[14599] in Athena Bugs


Alas, for Xt

daemon@ATHENA.MIT.EDU (John Hawkinson)
Mon Aug 26 09:22:32 1996

Date: Mon, 26 Aug 1996 09:22:03 -0400
To: bugs@MIT.EDU
Cc: holes@MIT.EDU, moties@MIT.EDU
From: John Hawkinson <jhawk@MIT.EDU>


Folks by now have probably seen mail to bugtraq, et al, regarding the
libXt vulnerabilities (buffer overruns, easiest attack is
get-root-through-setuid-x-clients, eg: xterm).

In the trivial case, this means that those Athena platforms that have
setuid xterm binaries are vulnerable (i.e. DECstations (including the
dialups--/srvd/usr/athena/bin/xterm is setuid), and SGIs). It's
conceivable that there may be other subtle interactions that affect
other applications as well (and thus possibly Suns).

Recently I seem to recall someone (Greg? Craig?) commenting that some
particular problem couldn't be fixed unless we wanted to go back to
build X11 ourselves. My initial response had been "Of course we should
be building our own X clients!" but it seemed unlikely that would fly.

Folks are working on fixing these buffer overrun problems, and the
XFree86 3.1.2F release (due out this week) should contain the
fix(es). [The XFree86 tree is a branch of the X Consortium tree and
supports all platforms found in standard X11R6.1]

If we were building our own clients (and possibly servers, but that's
sticky because of things like DPS), we could easily incorporate fixes
for problems like these in a timely fashion. As it is, we're blocked
on vendors doing so.

While I'm not sure I can safely advocate returning to building X
clients ourselves (given the current staffing state and conflicting
desires of seeing other things done), this should serve as a reminder
of some of the important flexibility we've lost. I hope we're strongly
pressuring our vendors for a fix to this particular problem.

--jhawk
  ps: problems are more deeply-set than the 2-line patch Ollivier Robert
  posted to bugtraq this morning. There are a lot more places with buffer
  overruns that need to be fixed, though some of them might not be as
  security-pertinent...
