Operating System:

[UNIX/Linux][LINUX][BSD][FreeBSD]

Published:

13 February 2001

Protect yourself against future threats.

//Service

Sensitive Information Alert

Alert notification provided via email for sensitive material found online by our analyst team which specifically targets your organisation.

Read more
Resources > Security Bulletins > ESB-2001.057 

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                 ESB-2001.057 -- FreeBSD-SA-01:07.xfree86
                  Multiple XFree86 3.3.6 vulnerabilities
                             14 February 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                XFree86
Vendor:                 FreeBSD Ports Collection
Operating System:       FreeBSD
                        BSD
                        Linux
                        Unix
Platform:               i386
                        Alpha
Impact:                 Denial of Service
                        Increased Privileges
Access Required:        Remote
                        Local

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:07                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Multiple XFree86 3.3.6 vulnerabilities

Category:       ports
Module:         XFree86-3.3.6, XFree86-aoutlibs
Announced:      2001-01-23
Credits:        Chris Evans <chris@ferret.lmh.ox.ac.uk>
                Michal Zalewski <lcamtuf@tpi.pl>
Affects:        Ports collection prior to the correction date.
Corrected:      2000-10-24 (XFree86-3.3.6)
Vendor status:  Fixed in XFree86 4.0.1, no patches released by vendor.
FreeBSD only:   NO

I.   Background

XFree86 is a popular X server.  It exists in three versions in the
FreeBSD ports collection: 3.3.6 and 4.0.2, as well as a.out libraries
based on XFree86 3.3.3.

II.  Problem Description

The XFree86-3.3.6 port, versions prior to 3.3.6_1, has multiple
vulnerabilities that may allow local or remote users to cause a denial
of service attack against a vulnerable X server.  Additionally, local
users may be able to obtain elevated privileges under certain
circumstances.

X server DoS:
  Remote users can, by sending a malformed packet to port 6000 TCP,
  cause the victim's X server to freeze for several minutes. During
  the freeze, the mouse does not move and the screen does not update
  in any way. In addition, the keyboard is unresponsive, including
  console-switch and kill-server key combinations. Non-X processes,
  such as remote command-line logins and non-X applications, are
  unaffected by the freeze.

Xlib holes:
  Due to various coding flaws in libX11, privileged (setuid/setgid)
  programs linked against libX11 may allow local users to obtain
  elevated privileges.

libICE DoS:
  Due to inadequate bounds checking in libICE, a denial of service
  exists with any application using libICE to listen on a network port
  for network services.

The XFree86-aoutlibs port contains the XFree86 libraries from the
3.3.3 release of XFree86, in a.out format suitable for use with
applications in the legacy a.out binaryformat, most notably being the
FreeBSD native version of Netscape.  It is unknown whether Netscape is
vulnerable to the problems described in this advisory, but it believed
that the only potential vulnerability is the libICE denial-of-service
condition described above.

The XFree86 and XFree86-aoutlibs ports are not installed by default
(although XFree86 is available as an installation option in the
FreeBSD installer), nor are they "part of FreeBSD" as such: they are
part of the FreeBSD ports collection, which contains almost 4500
third-party applications in a ready-to-install format.  The ports
collections shipped with FreeBSD 3.5.1 and 4.1.1 contain these problem
since they were discovered after the releases, but the XFree86 problem
was corrected prior to the release of FreeBSD 4.2.  At the time of
advisory release, the XFree86-aoutlibs port has not been corrected.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Local or remote users may cause a denial of service attack against an
X server or certain X applications.  Local users may obtain elevated
privileges with certain X applications.

If you have not chosen to install the XFree86 3.3.6 port/package or
the XFree86-aoutlibs port/package, or you are running XFree86 4.0.1 or
later, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the XFree86-3.3.6 and XFree86-aoutlibs ports/packages, if
you you have installed them.

Note that any statically linked binaries which make use of the
vulnerable XFree86 routines may still be vulnerable to the problems
after deinstallation of the port/package.  However due to the
difficulty of developing a reliable scanning utility for such binaries
no such utility is provided.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the XFree86-3.3.6
port.

2) Deinstall the old package and install an XFree86-4.0.2 package
obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.2_5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.2_5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.2_5.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: XFree86-3.3.6 packages are no longer made available, only the
newer XFree86-4.0.2 packages.

Note also that the XFree86-aoutlibs port has not yet been fixed: there
is currently no solution to the problem other than removing the
port/package and recompiling any dependent software to use ELF
libraries, or switching to an ELF-based version of the software, if
available (e.g. the BSD/OS or Linux versions of Netscape, as an
alternative to the FreeBSD native version).  The potential impact of
the vulnerabilities to the local environment may be deemed not
sufficiently great to warrant this approach, however.

3) download a new port skeleton for the XFree86-3.3.6 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOm3xpFUuHi5z0oilAQF+zQQAiwIQSv6MemATgo6v2/QwMjttGpbMxbh2
s94CK+aAlbtRlsrBZl6DIWwVydc1C3k6EHnM+NHqwhfOq/yrwp7JDKwVUmvi+5Qx
1UAY8QRu45OednLsyT2qUuNrowjMmkdB0EcsqQq2UvLtN2054m6AmpZk1t3TjGTr
CCOFX30qIn0=
=pI+q
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOoqhfSh9+71yA2DNAQGP4wP9HS+C1o1c/uPnHrD2+/u17nduCpdvIB6U
82blhj7u+r+V7TXK1HjSe2s2ydF1fq1Y5ZaSjXTZktg6yEmKWvZm2EmcLL5aRFSF
Ek1Jc97YqpB+abr9PbXt1ptbyiQn3XYPIht0j2S3KkK1tfybkTC+MmpUxyzEOb9d
G2R5o1/6ZWE=
=8s3Z
-----END PGP SIGNATURE-----