[4105] in bugtraq
Re: libX11
daemon@ATHENA.MIT.EDU (Alex Belits)
Fri Feb 28 00:12:07 1997
Date: Thu, 27 Feb 1997 18:14:46 -0800
Reply-To: Alex Belits <abelits@PHOBOS.ILLTEL.DENVER.CO.US>
From: Alex Belits <abelits@PHOBOS.ILLTEL.DENVER.CO.US>
X-To: Paul Szabo <szabo_p@MATHS.SU.OZ.AU>
To: BUGTRAQ@netspace.org
In-Reply-To: <9702272116.AA22608@c622.maths.su.oz.au>
On Fri, 28 Feb 1997, Paul Szabo wrote:
> A few days ago SNI released an advisory concerning buffer overrun problems
> in libX11. Their "fix advice" was to upgrade to X11R6.3, or to remove
> setuid/setgid privileges from vulnerable programs (e.g. xload and xterm).
>
> I do not think I can upgrade to the current release of X11: how would I
> integrate that into Digital Unix (a.k.a. OSF/1)? And I could not give up the
> functionality of xterm...
>
> So instead I wrote the following wrapper, and used it to wrap xload, xterm
> and xconsole. My wrapper, and the SNI advisory, included below.
Simplier workaround will be just to remove setuid bit. xterm won't
write utmp entries or capture console messages (no big loss), xload
isn't of much use for non-root, and xconsole shouldn't be started from
anywhere but /usr/lib/X11/xdm/Xsetup_0 which runs as root before local
user logs in through xdm (it won't hurt to start xload from there, too if
necessary). On some other systems only xterm is setuid.
In any case hassle of upgrading X is rather minimal unless some really
complex changes in configuration were made, and even in that case most of
things just can be fixed using backup copies of resource files, fonts and
scripts.
--
Alex
P.S. I haven't confirmed it, but in Digital Unix with CDE I have seen that
dtlogin (CDE replacement for xdm) doesn't update cookies between logins.
Is it a known bug, misconfiguration or intentional limitation of
functionality? There was xdm bug that limited the number of possible
cookies (X11R6 fix 13 if I remember it correctly), but that thing seems to
just refuse to change cookie in .Xauthority, so they should be unrelated.
