COMMAND

    Xlib

SYSTEMS AFFECTED

    XFree 3.3.x Xlib

PROBLEM

    Michal Zalewski posted the following.  The problem is simple: any
    executable linked against Xlib can be invoked with a -display
    command-line parameter or a DISPLAY environment variable crafted to
    cause a trivial stack overflow.  This happens because, before the
    unix socket connection is established, the socket path containing
    user-supplied data is sprintf()ed into a small buffer.

    You can overwrite both local variables and the return address with
    a limited set of characters (well, limited to digits ;), but Michal
    strongly believes it could be exploited without difficulty by
    affecting only the less significant bytes (partial address
    overwriting, partial variable overwriting, known techniques).
    Examining the stack and code shows that at least little-endian
    machines are very likely to be vulnerable to successful
    exploitation.

    So, the impact is:

        DISPLAY=:`perl -e '{print "0"x128}'` any_privileged_X_application

    (or: any_privileged_X_application -display :...)

    Commonly affected X clients are the *term programs, games and
    several other programs that are setuid and linked against Xlib,
    whenever they need to access the X server display.
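    A bounded version of the socket path construction described above,
    added here as an example and not XFree86's own code: it parses the
    display number with a digit limit instead of copying the string, and
    checks the snprintf() result.  The /tmp/.X11-unix/X<n> naming, the
    digit limit and the buffer size are assumptions made for the demo.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of the Unix-domain socket name: /tmp/.X11-unix/X<n>.
 * The digit limit and buffer size are chosen for the demo, not Xlib's. */
#define X_UNIX_PREFIX "/tmp/.X11-unix/X"
#define MAX_DISPLAY_DIGITS 5
static char demo_path[32];   /* destination buffer used by main() */

/* Extract the display number from ":0", ":0.0" or "host:1".
 * Returns the number, or -1 for malformed or overlong input, so the
 * 128-digit string from the advisory is refused instead of copied. */
int display_number(const char *display)
{
    const char *p = strchr(display, ':');
    int digits = 0, val = 0;

    if (p == NULL || !isdigit((unsigned char)p[1])) return -1;
    for (p++; isdigit((unsigned char)*p); p++) {
        if (++digits > MAX_DISPLAY_DIGITS) return -1;  /* bound the length */
        val = val * 10 + (*p - '0');
    }
    /* Only an optional ".screen" suffix may follow the number. */
    if (*p != '\0' && *p != '.') return -1;
    return val;
}

/* Build the socket path with snprintf() and check its return value,
 * the bound the sprintf() described in the advisory lacked.  Returns
 * the path length, or -1 if the input is bad or the path does not fit. */
int build_socket_path(const char *display, char *out, size_t outlen)
{
    int num = display_number(display), n;

    if (num < 0) return -1;
    n = snprintf(out, outlen, X_UNIX_PREFIX "%d", num);
    if (n < 0 || (size_t)n >= outlen) return -1;      /* would truncate */
    return n;
}

int main(void)
{
    /* Constructed inputs: a normal display and the padded one from the advisory. */
    const char *inputs[] = { ":0", "localhost:1.0", ":0000000000000000000000000000000" };
    for (size_t i = 0; i < 3; i++)
        printf("%-34s -> %s\n", inputs[i],
               build_socket_path(inputs[i], demo_path, sizeof demo_path) < 0 ? "rejected" : demo_path);
    return 0;
}
```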

SOLUTION

    It was fixed in XFree86 4.0.