Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Linux :: Apps N-Z :: lnx5756.htm

XFree86 multiple local and remote vulnerabilities (sumary)



17th Oct 2002 [SBWID-5756]
COMMAND

	XFree86 multiple local and remote vulnerabilities (sumary)

SYSTEMS AFFECTED

	 XFree86 3.3.6a

	 XFree86 4.0.1

	 XFree86 4.0.3

PROBLEM

	Per Connectiva Linux advisory, here's a good  summary  of  many  XFree86
	security bugs reported lately
	

	 http://distro.conectiva.com.br/atualizacoes/?idioma=en

	

	

	 - MIT-SHM extension vulnerability

	 

	Roberto Zunino discovered a vulnerability in the  MIT-SHM  extension  of
	XFree86 prior to versions 4.2.1. The vulnerability allows a  local  user
	who can run XFree86 to gain  read/write  access  to  any  shared  memory
	segment in the system. Although the use of  shared  memory  segments  to
	store  trusted  data  is  not  a  comom  practice,  by  exploiting  this
	vulnerability the attacker potentially can get and/or  change  sensitive
	information.
	

	 - Buffer overflow in glyph clipping for large origin.

	 

	A buffer overflow vulnerability[3] was found  in  the  glyph  code  when
	clipping  large  origins.  A  remote   attacker   could   exploit   this
	vulnerability to cause a denial of service and  possibly  run  arbitrary
	code by, for example, using a large number  of  characters  through  web
	page search forms of some web browsers.
	 

	The Common Vulnerabilities and  Exposures  project  (cve.mitre.org)  has
	assigned the name CAN-2001-0955 to this issue[4].
	 

	Additional fixes from the XFree86 CVS tree are  listed  below  and  have
	also been applied to this update.
	 

	 - Check for negative reply length/overflow in _XAsyncReply().

	 

	Mike A. Harris sent[5] a patch to the XFree86 3.3 source tree to fix  an
	overflow vulnerability. The vulnerability is  also  present  in  XFree86
	4.x versions, and the patch was adapted to fix it.
	

	 - XDM restrictions bypassed by non existent directory

	 

	If the xdm auth directory did not exist, any user could connect  to  the
	Xserver using xdm. This was reported by Galen Hancock and  the  fix  was
	made[6] by setting the authComplain variable to true  as  default.  This
	is the expected behavior and is specified in the manual page of the  xdm
	configuration.
	 

	 - Authentication issues with mmap() on drm devices

	 

	Jeff Hartmann sent a fix[7] for a vulnerability in the  way  the  mmap()
	system call was being used on DRM devices.
	 

	 - Kernel security hole in Linux int10 module

	

	Marc La France  commited[8]  to  the  XFree86  CVS  tree  a  fix  for  a
	vulnerability in the linux int10 module.
	 

	XFree86 3.3.6 compatiblity packages are being upgraded with  the  latest
	branch patches available. The  changelog[9]  entries  from  the  XFree86
	source related to security fixes since our last update are below:
	

	 - Avoid DoS attacks on xdm (Keith Packard).

	 - Check for negative reply length/overflow in _XAsyncReply (Xlib)

	   (#4601, Mike Harris).

	 - Fix possible buffer overflow (NOT on stack) in xdm xdmcp code

	   (patch69 from Red Hat SRPMS).

	 - Pull in fixes from 4.0.2 for the following problems:

	   . XlibInt buffer overflow

	   . libICE denial of service

	   . XOpenDisplay buffer overflow (#4450, Branden Robinson)

	 - Fix temp file problem in Imake.rules, InstallManPageAliases

	   (Matthieu Herrb)

	 - Pull in fixes from the main branch:

	   . xfs DoS (Paulo Cesar Pereira de Andrade and Keith Packard),

	   . _XAsyncReply() Xlib stack corruption,

	   . Xaw temp file handling (Branden Robinson).

	 - Safe tempfile handling for imake's probing of glibc version (based

	   on #4257, Colin Phipps).

	 - Fix a 1-byte overflow in Xtrans.c (#4182, Aaron Campbell).

	 - Back port fix for http://www.securityfocus.com/archive/1/139436

	   from 4.0 (#4181, Matthieu Herrb).

	

	REFERENCES:
	

	 1.http://www.xfree86.org/security/

	 2.http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000529&idioma=en

	 3.http://marc.theaimsgroup.com/?l=vuln-dev&m=100118958310463&w=2

	 4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0955

	 5.http://www.xfree86.org/devel/archives/patch/2001-Apr/0069.shtml

	 6.http://www.xfree86.org/pipermail/cvs-commit/2001-October/003140.html

	 7.http://www.xfree86.org/pipermail/cvs-commit/2001-May/002350.html

	 8.http://www.xfree86.org/pipermail/cvs-commit/2001-March/001633.html

	 9.http://cvsweb.xfree86.org/cvsweb/~checkout~/xc/programs/Xserver/hw/xfree86/CHANGELOG?rev=3.390.2.341

	

SOLUTION

	All XFree86 users are advised to upgrade.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH