-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ESB-98.090 -- XFree86-SA-1998:02
Library vulnerabilities in Xlib, Xt, Xmu, and Xaw
9th June 1998
The XFree86 Project has released the following advisory concerning
vulnerabilities in the Xlib, Xt, Xmu, and Xaw libraries that allow user
supplied data to cause buffer overflows in programs that use these
libraries. Exploiting these buffer overflows with programs installed
setuid-root may allow local users to gain root privileges. The XFree86
Project has developed a patch to XFree86 version 3.3.2.
The following security bulletin is provided as a service to AusCERT's
members. As AusCERT did not write this document, AusCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It will
not be updated when the original bulletin is. If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.
Contact information for The XFree86 Project is included in the Security
Bulletin below. If you have any questions or need further information,
please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Internet Email: email@example.com
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Facsimile: (07) 3365 7031
- ----------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
XFree86-SA-1998:02 Security Advisory
The XFree86 Project, Inc.
Topic: Library vulnerabilities in Xlib, Xt, Xmu, and Xaw
Announced: 25 May 1998
Last Updated: 26 May 1998
Affects: All XFree86 versions up to and including 3.3.2
Corrected: XFree86 3.3.2 patch 2
XFree86 only: no
Xlib, Xt, Xmu, and Xaw are libraries included as a part of the core
X Window System and are also included in every XFree86 release.
The XFree86 Project has developed a patch to XFree86 version 3.3.2
which fixes problems found by our team members. The patch also
includes an XPT public patch which was recently provided by The
Open Group for problems found in the Xt library.
II. Problem Description
Problems exist in the Xlib, Xt, Xmu, and Xaw libraries that
allow user supplied data to cause buffer overflows in programs
that use these libraries. The buffer overflows may be exploited
using either X resources or environment variables used by the
affected libraries. These buffer overflows are associated
with the use of fixed length character arrays for temporary storage
and processing of user supplied data. In many cases, the length of
this user supplied data is not checked to make sure that it will fit
in the provided fixed length array.
Exploiting these buffer overflows with programs installed setuid-root
that use any of these libraries can allow an unprivileged user to gain
root access to the system. These vulnerabilities can only be exploited
by individuals with access to the local system.
The only setuid-root program using these libraries that is supplied
as part of the standard XFree86 distributions is xterm. Other
distributions may include other such programs, including variants
The setuid-root programs affected by these problems can be made
safe by removing their setuid bit. This should be done for xterm
and any setuid-root program that uses the affected libraries:
# chmod 0755 /usr/X11R6/bin/xterm
# chmod 0755 <setuid-root-program>
Note that implementing this workaround may reduce the functionality
of the affected programs.
The XFree86 Project team has released fixes for these problems.
A source patch is available now at
Updated binaries for most OSs are also available. The updated
binaries can be found in the X3322upd.tgz files in the appropriate
subdirectories of the XFree86 3.3.2 binaries directory
about installing the updated binaries can be found in an updated
version of the XFree86 3.3.2 Release Notes. A text copy of this
can be found at ftp://ftp.xfree86.org/pub/XFree86/3.3.2/RELNOTES.
An on-line copy can be viewed at
Note that it is important to follow the instructions in those notes
carefully. Also, the platform dependent files in the XFree86 3.3.2
binaries subdirectories still contain the original buggy versions.
When doing a new XFree86 3.3.2 installation it is important to extract
the X3322upd.tgz after extracting the others.
The X3322upd.tgz file is a complete replacement for the previously
released patch1 binary update file X3321upd.tgz. It is not necessary
to install X3321upd.tgz file prior to installing X332upd.tgz.
The 3.3.2-patch2 source patch file must be applied to the XFree86
3.3.2 base release after applying the previously released source
patch file 3.3.2-patch1.
The following is a list of MD5 digital signatures for the source patch,
release notes file and updated binaries.
Filename MD5 Digital Signature
These checksums only apply for files obtained from ftp.xfree86.org
and its mirrors.
Topi Miettinen found the Xt translation manager
Paulo Cesar Pereira de Andrade found and fixed the Xmu and related Xaw
David Dawes found and fixed various library buffer
Theo de Raadt pointed out some buffer overflows.
Tom Dickey reviewed and updated TOG's Xaw fix.
The XFree86 Project, Inc
Web Site: http://www.xfree86.org/
PGP Key: ftp://ftp.xfree86.org/pub/XFree86/Security/key.asc
Security notifications: firstname.lastname@example.org
General support contact: email@example.com
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- ----------------------------END INCLUDED TEXT----------------------
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----