Bugtraq mailing list archives
Re: libX11
From: abelits () PHOBOS ILLTEL DENVER CO US (Alex Belits)
Date: Thu, 27 Feb 1997 18:14:46 -0800
On Fri, 28 Feb 1997, Paul Szabo wrote:
A few days ago SNI released an advisory concerning buffer overrun problems in libX11. Their "fix advice" was to upgrade to X11R6.3, or to remove setuid/setgid privileges from vulnerable programs (e.g. xload and xterm). I do not think I can upgrade to the current release of X11: how would I integrate that into Digital Unix (a.k.a. OSF/1)? And I could not give up the functionality of xterm... So instead I wrote the following wrapper, and used it to wrap xload, xterm and xconsole. My wrapper, and the SNI advisory, included below.
A simpler workaround will be just to remove the setuid bit. xterm won't write utmp entries or capture console messages (no big loss), xload isn't of much use for non-root, and xconsole shouldn't be started from anywhere but /usr/lib/X11/xdm/Xsetup_0, which runs as root before a local user logs in through xdm (it won't hurt to start xload from there too, if necessary). On some other systems only xterm is setuid.

In any case, the hassle of upgrading X is rather minimal unless some really complex changes in configuration were made, and even in that case most things can just be fixed using backup copies of resource files, fonts and scripts.

--
Alex

P.S. I haven't confirmed it, but in Digital Unix with CDE I have seen that dtlogin (the CDE replacement for xdm) doesn't update cookies between logins. Is it a known bug, a misconfiguration or an intentional limitation of functionality? There was an xdm bug that limited the number of possible cookies (X11R6 fix 13, if I remember it correctly), but that thing seems to just refuse to change the cookie in .Xauthority, so they should be unrelated.
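
The workaround discussed in the message above (dropping the setuid bit from xterm, xload and xconsole), as an added example that is not part of the original post: a POSIX shell audit that reports which of those clients still carry setuid/setgid bits and can clear them. The function names `priv_bits` and `audit_x_clients` and the directory argument are hypothetical; the location of the X clients varies by system.

```shell
#!/bin/sh
# Added example: audit X clients for setuid/setgid bits, optionally strip them.
# Program names come from the thread; the directory argument is an assumption.

X_CLIENTS="xterm xload xconsole"

# Prints "u", "g", "ug", or "-" for a file's setuid/setgid bits.
priv_bits() {
    bits=""
    [ -u "$1" ] && bits="${bits}u"
    [ -g "$1" ] && bits="${bits}g"
    echo "${bits:--}"
}

# audit_x_clients DIR [fix]
# Reports each listed client found in DIR; with "fix", clears the bits.
# Returns 0 when no client is left privileged, 1 otherwise.
audit_x_clients() {
    dir=$1 mode=${2:-report} status=0
    for name in $X_CLIENTS; do
        f="$dir/$name"
        [ -f "$f" ] || continue
        # Skip symlinks: chmod would follow them to a file outside DIR.
        [ -h "$f" ] && { echo "skip  $f (symlink)"; continue; }
        b=$(priv_bits "$f")
        if [ "$b" = "-" ]; then
            echo "ok    $f"
        elif [ "$mode" = "fix" ] && chmod u-s,g-s "$f"; then
            echo "fixed $f (was $b)"
        else
            echo "PRIV  $f ($b)"
            status=1
        fi
    done
    return $status
}

# Run only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_x_clients "$@"
fi
```

Run it in report mode first and keep a record of the original modes, so that the bits can be restored if a site depends on utmp logging from xterm.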