Subject: NetBSD Security Advisory 1998-002
To: None <current-users@NetBSD.ORG, netbsd-announce@NetBSD.ORG>
From: matthew green <mrg@eterna.com.au>
List: netbsd-announce
Date: 05/10/1998 22:29:01
-----BEGIN PGP SIGNED MESSAGE-----

                 NetBSD Security Advisory 1998-002
                 ---------------------------------

Topic:		xterm and Xaw library vulnerability
Version:	NetBSD 1.3, 1.3.1
Severity:	local user may gain super-user privileges


Abstract
- --------

Vulnerabilities (buffer overflows) in the xterm(1) and Xaw library
distributed with NetBSD, may allow a local user to gain super-user
privileges.  The `inputMethod' and `preeditType' resources
are vulnerable in both xterm(1) and the Xaw library, with the `*Keymap'
resources also vulnerable in xterm(1).


Technical Details
- -----------------

Several memory copies in the xterm(1) and Xaw library do not properly
bounds check their arguments, allowing the user to overwrite parts of
the processes address space.  By overwriting the programs' stack, it is
possible to change the return value of the current function to the
data written, arbitrary code can be executed, allowing a local user
to gain super-user privileges, as xterm(1) is setuid-root.  Any setuid
program that uses the Xaw library is similarly affected.  In NetBSD,
the only setuid-root X11 programs are xterm(1) and xconsole(1).


Solutions and Workarounds
- -------------------------

A patch is available for the NetBSD 1.3 and NetBSD 1.3.1 X11 source,
which fixes the above problems.  You may find this patch on the NetBSD
ftp server:

    ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/19980503-xsrc

The patch contains details on how to apply it.


Alternatively, by removing the setuid bit on the xterm(1) and
xconsole(1) programs, the problem can be worked out (but with a loss
of functionality).  This can be done with the following command:

    # chmod u-s /usr/X11R6/bin/xconsole /usr/X11R6/bin/xterm


Thanks To
- ---------

Thanks to the The Open Group and CERT for forwarding information about
the problems, Tom E. Dickey <dickey@clark.net> and the XFree86 team for
providing actual fixes for the xterm and Xaw problems, respectively.
Please see http://www.opengroup.org/, http://www.cert.org/ and
http://www.XFree86.org/ for more information about these groups.


More Information
- ----------------

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.


Copyright 1998, The NetBSD Foundation.  All Rights Reserved.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.1

iQCVAwUBNVWbfz5Ru2/4N2IFAQGyzQQAsX5sSw2KYD4gwY5bIz8JUfH1bc7gC65V
o65GJ1psgdPElA0HsbSeDOi1bA0BlWVmB3BC0w9Im9gcN+Upj2su56BteyT9kHwe
XVDSFZ+wk6SgQkDhpbZGIL5eDauLJRLc5FLh7p/Myh5Ye/6CTNWI3evtxE1VOtum
mhK3O0fR0zs=
=f0Sv
-----END PGP SIGNATURE-----