xterm and Xaw library vulnerability (XFree86 advisory)

[dawes () XFREE86 ORG (David Dawes)]

-----BEGIN PGP SIGNED MESSAGE-----

 =============================================================================
 XFree86-SA-1998:01                                          Security Advisory
                                                     The XFree86 Project, Inc.

 Topic:         xterm and Xaw library vulnerability
 Announced:     3 May 1998
 Affects:       All XFree86 versions up to and including 3.3.2
 Corrected:     XFree86 3.3.2 patch 1
 XFree86 only:  no

 Patches:       ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch1

 =============================================================================

I.   Background

     Xterm is a terminal emulator that is part of the core X Window System,
     and is included in every XFree86 release.  Xaw is the Athena Widgets
     library.  It is also part of the core X Window System, and is also
     included in every XFree86 release.

     The Open Group X Project Team recently provided a vendor advisory
     released by CERT as VB-98.04 regarding vulnerabilities in xterm and
     the Xaw library.  The XFree86 Project has developed a patch to
     XFree86 version 3.3.2, the latest release of the software based on
     X11R6.3.


II.  Problem Description

     Problems exist in both the xterm program and the Xaw library that
     allow user supplied data to cause buffer overflows in both the
     xterm program and any program that uses the Xaw library.  These
     buffer overflows are associated with the processing of data related
     to the inputMethod and preeditType resources (for both xterm and Xaw)
     and the *Keymap resources (for xterm).


III. Impact

     Exploiting these buffer overflows with xterm when it is installed
     setuid-root or with any setuid-root program that uses the Xaw library
     can allow an unprivileged user to gain root access to the system.
     These vulnerabilities can only be exploited by individuals with access
     to the local system.

     Setuid-root programs that use variants of the Xaw library (like Xaw3d)
     may also be vulnerable to the Xaw problems.

     The only setuid-root program using the Xaw library that is supplied
     as part of the standard XFree86 distributions is xterm.  Other
     distributions may include other such programs, including variants
     of xterm.


IV.  Workaround

     The setuid-root programs affected by these problems can be made
     safe by removing their setuid bit.  This should be done for xterm
     and any setuid-root program that uses the Xaw library:

          # chmod 0755 /usr/X11R6/bin/xterm
          # chmod 0755 <setuid-root-program>

     Note that implementing this workaround may reduce the functionality
     of the affected programs.


V.   Solution

     The Open Group's fixes for these problems are currently available
     only to its members (XFree86 is not a member).  XFree86 has
     independently released its own fixes for these problems.  A source
     patch is available now at
     ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch1.

     Updated binaries for most OSs are also available.  The updated
     binaries can be found in the X3321upd.tgz files in the appropriate
     subdirectories of the XFree86 3.3.2 binaries directory
     (ftp://ftp.xfree86.org/pub/XFree86/3.3.2/binaries/).  Information
     about installing the updated binaries can be found in an updated
     version of the XFree86 3.3.2 Release Notes.  A text copy of this
     can be found at ftp://ftp.xfree86.org/pub/XFree86/3.3.2/RELNOTES.
     An on-line copy can be viewed at
     http://www.xfree86.org/3.3.2/RELNOTES.html.

     Note that it is important to follow the instructions in those notes
     carefully, and that both the updated xterm program and Xaw library
     must be installed to fix the problem with xterm.  Also, the
     X332bin.tgz and X332lib.tgz files in the XFree86 3.3.2 binaries
     subdirectories still contain the original buggy versions.  When
     doing a new XFree86 3.3.2 installation it is important to extract
     the X3321upd.tgz after extracting the others.


VI.  Checksums

     The following is a list of MD5 digital signatures for the source patch,
     release notes file and updated binaries.

     Filename                        MD5 Digital Signature
     ----------------------------------------------------------------------
     3.3.2-patch1                    e5a66e732d62cf23007d6b939281028a
     RELNOTES                        06d07b8d884b651b131787ec15d04b59
     FreeBSD-2.2.x/X3321upd.tgz      cc2eeeecbaaf72d95776d12e42f1a111
     FreeBSD-3.0/X3321upd.tgz        94b45261d8eb6da4e30580a42338c47e
     Interactive/X3321upd.tgz        f6ed6adc516af50303af4d70f0a93fbe
     Linux-axp/X3321upd.tgz          0fc81d4308f989ea050e84ca7a7c3362
     Linux-ix86-glibc/X3321upd.tgz   bf6b7ddebadd188331c9624dfedf6aa9
     Linux-ix86/X3321upd.tgz         89ac8668a891bcdee8df1ea36fe06248
     LynxOS/X3321upd.tgz             aa065051fe9747b5f36625f3ca956210
     NetBSD-1.3/X3321upd.tgz         7dc31e8e7a230717338cd3587c6e9c9c
     OpenBSD/X3321upd.tgz            9267e76495edadb26621defe368bce2e
     SVR4.0/X3321upd.tgz             54c34dc2de7f789d29063a23b709f0c1
     Solaris/X3321upd.tgz            c102e2912ad7e9571d361083af0de170
     UnixWare/X3321upd.tgz           bf492604de594cdf2ebe9c78552005e8

     These checksums only apply for files obtained from ftp.xfree86.org
     and its mirrors.


VII. Credits

     Richard Braakman                  Analysis of the xterm problems and
                                       fixes for them.
     Tom Dickey                        Integration of xterm fixes.
     Paulo Cesar Pereira de Andrade    Xaw fixes.

 =============================================================================
 The XFree86 Project, Inc

 Web Site:                 http://www.xfree86.org/
 PGP Key:                  ftp://ftp.xfree86.org/pub/XFree86/Security/key.asc
 Advisories:               ftp://ftp.xfree86.org/pub/XFree86/Security/
 Security notifications:   security () xfree86 org
 General support contact:  xfree86 () xfree86 org
 =============================================================================


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNU3aWknJJ0YV1q5pAQE93QP+LkxhHphL6CpgX/lCJmFR25L2qf8430wk
D530Ih0nmIG86Y9zY6i9BMzgH9nfRl7v6dSX+Ch/+oiR68tyY1LBbuwMSpD+V672
qWuTHYQEJ9ZrrUFf1vc1V2gFKkDy+rMpqyEU6ZShBzPXZ66Lc7dINbf05GZGBdbm
EKjSwesIj/M=
=4dNY
-----END PGP SIGNATURE-----