From ollivier.robert@eurocontrol.fr  Mon Sep  2 19:45:18 1996
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id TAA06747 for <best-of-security@suburbia.net>; Mon, 2 Sep 1996 19:43:46 +1000
Received: from atena.eurocontrol.fr (atena.uneec.eurocontrol.fr [147.196.69.10]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id BAA10950 for <best-of-security@suburbia.net>; Mon, 2 Sep 1996 01:51:54 -0700 (PDT)
Received: by atena.eurocontrol.fr; (5.65v3.2/1.3/10May95) id AA19043; Mon, 2 Sep 1996 10:48:24 +0200
Received: from mozart.eurocontrol.fr by eurocontrol.fr with ESMTP
	(1.37.109.16/16.2) id AA011754090; Mon, 2 Sep 1996 10:48:11 +0200
Message-Id: <199609020848.AA011754090@euro.eurocontrol.fr>
Received: by mozart.eurocontrol.fr
	(1.37.109.16/16.2) id AA125374048; Mon, 2 Sep 1996 10:47:28 +0200
Date: Mon, 2 Sep 1996 10:47:27 +0200
From: ollivier.robert@eurocontrol.fr (Ollivier Robert)
To: best-of-security@suburbia.net
Subject: Re: BoS: Vulnerability in the Xt library
In-Reply-To: <199609011418.AAA19394@suburbia.net>; from Julian Assange on Sep 2, 1996 0:18:07 +1000
References: 	<199609011418.AAA19394@suburbia.net>
X-Mailer: Mutt 0.41
Mime-Version: 1.0

According to Julian Assange:
> There exists at least one vulnerability in the Xt library caused by a buffer
> overrun that allows arbitrary code to be executed. This vulnerability
> exists in the Xt library itself. As such all programs linked with it
> that are suid root or can be coerced into running as root are vulnerable.
> The standard example is of course suid xterm. The vulnerability has
> been confirmed under FreeBSD, Solaris, and as far as we can tell every
> single other OS running all revisions of X11.

For the record: the fix involves replacing the sprintf calls in Error.c with
snprintf in the default Error and Warning handlers. You must have snprintf
in your libc or get the portable version that was posted in Bugtraq when
the syslog bug was discovered.

XFree86 3.1.2F, out last week, is supposed to have the fix. I haven't
checked this because source code for beta versions is not disclosed, but I
sent both the fix and the portable snprintf to the XFree86 folks.
-- 
Ollivier ROBERT -=- Eurocontrol EEC/TIS -=- Ollivier.Robert@eurocontrol.fr
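The sprintf-to-snprintf fix described in this message, as an added example that is not part of the original post and not the Xt source: a fixed-size message buffer is filled from a caller-supplied string, first with the unbounded sprintf pattern (measured rather than executed, so the example is safe to run) and then with snprintf. The buffer size and the "Error: %s\n" format are assumptions chosen for illustration; the real Error.c handlers differ in detail.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-size message buffer.  The handlers in Error.c use a fixed
 * buffer too; this particular size is an assumption for the example. */
#define MSG_BUF 256

/* Unsafe pattern: sprintf writes as many bytes as the format produces,
 * so a long 'msg' (for a setuid client, e.g. a command-line argument
 * or X resource value chosen by the invoking user) runs past the end
 * of the destination.  To keep this example safe to run, it does NOT
 * perform the write: snprintf with a zero-length destination returns
 * the length the formatted string would have had without writing
 * anything.  Returns 1 if a real sprintf into a MSG_BUF-byte buffer
 * would have overflowed it. */
int unsafe_would_overflow(const char *msg)
{
    int needed = snprintf(NULL, 0, "Error: %s\n", msg);
    return needed < 0 || (size_t)needed >= MSG_BUF;
}

/* Hardened pattern (the fix: sprintf -> snprintf).  Output is bounded
 * by bufsize and always NUL-terminated.  C99 snprintf returns the
 * untruncated length, so comparing it with bufsize detects truncation.
 * Returns 1 if truncated, 0 if the whole message fit, -1 on error. */
int safe_format(char *buf, size_t bufsize, const char *msg)
{
    int needed = snprintf(buf, bufsize, "Error: %s\n", msg);
    if (needed < 0) {           /* encoding error (or pre-C99 -1) */
        buf[0] = '\0';
        return -1;
    }
    return (size_t)needed >= bufsize;
}

/* Run both variants against a short and an oversized constructed input.
 * Returns the number of checks that behaved as expected (4 = all). */
int run_checks(void)
{
    char buf[MSG_BUF];
    char big[MSG_BUF * 2];      /* constructed oversized input */
    int ok = 0;

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    if (!unsafe_would_overflow("short message")) ok++;
    if (unsafe_would_overflow(big)) ok++;

    if (safe_format(buf, sizeof buf, "short message") == 0
        && strcmp(buf, "Error: short message\n") == 0) ok++;

    /* Truncated, but still within bounds and NUL-terminated. */
    if (safe_format(buf, sizeof buf, big) == 1
        && strlen(buf) == MSG_BUF - 1) ok++;

    return ok;
}

int main(void)
{
    printf("%d/4 checks passed\n", run_checks());
    return 0;
}
```

One caveat when dropping in a portable snprintf of that era: some pre-C99 implementations return -1 on truncation instead of the untruncated length, which is why safe_format treats a negative return as a failure and empties the buffer rather than trusting its contents.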

