[3278] in bugtraq


Re: Vulnerability in the Xt library

daemon@ATHENA.MIT.EDU (Casper Dik)
Mon Aug 26 12:32:49 1996

Date: 	Mon, 26 Aug 1996 09:13:10 +0200
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Casper Dik <casper@holland.Sun.COM>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  Your message of "Sun, 25 Aug 1996 22:06:07 MDT."
              <199608260406.WAA06840@rover.village.org>

>Or fix xterm such that it doesn't need to be setuid.  This usually
>involves hacking the kernel to have saner defaults than are present in
>the BSD kernel.  If you could create a pseudo device that was owned by
>the user creating it, xterm wouldn't need to be setuid, if my look at
>the source and conversations I've had with others that understood
>xterm better than I.


System V ptys have this advantage, apart from being much easier to use
and being much more efficient (you don't need to search for one open
device, you just get one from the kernel).

In Solaris 2.x, there are two programs that handle all of xterm's needs:

        /usr/lib/pt_chmod       - for setting the ownership of a pty
        /usr/lib/utmp_update    - for updating utmp/wtmp files.

Consequently, Solaris 2.x xterm is not set-uid root.

(SunOS 4.x xterm wasn't set-uid either but it relied on a mode 666 utmp
file [bad] and kept your tty owned by root [worse].)

>This doesn't mean that one shouldn't fix libXt, just that xterm,
>although careful generally, shouldn't need to be setuid root (in an
>ideal world).


Obviously we need to fix libXt.   I'm actually quite appalled that the
X Consortium introduced a new buffer overflow in XOpenDisplay in R6.

Casper
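As an added illustration of the pt_chmod arrangement described above (example code written for this page, not from the thread or from xterm), this is how an unprivileged program obtains a pty through the System V clone device: the only privileged step, handing the slave to the caller, happens inside grantpt(), which on Solaris invokes /usr/lib/pt_chmod. It assumes a Linux or Solaris system with /dev/ptmx; the struct and function names are my own.

```c
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Repeated here so the block builds even if the toolchain's feature macros hide them. */
int grantpt(int fd);
int unlockpt(int fd);
char *ptsname(int fd);

/* Result of one unprivileged pty allocation (constructed example, not code from the thread). */
struct pty_pair {
    int master_fd;       /* fd on the /dev/ptmx clone device */
    char slave_path[64]; /* e.g. /dev/pts/3 */
    uid_t slave_owner;   /* st_uid of the slave after grantpt() */
    mode_t slave_mode;   /* permission bits of the slave after grantpt() */
};

/* Allocate a pty with no privilege in the caller. The only privileged step,
 * changing the slave's owner and mode, happens inside grantpt(); on Solaris
 * that call runs /usr/lib/pt_chmod, the helper the message names, so the
 * program (e.g. xterm) itself never needs to be set-uid root.
 * Returns 0 on success, -1 if there is no clone device or grantpt() fails. */
int open_unprivileged_pty(struct pty_pair *p)
{
    struct stat st;
    const char *name;
    p->master_fd = open("/dev/ptmx", O_RDWR | O_NOCTTY); /* System V: get one from the kernel */
    if (p->master_fd < 0) return -1;
    if (grantpt(p->master_fd) == 0 && unlockpt(p->master_fd) == 0 &&
        (name = ptsname(p->master_fd)) != NULL &&
        snprintf(p->slave_path, sizeof p->slave_path, "%s", name) < (int)sizeof p->slave_path &&
        stat(p->slave_path, &st) == 0) {
        p->slave_owner = st.st_uid;
        p->slave_mode = st.st_mode & 0777;
        return 0;
    }
    close(p->master_fd);
    p->master_fd = -1;
    return -1;
}

/* The property the thread wants: the slave belongs to the calling user and is not
 * world-writable (SunOS 4.x left it owned by root). Returns 1 if it holds, 0 if
 * not, -1 if no pty could be allocated here so there is nothing to check. */
int verify_pty_ownership(void)
{
    struct pty_pair p;
    if (open_unprivileged_pty(&p) != 0) return -1;
    int ok = p.slave_owner == getuid() && (p.slave_mode & 002) == 0;
    printf("%s owner=%u mode=%04o\n", p.slave_path, (unsigned)p.slave_owner, (unsigned)p.slave_mode);
    close(p.master_fd);
    return ok;
}
```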
