Package: xlib
Version: ?

We have this bug, don't we ? It should be fixed.

Ian.

------- start of forwarded message (RFC 934 encapsulation) -------
Article: 918 of chiark.mail.linux-security
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
MIME-Version: 1.0
Message-ID: <[EMAIL PROTECTED]>
Newsgroups: chiark.mail.linux-security
Path: ewrotcd!mail-to-news!not-for-mail
Precedence: list
Received-001: from gate.insite.co.uk ([193.123.212.10]) by chiark.chu.cam.ac.uk with smtp (ident root using rfc1413) id m0uwIIx-0004OtC (Debian /\oo/\ Smail3.1.29.1 #29.35); Fri, 30 Aug 96 02:23 BST
Received-002: from marmoset.cv.nrao.edu ([EMAIL PROTECTED] [192.33.115.176]) by gate.insite.co.uk (8.6.9/8.6.12) with ESMTP id AAA24770; Fri, 30 Aug 1996 00:36:56 GMT
Received-003: from tarsier.cv.nrao.edu ([EMAIL PROTECTED] [192.33.115.50]) by marmoset.cv.nrao.edu (8.6.12/$Revision: 3.22 $) with ESMTP id SAA20072; Thu, 29 Aug 1996 18:39:26 -0400
Received-004: (from [EMAIL PROTECTED]) by tarsier.cv.nrao.edu (8.6.13/$Revision: 2.10 $) id SAA19717; Thu, 29 Aug 1996 18:40:02 -0400
Return-Path: <[EMAIL PROTECTED]>
X-Mailer: ELM [version 2.4 PL25 PGP2]
X-Original-Date: Thu, 29 Aug 1996 13:35:46 +0200 (MET DST)
X-Original-From_: [EMAIL PROTECTED] Fri Aug 30 02:24:24 1996
Lines: 51
From: Marek Michalkiewicz <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [linux-security] Re: Vulnerability in the Xt library (fwd)
Date: Fri, 30 Aug 1996 04:52:11 GMT

Following up my previous message...

Another message from bugtraq, which contains a patch to fix the libXt buffer overrun. I haven't verified if the fix is indeed in the (just released) XFree86-3.1.2F - - can't get to ftp.xfree86.org right now (too many users), and can't find this version on mirror sites yet.

Marek

[REW: I'm not sure that this made it into 3.1.2F. The X consortium fixed a similar bug, which very likely came in too late (the 27th) to make it into 3.1.2F. As an aside, the release of 3.1.2F was MUCH too hasty. (These security bugs have nothing to do with that though.)]

> Date: Sun, 25 Aug 1996 22:05:16 -0700
> From: Ollivier Robert <[EMAIL PROTECTED]>
> Subject: Re: Vulnerability in the Xt library (fwd)
> To: Multiple recipients of list BUGTRAQ <[EMAIL PROTECTED]>
>
> According to John Capo:
> > Stefan `Sec` Zehl writes:
> > > I can confirm this for Freebsd 2.2-Current, it gives me a euid=0 /bin/sh
> >
> > I can also. The xterm cores on -stable though.
>
> I sent a patch and a portable version of snprintf to both the X consortium and Xfree86 yesterday. It will be in 3.1.2F.
>
> If you have XFree sources on-line and are willing to recompile, apply the following patch in xc/lib/Xt:
>
> --- Error.c.old Sun Aug 25 14:57:28 1996 > +++ Error.c Sun Aug 25 14:47:14 1996 > @@ -238,5 +238,5 @@ > (void) memmove((char*)par, (char*)params, i * sizeof(String) ); > bzero( &par[i], (10-i) * sizeof(String) ); > - (void) sprintf(message, buffer, par[0], par[1], par[2], par[3], > + (void) snprintf(message, sizeof message, buffer, par[0], par[1], > par[2], par[3], > par[4], par[5], par[6], par[7], par[8], par[9]); > XtError(message); 
> @@ -263,5 +263,5 @@ > (void) memmove((char*)par, (char*)params, i * sizeof(String) ); > bzero ( &par[i], (10-i) * sizeof(String) ); > - (void) sprintf(message, buffer, par[0], par[1], par[2], par[3], > + (void) snprintf(message, sizeof message, buffer, par[0], par[1], > par[2], par[3], > par[4], par[5], par[6], par[7], par[8], par[9]); > XtWarning(message);
>
> --
> Ollivier ROBERT -=- The daemon is FREE! -=- [EMAIL PROTECTED]
> FreeBSD keltia.freenix.fr 2.2-CURRENT #18: Sun Aug 18 19:16:52 MET DST 1996
>
------- end -------
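
Review bot: in the first hunk (the XtError call), `sizeof message` bounds the write only if `message` is declared as a char array in this scope. The hunk does not show the declaration, and if `message` is a pointer the bound silently becomes the size of a pointer. Please confirm the declaration, or pass the buffer size as a named constant. The return value is also cast to void, so a message that does not fit is truncated without notice before it reaches XtError; if that is intended on this error path, a short comment saying so would help.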
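
Review bot: in the second hunk (the XtWarning call), the new length bound does not change the fact that `buffer` is still passed as the format string with ten String arguments, so any conversion in it that does not consume a string, or an eleventh conversion, is still undefined behaviour. Please add a comment on where `buffer` comes from and why it is trusted as a format. The context lines also copy `i * sizeof(String)` bytes into `par` and zero `(10-i)` entries, and nothing visible in the hunk clamps `i` to 10. Finally, the covering message says a portable snprintf was sent separately, but this patch does not include it, so the build depends on the platform providing snprintf.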