COMMAND
xc/lib/Xt/Error.c
SYSTEMS AFFECTED
Berkeley Software Design, Inc. (BSDI)
Digital Equipment Corporation (DEC)
FreeBSD, Inc.
Hewlett-Packard Company
IBM Corporation
Silicon Graphics Inc.
The Santa Cruz Operation, Inc. (SCO) (maybe)
Sun Microsystems, Inc.
PROBLEM
The following text is based on a CERT advisory. There have been
discussions on public mailing lists about buffer overflows in the
Xt library of the X Windowing System made freely available by The
Open Group (and previously by the now-defunct X Consortium).
During these discussions, exploitation scripts were made
available for some platforms.
The specific problem outlined in those discussions was a buffer
overflow condition in the Xt library and the file
xc/lib/Xt/Error.c. It was possible for a user to execute
arbitrary instructions as a privileged user using a program built
by this distribution with setuid or setgid bits set.
Note that in this case a root compromise was only possible when
programs built from this distribution (e.g., xterm) were setuid
root.
If you use a distribution of the X Windowing System earlier than
X11 Release 6.3 that you downloaded and compiled yourself, you
are encouraged to take the steps outlined in the Solution section.
Platforms that have X applications built with the setuid or
setgid bits set may be vulnerable to buffer overflow conditions.
These conditions can make it possible for a local user to execute
arbitrary instructions as a privileged user without
authorization. Access to an account on the system is necessary
for exploitation.
SOLUTION
If any X tools that you are using are potentially vulnerable, you
are encouraged to take one of the following steps. If the setuid
or setgid bits are not enabled on any of the tools in your
distribution, you do not need to take any of the steps listed
below.
For distributions that were built directly from the source code
supplied by The Open Group (and previously by the X Consortium),
we encourage you to apply the solutions mentioned below.
You should upgrade to X11 Release 6.3. If you download and build
your own distributions directly from the source code, you are
encouraged to install the latest version, X11 Release 6.3. The
source code can be obtained from:
ftp://ftp.x.org/pub/R6.3/tars/xc-1.tar.gz
ftp://ftp.x.org/pub/R6.3/tars/xc-2.tar.gz
ftp://ftp.x.org/pub/R6.3/tars/xc-3.tar.gz
You can also install a patch from your vendor if one exists. The
following vendors are investigating this problem:
The Santa Cruz Operation, Inc. (SCO)
Sun Microsystems, Inc.
The following vendors have provided a solution to this problem:
Berkeley Software Design, Inc. (BSDI)
=====================================
We released a patch for this for the 2.1 BSD/OS release, and it's
already fixed in our current release.
Digital Equipment Corporation (DEC)
===================================
At the time of writing this document (May 1997), patches (binary
kits) are in progress and final testing is expected to begin soon.
Digital will provide notice of the completion/availability of the
patches through AES services (DIA, DSNlink FLASH) and be available
from your normal Digital Support channel.
FreeBSD, Inc.
=============
We're aware of the problem and are trying to correct it with a
new release of the Xt library.
Hewlett-Packard Company
=======================
For HP-UX, install the applicable patches:
PHSS_10167   9.X     X11R5/Motif1.2 Runtime
PHSS_10168   9.X     X11R5/Motif1.2 Development
PHSS_9809    10.0X   X11R5/Motif1.2 Runtime (also for 10.10)
PHSS_9810    10.0X   X11R5/Motif1.2 Development
PHSS_9809    10.10   X11R5/Motif1.2 Runtime (also for 10.0X)
PHSS_9811    10.10   X11R5/Motif1.2 Development
PHSS_10688   10.20   X11R5/Motif1.2 Runtime
PHSS_9813    10.20   X11R5/Motif1.2 Development
PHSS_10789   10.20   X11R6/Motif1.2 Runtime
PHSS_9815    10.20   X11R6/Motif1.2 Development
PHSS_11021   10.24   VVOS X/Motif Runtime July97 Periodic patch
IBM Corporation
===============
AIX 3.2 APAR - IX61784,IX67047,IX66713 (PTF - U445908,U447740)
AIX 4.1 APAR - IX61031 IX66736 IX66449
AIX 4.2 APAR - IX66824 IX66352
NEC Corporation
===============
EWS-UX/V(Rel4.2)     R7.x - R10.x      vulnerable
EWS-UX/V(Rel4.2MP)   R10.x             vulnerable
UP-UX/V(Rel4.2MP)    R5.x - R7.x       vulnerable
UX/4800              R11.x - current   vulnerable
Patches for this vulnerability are in progress.
Silicon Graphics Inc.
=====================
Patches are:
OS Version   Vulnerable?   Patch #     Other Actions
----------   -----------   -------     -------------
IRIX 3.x     no
IRIX 4.x     yes           not avail   Upgrade
IRIX 5.0.x   yes           not avail   Upgrade
IRIX 5.1.x   yes           not avail   Upgrade
IRIX 5.2     yes           not avail   Upgrade
IRIX 5.3     yes           2155
IRIX 6.0.x   yes           not avail   Upgrade
IRIX 6.1     yes           not avail   Upgrade
IRIX 6.2     yes           2154
IRIX 6.3     yes           2153
IRIX 6.4     yes           2396
Sun Microsystems
================
The vulnerabilities in libXt are fixed by the following patches:
OS version        Patch ID
__________        ________
SunOS 5.5.1       104338-02
SunOS 5.5.1_x86   105105-01
SunOS 5.5         104337-02
SunOS 5.5_x86     105104-01
SunOS 5.4         105075-01
SunOS 5.4_x86     105103-01
SunOS 5.3         101429-04
SunOS 4.1.4       100512-05
SunOS 4.1.3_U1    100512-05
If you can't apply one of these solutions, remove suid bits.
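The check the Solution section starts from (are setuid or setgid bits set on any X tool?) and the fallback of removing those bits can be scripted. The following is an added example, not part of the advisory: the function names, the directory argument and the use of readelf to read each program's dynamic section are assumptions, and a statically linked copy of Xt is not detected by it.

```shell
#!/bin/sh
# Added example: audit setuid/setgid programs that depend on libXt.
# Usage (directory is an assumption, adjust to your X install):
#   sh audit_xt.sh /usr/X11R6/bin          # report only
#   sh audit_xt.sh /usr/X11R6/bin fix      # also clear the bits

# Print every regular file under $1 that has the setuid or setgid bit set.
find_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Succeed if the ELF dynamic section of $1 names libXt as a dependency.
# readelf only parses the file and never executes it.
needs_libxt() {
    readelf -d "$1" 2>/dev/null | grep 'NEEDED' | grep -q 'libXt\.'
}

# Report each privileged file as "libXt <path>" or "other <path>".
# With "fix" as $2, clear setuid/setgid on the files that link libXt.
audit_xt() {
    dir=$1
    mode=${2:-report}
    find_privileged "$dir" | while IFS= read -r f; do
        if needs_libxt "$f"; then
            echo "libXt $f"
            if [ "$mode" = fix ]; then
                chmod ug-s "$f"
            fi
        else
            echo "other $f"
        fi
    done
}

# Run only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_xt "$@"
fi
```

Files reported as "other" still run with elevated privilege and should be reviewed by hand, since they may contain a static copy of the library.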