COMMAND

    libXt

SYSTEMS AFFECTED

    RedHat 4.0, 4.1, 4.2

PROBLEM

    A buffer overflow was found in the resource handling section of
    the X11 system (libXt). As this is a problem with libXt itself,
    every program using libXt is affected, including core programs
    such as xterm and programs derived from it. Of course, only suid
    and sgid programs can be exploited to gain extra privileges.
    Credit for info goes to Alexander O. Yuriev.

SOLUTION

    The workaround requires identifying and temporarily disabling suid
    programs in the X11R6 tree. The following sequence of commands
    can be used to find all suid and sgid programs of the X11 tree:

        $ cd /usr/X11/bin
        $ find . -type f -a \( -perm -2000 -o -perm -4000 \) -print

    The permanent solution requires fixing libXt. Until that is
    possible, it is recommended that you apply the temporary
    workaround. This buffer overflow does not exist in the XFree86
    3.3 code. It is recommended that you upgrade to XFree86 3.3 as
    soon as it becomes available.
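    The following script is an added example and is not part of the
    original advisory. It carries the workaround above one step
    further: it finds the suid and sgid programs under a given tree
    with the same find test the advisory uses, records their current
    modes to a file, clears the s-bits, and can put them back once the
    fixed packages listed below are installed. It assumes GNU find
    (for -printf) and takes the tree as an argument rather than
    hard-coding /usr/X11/bin.

```shell
#!/bin/sh
# Added example, not part of the original advisory: apply the advisory's
# workaround (find the setuid/setgid programs in the X11 tree and clear
# their s-bits) in a way that records the original modes so they can be
# restored after the fixed XFree86-libs / X11R6.1-libs packages are installed.
# Assumptions: GNU find (for -printf '%m', the octal mode including the
# s-bits), and that the tree to examine is passed as an argument, e.g.
# /usr/X11/bin as in the advisory. Run as root against the real tree.

# list_suid_sgid DIR: print every setuid or setgid regular file under DIR.
# Same test the advisory uses: -perm -2000 (sgid) or -perm -4000 (suid).
list_suid_sgid() {
    find "$1" -type f \( -perm -2000 -o -perm -4000 \) -print
}

# count_suid_sgid DIR: number of such files (0 once the workaround is applied).
count_suid_sgid() {
    list_suid_sgid "$1" | wc -l | tr -d ' '
}

# disable_suid_sgid DIR MODEFILE: write "mode path" for each s-bit file to
# MODEFILE, then clear the setuid and setgid bits on each of them. The mode
# comes first on the line so a path containing spaces survives the later read.
disable_suid_sgid() {
    find "$1" -type f \( -perm -2000 -o -perm -4000 \) -printf '%m %p\n' > "$2"
    while read -r mode path; do
        chmod u-s,g-s "$path"
    done < "$2"
}

# restore_suid_sgid MODEFILE: put the recorded modes back, for use after the
# fixed libXt packages from the advisory have been installed.
restore_suid_sgid() {
    while read -r mode path; do
        chmod "$mode" "$path"
    done < "$1"
}

# Usage (as root):
#   disable_suid_sgid /usr/X11/bin /root/x11-suid-modes.txt
#   ... install the fixed packages ...
#   restore_suid_sgid /root/x11-suid-modes.txt
```

    Keep the mode file somewhere outside the X11 tree and re-run
    count_suid_sgid after disabling to confirm it reports 0; a non-zero
    count means a program was added or re-installed with its s-bits
    after the workaround was applied.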

    Fixed versions of the libraries are currently available for:

    o Red Hat Linux/Alpha 4.1, 4.2
        ftp://ftp.redhat.com/updates/4.2/alpha/XFree86-devel-3.2-10.alpha.rpm
        ftp://ftp.redhat.com/updates/4.2/alpha/XFree86-libs-3.2-10.alpha.rpm
        ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-devel-3.2-10.alpha.rpm
        ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-libs-3.2-10.alpha.rpm

    o Red Hat Linux/Intel 4.0, 4.1, 4.2
        ftp://ftp.redhat.com/updates/4.2/i386/XFree86-devel-3.2-10.i386.rpm
        ftp://ftp.redhat.com/updates/4.2/i386/XFree86-libs-3.2-10.i386.rpm
        ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-devel-3.2-10.i386.rpm
        ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/XFree86-libs-3.2-10.i386.rpm

    o Red Hat Linux/SPARC 4.0, 4.1, 4.2
        ftp://ftp.redhat.com/updates/4.2/sparc/X11R6.1-devel-pl1-21.sparc.rpm
        ftp://ftp.redhat.com/updates/4.2/sparc/X11R6.1-libs-pl1-21.sparc.rpm
        ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/X11R6.1-devel-pl1-21.sparc.rpm
        ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/X11R6.1-libs-pl1-21.sparc.rpm