Goswin von Brederlow wrote:
> concerning your
>
> > 1. Unsafe resource file reading.
> >
> > and
> >
> > 2. Unsafe XSHISENLIB environment variable.
>
> Both of them, if exploitable, would be bugs in the Xrm or Xpm library
> respectively.
>
> The same argument can probably be made against pretty much any X
> application and X itself. There is a lot of software that just loads
> in user-defined xpm files and such.
Actually there's very little software that is suid/sgid and reads in user-controlled X resource files. In fact xshisen is the only such program I know of, aside from X itself (which I assume does so securely). I think that hole is likely exploitable, and it's not a bug in X, especially given the documentation. It is a bug in the xpm library when a malformed xpm can be exploited. Such holes have been found before (CAN-2004-0914). However, such xpm bugs typically don't let a local user increase their permissions. The fact that xshisen turns an xpm exploit into a gid games exploit is a design hole in xshisen.

-- 
see shy jo
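The design point made above, that a setgid program which hands user-controlled files to a parsing library converts any library bug into a gid games escalation, has two standard mitigations: ignore path-redirecting environment variables while privileged, and shed the games gid before parsing anything the user can influence, regaining it only for the score file. The following is an added illustration of both patterns, not code from xshisen or from anyone in this thread; XSHISEN_DEFAULT_LIBDIR, the function names and the sample directory are assumptions made for the example.

```c
/* Added example: defensive patterns for a setgid game that parses
 * user-supplied resource files with a C library such as Xpm.
 * XSHISEN_DEFAULT_LIBDIR and all function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed compiled-in location of the trusted resource files. */
#define XSHISEN_DEFAULT_LIBDIR "/usr/share/games/xshisen"

/* Effective gid the process started with (the games gid when setgid). */
static gid_t start_egid;

/* True when effective ids differ from real ids, i.e. the binary runs
 * with a setuid/setgid bit and the environment is attacker-controlled. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pattern 1: honour an env var that redirects resource loading only when
 * not privileged (the policy glibc's secure_getenv() applies).  The
 * 'privileged' flag is a parameter so the policy can be exercised
 * without installing a setgid binary. */
const char *resource_dir(const char *envname, int privileged)
{
    const char *dir = privileged ? NULL : getenv(envname);
    return (dir && *dir) ? dir : XSHISEN_DEFAULT_LIBDIR;
}

/* Pattern 2: drop to the caller's real gid before parsing.  setegid()
 * leaves the saved gid untouched, so the games gid stays reachable.
 * Returns 0 on success, -1 on failure (the caller must abort). */
int drop_to_real_gid(void)
{
    start_egid = getegid();
    if (setegid(getgid()) != 0)
        return -1;
    return getegid() == getgid() ? 0 : -1;
}

/* Regain the original effective gid, only for writing the score file. */
int regain_start_gid(void)
{
    if (setegid(start_egid) != 0)
        return -1;
    return getegid() == start_egid ? 0 : -1;
}

/* Parse a user-influenced file with privileges dropped.  Returns the
 * number of bytes read, or -1 if the file is unreadable or the drop
 * failed.  A real program would hand the bytes to the image parser. */
long load_untrusted_resource(const char *path)
{
    if (drop_to_real_gid() != 0)
        return -1;
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    long total = 0;
    unsigned char buf[4096];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0)
        total += (long)n;
    fclose(f);
    return total;
}

int main(void)
{
    int priv = running_privileged();
    const char *dir = resource_dir("XSHISENLIB", priv);
    printf("privileged=%d resource dir=%s\n", priv, dir);
    /* Constructed sample path; a real program would build it from dir. */
    printf("read %ld bytes\n", load_untrusted_resource("/dev/null"));
    return regain_start_gid();
}
```

The two checks to keep in mind: the drop must be verified after setegid() (a silent failure would leave the parser running as games), and regain_start_gid() should be called only around the score-file write, never before parsing.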