[2020] in SIPB_Linux_Development
still no rpm fix for xterm/Xaw vulnerabilities
daemon@ATHENA.MIT.EDU (mhpower@MIT.EDU)
Thu May 14 04:36:41 1998
From: mhpower@MIT.EDU
To: linux-dev@MIT.EDU
Cc: bug-xaw@MIT.EDU, yert@MIT.EDU
Date: Thu, 14 May 1998 04:36:19 EDT
As far as I can tell, RedHat still hasn't released any updated rpms
related to the xterm and Xaw buffer-overflow problems that are
mentioned in the "[3 May 1998]" section of http://www.xfree86.org/.
If anyone happens to need a workaround for this problem before RedHat
issues their fix, installing the xterm and libXaw.so.6.1 from
ftp://ftp.xfree86.org/pub/XFree86/3.3.2/binaries/Linux-ix86/X3321upd.tgz
may be worthwhile. Also, some RedHat-Athena machines may have
xterm-color-1.1-3.i386.rpm installed. This includes a separate setuid
root binary, nxterm, which I think has essentially the same
buffer-overflow problems that were found in xterm. Also, nxterm is
built using libXaw3d rather than the standard libXaw, and I think
libXaw3d has essentially the same buffer-overflow problems that were
found in libXaw. So, it's likely that on some systems, a minimum of
four files need to be replaced to fix the problem (i.e., xterm,
nxterm, a libXaw.so file, and a libXaw3d.so file).
I've done some work on getting the xterm/libXaw source patch from
ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch1 to work
with the nxterm source code and libXaw3d source code, and I can give
this out if anyone wants it. It's not extensively tested and I haven't
specifically tested the resources whose processing was directly
affected by the patch (preeditType, inputMethod, and *Keymap).
Matt
