17th Oct 2002 [SBWID-5756]
COMMAND
XFree86 multiple local and remote vulnerabilities (sumary)
SYSTEMS AFFECTED
XFree86 3.3.6a
XFree86 4.0.1
XFree86 4.0.3
PROBLEM
Per Connectiva Linux advisory, here's a good summary of many XFree86
security bugs reported lately
http://distro.conectiva.com.br/atualizacoes/?idioma=en
- MIT-SHM extension vulnerability
Roberto Zunino discovered a vulnerability in the MIT-SHM extension of
XFree86 prior to versions 4.2.1. The vulnerability allows a local user
who can run XFree86 to gain read/write access to any shared memory
segment in the system. Although the use of shared memory segments to
store trusted data is not a comom practice, by exploiting this
vulnerability the attacker potentially can get and/or change sensitive
information.
- Buffer overflow in glyph clipping for large origin.
A buffer overflow vulnerability[3] was found in the glyph code when
clipping large origins. A remote attacker could exploit this
vulnerability to cause a denial of service and possibly run arbitrary
code by, for example, using a large number of characters through web
page search forms of some web browsers.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2001-0955 to this issue[4].
Additional fixes from the XFree86 CVS tree are listed below and have
also been applied to this update.
- Check for negative reply length/overflow in _XAsyncReply().
Mike A. Harris sent[5] a patch to the XFree86 3.3 source tree to fix an
overflow vulnerability. The vulnerability is also present in XFree86
4.x versions, and the patch was adapted to fix it.
- XDM restrictions bypassed by non existent directory
If the xdm auth directory did not exist, any user could connect to the
Xserver using xdm. This was reported by Galen Hancock and the fix was
made[6] by setting the authComplain variable to true as default. This
is the expected behavior and is specified in the manual page of the xdm
configuration.
- Authentication issues with mmap() on drm devices
Jeff Hartmann sent a fix[7] for a vulnerability in the way the mmap()
system call was being used on DRM devices.
- Kernel security hole in Linux int10 module
Marc La France commited[8] to the XFree86 CVS tree a fix for a
vulnerability in the linux int10 module.
XFree86 3.3.6 compatiblity packages are being upgraded with the latest
branch patches available. The changelog[9] entries from the XFree86
source related to security fixes since our last update are below:
- Avoid DoS attacks on xdm (Keith Packard).
- Check for negative reply length/overflow in _XAsyncReply (Xlib)
(#4601, Mike Harris).
- Fix possible buffer overflow (NOT on stack) in xdm xdmcp code
(patch69 from Red Hat SRPMS).
- Pull in fixes from 4.0.2 for the following problems:
. XlibInt buffer overflow
. libICE denial of service
. XOpenDisplay buffer overflow (#4450, Branden Robinson)
- Fix temp file problem in Imake.rules, InstallManPageAliases
(Matthieu Herrb)
- Pull in fixes from the main branch:
. xfs DoS (Paulo Cesar Pereira de Andrade and Keith Packard),
. _XAsyncReply() Xlib stack corruption,
. Xaw temp file handling (Branden Robinson).
- Safe tempfile handling for imake's probing of glibc version (based
on #4257, Colin Phipps).
- Fix a 1-byte overflow in Xtrans.c (#4182, Aaron Campbell).
- Back port fix for http://www.securityfocus.com/archive/1/139436
from 4.0 (#4181, Matthieu Herrb).
REFERENCES:
1.http://www.xfree86.org/security/
2.http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000529&idioma=en
3.http://marc.theaimsgroup.com/?l=vuln-dev&m=100118958310463&w=2
4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0955
5.http://www.xfree86.org/devel/archives/patch/2001-Apr/0069.shtml
6.http://www.xfree86.org/pipermail/cvs-commit/2001-October/003140.html
7.http://www.xfree86.org/pipermail/cvs-commit/2001-May/002350.html
8.http://www.xfree86.org/pipermail/cvs-commit/2001-March/001633.html
9.http://cvsweb.xfree86.org/cvsweb/~checkout~/xc/programs/Xserver/hw/xfree86/CHANGELOG?rev=3.390.2.341
SOLUTION
All XFree86 users are advised to upgrade.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
