Subject: NetBSD Security Advisory 1998-002
To: None <current-users@NetBSD.ORG, netbsd-announce@NetBSD.ORG>
From: matthew green <>
List: netbsd-announce
Date: 05/10/1998 22:29:01

                 NetBSD Security Advisory 1998-002

Topic:		xterm and Xaw library vulnerability
Version:	NetBSD 1.3, 1.3.1
Severity:	local user may gain super-user privileges

--------

Buffer overflow vulnerabilities in xterm(1) and the Xaw library
distributed with NetBSD may allow a local user to gain super-user
privileges.  The `inputMethod' and `preeditType' resources
are vulnerable in both xterm(1) and the Xaw library; the `*Keymap'
resources are also vulnerable in xterm(1).

Technical Details
-----------------

Several memory copies in xterm(1) and the Xaw library do not properly
bounds check their arguments, allowing the user to overwrite parts of
the process's address space.  By overwriting the program's stack, it is
possible to change the return address of the current function to point
at the data written, so that arbitrary code can be executed.  This
allows a local user to gain super-user privileges, as xterm(1) is
setuid-root.  Any setuid program that uses the Xaw library is similarly
affected.  In NetBSD, the only setuid-root X11 programs are xterm(1)
and xconsole(1).

Solutions and Workarounds
-------------------------

A patch is available for the NetBSD 1.3 and NetBSD 1.3.1 X11 source,
which fixes the above problems.  You may find this patch on the NetBSD
ftp server:


The patch contains details on how to apply it.

Alternatively, the problem can be worked around (with a loss of
functionality) by removing the setuid bit from the xterm(1) and
xconsole(1) programs.  This can be done with the following command:

    # chmod u-s /usr/X11R6/bin/xconsole /usr/X11R6/bin/xterm
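
To confirm the workaround on a host, the following is an added example (not
part of the original advisory or of NetBSD's own tooling).  The function
names are hypothetical; the directory to pass is the one used in the chmod
command above.  It also reports any other setuid programs in that directory,
since any setuid program that uses the Xaw library is similarly affected.

```sh
#!/bin/sh
# Added example, not from the advisory: audit X11 binaries for the setuid bit.
# Function names are hypothetical. Usage: sh audit.sh /usr/X11R6/bin

# List regular files in directory $1 that are setuid and owned by uid $2
# (default 0, i.e. root), one path per line, sorted.
list_setuid_x11() {
    dir=$1
    owner=${2:-0}
    find "$dir" -type f -perm -4000 -user "$owner" -print 2>/dev/null | sort
}

# Setuid programs other than the two the advisory names; each one should be
# checked by hand for use of the Xaw library.
unexpected_setuid() {
    list_setuid_x11 "$1" "${2:-0}" | while IFS= read -r path; do
        case ${path##*/} in
            xterm|xconsole) ;;
            *) echo "$path" ;;
        esac
    done
}

# Return 0 if neither xterm nor xconsole in $1 still has the setuid bit,
# 1 otherwise. Prints each path that still has it.
workaround_applied() {
    dir=$1
    rc=0
    for prog in xterm xconsole; do
        path=$dir/$prog
        # test -u is true when the file exists and its setuid bit is set
        if [ -f "$path" ] && [ -u "$path" ]; then
            echo "still setuid: $path"
            rc=1
        fi
    done
    return $rc
}

# Run the audit only when a directory is given on the command line.
if [ "$#" -eq 1 ]; then
    unexpected_setuid "$1"
    workaround_applied "$1"
fi
```

The script exits non-zero while xterm or xconsole in the given directory
still carries the setuid bit.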

Thanks To
---------

Thanks to The Open Group and CERT for forwarding information about
the problems, and to Tom E. Dickey <> and the XFree86 team for
providing actual fixes for the xterm and Xaw problems, respectively.
Please see, and for more information about these groups.

More Information
----------------

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.

Copyright 1998, The NetBSD Foundation.  All Rights Reserved.
