AUSCERT External Security Bulletin Redistribution
                    ESB-98.090 -- XFree86-SA-1998:02
            Library vulnerabilities in Xlib, Xt, Xmu, and Xaw
                                9th June 1998


The XFree86 Project has released the following advisory concerning
vulnerabilities in the Xlib, Xt, Xmu, and Xaw libraries that allow user
supplied data to cause buffer overflows in programs that use these
libraries. Exploiting these buffer overflows with programs installed
setuid-root may allow local users to gain root privileges. The XFree86
Project has developed a patch to XFree86 version 3.3.2.

The following security bulletin is provided as a service to AusCERT's
members.  As AusCERT did not write this document, AusCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be made in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when the original bulletin is.  If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.

Contact information for The XFree86 Project is included in the Security
Bulletin below.  If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031

----------------------------BEGIN INCLUDED TEXT--------------------


 XFree86-SA-1998:02                                          Security Advisory
                                                     The XFree86 Project, Inc.

 Topic:         Library vulnerabilities in Xlib, Xt, Xmu, and Xaw
 Announced:     25 May 1998
 Last Updated:  26 May 1998
 Affects:       All XFree86 versions up to and including 3.3.2
 Corrected:     XFree86 3.3.2 patch 2
 XFree86 only:  no

 Patches:       ftp://ftp.xfree86.org/pub/XFree86/3.3.2/fixes/3.3.2-patch2


I.   Background

     Xlib, Xt, Xmu, and Xaw are libraries included as a part of the core
     X Window System and are also included in every XFree86 release.

     The XFree86 Project has developed a patch to XFree86 version 3.3.2
     which fixes problems found by our team members.  The patch also
     includes an XPT public patch which was recently provided by The
     Open Group for problems found in the Xt library.

II.  Problem Description

     Problems exist in the Xlib, Xt, Xmu, and Xaw libraries that
     allow user supplied data to cause buffer overflows in programs
     that use these libraries.  The buffer overflows may be exploited
     using either X resources or environment variables used by the
     affected libraries.  These buffer overflows are associated
     with the use of fixed length character arrays for temporary storage
     and processing of user supplied data.  In many cases, the length of
     this user supplied data is not checked to make sure that it will fit
     in the provided fixed length array.

III. Impact

     Exploiting these buffer overflows with programs installed setuid-root
     that use any of these libraries can allow an unprivileged user to gain
     root access to the system.  These vulnerabilities can only be exploited
     by individuals with access to the local system.

     The only setuid-root program using these libraries that is supplied
     as part of the standard XFree86 distributions is xterm.  Other
     distributions may include other such programs, including variants
     of xterm.

IV.  Workaround

     The setuid-root programs affected by these problems can be made
     safe by removing their setuid bit.  This should be done for xterm
     and any setuid-root program that uses the affected libraries:

          # chmod 0755 /usr/X11R6/bin/xterm
          # chmod 0755 <setuid-root-program>

     Note that implementing this workaround may reduce the functionality
     of the affected programs.
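
     One way to find the setuid-root programs the workaround applies to,
     as an added example that is not part of the XFree86 advisory.  The
     shared-library names (libX11 for Xlib, libXt, libXmu, libXaw), the
     default directories and the function names are assumptions;
     statically linked programs are not detected because ldd lists only
     shared libraries.

```sh
#!/bin/sh
# Added example (not from the advisory): list setuid-root programs that are
# dynamically linked against the libraries the advisory names.
# Assumed shared-library names: Xlib = libX11, plus libXt, libXmu, libXaw.

# Read ldd-style output on stdin; succeed if an affected library is listed.
# "libXt\.so" does not match unrelated names such as libXtst.so.
links_affected_lib() {
    grep -Eq '(^|[[:space:]/])lib(X11|Xt|Xmu|Xaw)\.so([.[:space:]]|$)'
}

# Print every setuid-root regular file under the given directories that links
# an affected library. The default directories are assumptions.
audit_setuid_x() {
    [ "$#" -gt 0 ] || set -- /usr/X11R6/bin /usr/bin /usr/local/bin
    find "$@" -xdev -type f -user root -perm -4000 2>/dev/null |
    while IFS= read -r prog; do
        if ldd "$prog" 2>/dev/null | links_affected_lib; then
            printf '%s\n' "$prog"
        fi
    done
}

# Constructed ldd output for illustration, not captured from a real system.
SAMPLE_AFFECTED='    libXaw.so.6 => /usr/X11R6/lib/libXaw.so.6 (0x40010000)
    libXt.so.6 => /usr/X11R6/lib/libXt.so.6 (0x40050000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_CLEAN='    libXtst.so.6 => /usr/X11R6/lib/libXtst.so.6 (0x40010000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'

# Run the audit only when asked:  sh audit.sh --run [dir ...]
if [ "${1:-}" = "--run" ]; then
    shift
    audit_setuid_x "$@"
fi
```

     Each path printed is a candidate for the chmod shown above.  Using
     "chmod u-s" instead clears only the setuid bit and leaves the other
     mode bits as they are.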

V.   Solution

     The XFree86 Project team has released fixes for these problems.
     A source patch is available now at

     Updated binaries for most OSs are also available.  The updated
     binaries can be found in the X3322upd.tgz files in the appropriate
     subdirectories of the XFree86 3.3.2 binaries directory
     (ftp://ftp.xfree86.org/pub/XFree86/3.3.2/binaries/).  Information
     about installing the updated binaries can be found in an updated
     version of the XFree86 3.3.2 Release Notes.  A text copy of this
     can be found at ftp://ftp.xfree86.org/pub/XFree86/3.3.2/RELNOTES.
     An on-line copy can be viewed at

     Note that it is important to follow the instructions in those notes
     carefully.  Also, the platform dependent files in the XFree86 3.3.2
     binaries subdirectories still contain the original buggy versions.
     When doing a new XFree86 3.3.2 installation it is important to extract
     the X3322upd.tgz after extracting the others.

     The X3322upd.tgz file is a complete replacement for the previously
     released patch1 binary update file X3321upd.tgz.  It is not necessary
     to install the X3321upd.tgz file prior to installing X3322upd.tgz.

     The 3.3.2-patch2 source patch file must be applied to the XFree86
     3.3.2 base release after applying the previously released source
     patch file 3.3.2-patch1.

VI.  Checksums

     The following is a list of MD5 digital signatures for the source patch,
     release notes file and updated binaries.

     Filename                        MD5 Digital Signature
     3.3.2-patch2                    ba4752cdab2f73e34020285043d51e14
     RELNOTES                        914af5bee5003b973909403eccf7f180
     FreeBSD-2.2.x/X3322upd.tgz      03e88a106ba0eaeabc3f8fd9f0c209e3
     FreeBSD-3.0/X3322upd.tgz        82bdbaaf872914e0cd6e69c9e5e4e684
     Interactive/X3322upd.tgz        a39839a4bc0d72a8fa181634fd253fa7
     Linux-axp/X3322upd.tgz          d6604b63427758ccb690827d304215d4
     Linux-ix86-glibc/X3322upd.tgz   e94a88e2b4bcd70d7330b3c034232e6c
     Linux-ix86/X3322upd.tgz         d3f0bbad2eba045e8ccd28e8d4bcb95e
     LynxOS/X3322upd.tgz             0e094ddc01ec09df8c18944a4bf4ca33
     NetBSD-1.2/X3322upd.tgz         e97059d4af700d2cfab642ba966a7071
     NetBSD-1.3/X3322upd.tgz         5000176b71d5cc4b246547a8bf7defca
     OpenBSD/X3322upd.tgz            7c677a53aa11fa3ba72e6319f8febabb
     SVR4.0/X3322upd.tgz             8ef26f718baf47451d7b91194f50407d
     Solaris/X3322upd.tgz            8c0098154c755c7cef29e3cd5fcfaf03
     UnixWare/X3322upd.tgz           a0e5d4faa5fb4a3a658c5601929e0475

     These checksums only apply for files obtained from ftp.xfree86.org
     and its mirrors.
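
     A way to check downloaded files against a two-column list laid out
     like the table above, as an added example that is not part of the
     XFree86 advisory.  It assumes GNU md5sum is installed; the function
     name and the list and directory arguments are hypothetical.

```sh
#!/bin/sh
# Added example (not from the advisory): verify files against a list of
# "filename  md5" lines laid out like the advisory's checksum table.
# Assumes GNU md5sum; on systems that ship "md5" instead, adapt the call.

# verify_md5_list LIST ROOT
# Prints one status line per entry; returns 0 only if every file matches.
verify_md5_list() {
    list=$1
    root=$2
    bad=0
    while read -r name want rest; do
        # Skip blank lines and lines whose second field is not a 32-digit
        # hex string, such as the "Filename  MD5 Digital Signature" heading.
        case $want in
            ''|*[!0-9a-fA-F]*) continue ;;
        esac
        [ "${#want}" -eq 32 ] || continue
        if [ ! -f "$root/$name" ]; then
            echo "MISSING  $name"
            bad=1
            continue
        fi
        got=$(md5sum < "$root/$name" | cut -d' ' -f1)
        want=$(printf '%s' "$want" | tr 'A-F' 'a-f')
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"
            bad=1
        fi
    done < "$list"
    return "$bad"
}

# Usage when run as a script:  sh verify.sh CHECKSUMS.txt /path/to/downloads
if [ "$#" -eq 2 ]; then
    verify_md5_list "$1" "$2"
fi
```

     A match shows only that the file is the one the list describes, so
     the list has to come from a trusted copy of the advisory, for
     example one whose PGP signature was checked against the project key.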

VII. Credits

  Topi Miettinen                   found the Xt translation manager
                                   buffer overflows.
  Paulo Cesar Pereira de Andrade   found and fixed the Xmu and related Xaw
                                   buffer overflows.
  David Dawes                      found and fixed various library buffer
                                   overflow problems.
  Theo de Raadt                    pointed out some buffer overflows.
  Tom Dickey                       reviewed and updated TOG's Xaw fix.

 The XFree86 Project, Inc

 Web Site:                 http://www.xfree86.org/
 PGP Key:                  ftp://ftp.xfree86.org/pub/XFree86/Security/key.asc
 Advisories:               ftp://ftp.xfree86.org/pub/XFree86/Security/
 Security notifications:   security@xfree86.org
 General support contact:  xfree86@xfree86.org



----------------------------END INCLUDED TEXT----------------------
