Fw: CIAC Bulletin H-67: Red Hat Linux X11 Libraries Buffer Overflow

Nicko Demeter nicko at newmedia.net
Sun Jun 1 11:08:48 EEST 1997


Sygnwmhn gia thn diakoph alla opws leme edw sto America: "This just in!!"

Ta ta.....
 ----
From: CIAC Mail User <ciac at tholia.llnl.gov>
To: ciac-bulletin at tholia.llnl.gov
Date: Saturday, May 31, 1997 9:12 PM
Subject: CIAC Bulletin H-67: Red Hat Linux X11 Libraries Buffer Overflow

>-----BEGIN PGP SIGNED MESSAGE-----
>
>             __________________________________________________________
>
>                       The U.S. Department of Energy
>                    Computer Incident Advisory Capability
>                           ___  __ __    _     ___
>                          /       |     /_\   /
>                          \___  __|__  /   \  \___
>             __________________________________________________________
>
>                             INFORMATION BULLETIN
>
>                    Red Hat Linux X11 Libraries Buffer Overflow
>
>May 30, 1997 22:00 GMT                                             Number
H-67
>___________________________________________________________________________
___
>PROBLEM:       A problem has been identified in the X11 libraries that
allows
>               a buffer overflow condition.
>PLATFORM:      This problem affects all Red Hat Linux machines with X
Windows
>               installed.
>DAMAGE:        This vulnerability allows local users to gain unauthorized
root
>               access to a system.
>SOLUTION:      Apply the necessary patches indicated below.
>___________________________________________________________________________
___
>VULNERABILITY  Information involving this vulnerability has been made
publicly
>ASSESSMENT:    available.
>___________________________________________________________________________
___
>
>[  Start Linux Security Alert ]
>
>     Buffer overflow in the resource handling code of the libXt (X11R6)
>
>                              Thu May 29, 1997
>
>                 Distribution of this document is unlimited
>              Copyright (C) Alexander O. Yuriev (alex at yuriev.com)
>                                 Net Access
>
>Abstract
>
>     A buffer overflow was found in the resource handling section of the
X11
>     system (libXt). As this is a problem with libXt iself, every program
>     using libXt is affected, including core programs such as xterm and
>     programs derived from it. Of course only suid and sgid programs can
be
>     exploited to gain access to gain extra priviledges.
>
>Permanent Solution
>
>     The permanent solution requires fixing the libXt. It is recommended
>     that you utilize temporary solution. This buffer overflow does not
>     exist in XFree86 3.3 code. It is recommended that you upgrade to
>     XFree86 3.3 as soon as it becomes available.
>
>     Currently fixed versions of fixed libraries are available for:
>
>        o Red Hat Linux 4.0, 4.1, 4.2 from Red Hat Software
>
>Temporary solution
>
>     The workaround requires identifying and temporary disabling suid
>     programs in the X11R6 tree. The following sequence of commands can
be
>     used to find all suid and sgid programs of the X11 tree:
>
>          $ cd /usr/X11/bin
>          $ find . -type f -a \( -perm -2000 -o -perm -4000 \) -print
>
>     As the output, these commands would produce a list of suid or sgid
>     programs in directories starting from the current working directory
>     (/usr/X11/bin) to the end of the tree. A typical output would look
>     like:
>
>          X
>          xterm
>          dga
>
>     Determine if you use every program in question. Look at the manual
>     pages to see if you really need it at this time. I personally have
no
>     idea why Red Hat did not remove the dga(1) program of the XFree86
>     distribution shipped with Red Hat 4.1 as dga(1) manual page states:
>
>          dga - test program for the Xfree86-DGA extension
>
>     Assuming that the DGA extension is required, the test program should
be
>     used only by "root". Therefore, the suid bit is not needed and
should
>     be removed. Same logic should be applied to other suid/sgid
programs.
>     At this time you probably should remove suid bit from the dga(1) or
at
>     least make it non-world executable. Use commands:
>
>          # chmod 111 dga
>          # chattr +I dga
>
>     to disable suid bit on a dga binary and make it immutable. Use the
same
>     method to evaluate all other suid programs.
>
>     Programs that should be run by root only, should never be suid to
root,
>     or at least should not be world executable. X Display Manager,
xdm(1),
>     falls into this category.
>
>     If you need the functionality provided by the vulnerable program,
>     disable execution for that program and add trusted accounts that
need
>     to run the program into the group which own the program. You must
>     realize that by doing this you are allowing those who have access to
>     the trusted accounts exploit the vulnerability and gain access to
the
>     euid of the program.
>
>XTERM(1) and xterm derived programs
>
>     Unfortunately, you cannot remove suid bit from the xterm(1) and
>     programs derived from it withot losing part of functionality. The
>     advice by authors of exploits from bugtraq to squash suid bit
prevents
>     xterm(1) from changing ownerships of tty devices allowing any user on
a
>     system to read information from terminal devices.
>
>     This looks like a lose-lose situation unless you are willing to
disable
>     xterm(1) program completely (and leave with it being disabled )
until
>     the fixed version becomes available. Basically, you should consider
>     risks of someone from your system running xterm(1) and gaining root
>     access to a system vs. not being able to run xterm(1) at all and vs.
>     running xterm(1) as non-suid application which would allow one user
to
>     intercept keystrokes of another. It is your choice but no matter
what
>     you decide to do, think about the consequences first.
>
>Vendor fixes
>
>   * Red Hat Linux from Red Hat Software
>
>        o Red Hat Linux/Alpha 4.1, 4.2
>
>               ftp://ftp.redhat.com/updates/4.2/alpha/
>                     XFree86-devel-3.2-10.alpha.rpm
>               ftp://ftp.redhat.com/updates/4.2/alpha/
>                     XFree86-libs-3.2-10.alpha.rpm
>               ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
>                     RedHat/XFree86-devel-3.2-10.alpha.rpm
>               ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
>                     RedHat/XFree86-libs-3.2-10.alpha.rpm
>
>        o Red Hat Linux/Intel 4.0, 4.1, 4.2
>
>               ftp://ftp.redhat.com/updates/4.2/i386/
>                     XFree86-devel-3.2-10.i386.rpm
>               ftp://ftp.redhat.com/updates/4.2/i386/
>                     XFree86-libs-3.2-10.i386.rpm
>               ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
>                     RedHat/XFree86-devel-3.2-10.i386.rpm
>               ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
>                     RedHat/XFree86-libs-3.2-10.i386.rpm
>
>        o Red Hat Linux/SPARC 4.0, 4.1, 4.2
>
>               ftp://ftp.redhat.com/updates/4.2/sparc/
>                     X11R6.1-devel-pl1-21.sparc.rpm
>               ftp://ftp.redhat.com/updates/4.2/sparc/
>                     X11R6.1-libs-pl1-21.sparc.rpm
>               ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
>                     RedHat/X11R6.1-devel-pl1-21.sparc.rpm
>               ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
>                     RedHat/X11R6.1-libs-pl1-21.sparc.rpm
>
>          Please verify the signature of RPMs using the rpm --checksig
>          command. The RPMs are signed with the PGP key of Red Hat
Software:
>
>          pub 1024/CBA29BF9 1996/02/20 Red Hat Software, Inc.
>          <redhat at redhat.com>
>
>Acknowledgements
>
>     The exploits were posted in bugtraq mailing list by Ming Zhang. Erik
>     Troan (ewt at redhat.com) from Red Hat Software provided information
about
>     the XFree86 3.3, as well as fixes for the Red Hat Linux
>
>[ End Linux Security Alert ]
>
>___________________________________________________________________________
___
>
>CIAC wishes to acknowledge the contributions of Alexander O. Yuriev and
others
>for the information contained in this bulletin.
>___________________________________________________________________________
___
>
>CIAC, the Computer Incident Advisory Capability, is the computer
>security incident response team for the U.S. Department of Energy
>(DOE) and the emergency backup response team for the National
>Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
>National Laboratory in Livermore, California. CIAC is also a founding
>member of FIRST, the Forum of Incident Response and Security Teams, a
>global organization established to foster cooperation and coordination
>among computer security teams worldwide.
>
>CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
>can be contacted at:
>    Voice:    +1 510-422-8193
>    FAX:      +1 510-423-8002
>    STU-III:  +1 510-423-2604
>    E-mail:   ciac at llnl.gov
>
>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
>Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
>duty person, and the secondary PIN number, 8550074 is for the CIAC
>Project Leader.
>
>Previous CIAC notices, anti-virus software, and other information are
>available from the CIAC Computer Security Archive.
>
>   World Wide Web:      http://ciac.llnl.gov/
>   Anonymous FTP:       ciac.llnl.gov (198.128.39.53)
>   Modem access:        +1 (510) 423-4753 (28.8K baud)
>                        +1 (510) 423-3331 (28.8K baud)
>
>CIAC has several self-subscribing mailing lists for electronic
>publications:
>1. CIAC-BULLETIN for Advisories, highest priority - time critical
>   information and Bulletins, important computer security information;
>2. CIAC-NOTES for Notes, a collection of computer security articles;
>3. SPI-ANNOUNCE for official news about Security Profile Inspector
>   (SPI) software updates, new features, distribution and
>   availability;
>4. SPI-NOTES, for discussion of problems and solutions regarding the
>   use of SPI products.
>
>Our mailing lists are managed by a public domain software package
>called Majordomo, which ignores E-mail header subject lines. To
>subscribe (add yourself) to one of our mailing lists, send the
>following request as the E-mail message body, substituting
>ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:
>
>E-mail to       ciac-listproc at llnl.gov or majordomo at tholia.llnl.gov:
>        subscribe list-name
>  e.g., subscribe ciac-notes
>
>You will receive an acknowledgment email immediately with a confirmation
>that you will need to mail back to the addresses above, as per the
>instructions in the email.  This is a partial protection to make sure
>you are really the one who asked to be signed up for the list in
question.
>
>If you include the word 'help' in the body of an email to the above
address,
>it will also send back an information file on how to subscribe/unsubscribe,

>get past issues of CIAC bulletins via email, etc.
>
>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>communities receive CIAC bulletins.  If you are not part of these
>communities, please contact your agency's response team to report
>incidents. Your agency's team will coordinate with CIAC. The Forum of
>Incident Response and Security Teams (FIRST) is a world-wide
>organization. A list of FIRST member organizations and their
>constituencies can be obtained via WWW at http://www.first.org/.
>
>This document was prepared as an account of work sponsored by an
>agency of the United States Government. Neither the United States
>Government nor the University of California nor any of their
>employees, makes any warranty, express or implied, or assumes any
>legal liability or responsibility for the accuracy, completeness, or
>usefulness of any information, apparatus, product, or process
>disclosed, or represents that its use would not infringe privately
>owned rights. Reference herein to any specific commercial products,
>process, or service by trade name, trademark, manufacturer, or
>otherwise, does not necessarily constitute or imply its endorsement,
>recommendation or favoring by the United States Government or the
>University of California. The views and opinions of authors expressed
>herein do not necessarily state or reflect those of the United States
>Government or the University of California, and shall not be used for
>advertising or product endorsement purposes.
>
>LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
>H-57: Windows NT/95 Out of Band Data Exploit
>H-58: IRIX runpriv Program Vulnerability
>H-59: Solaris 2.x ps Buffer Overflow Vulnerability
>H-60: Vulnerability in metamail
>H-61: SGI IRIX df, pset, and eject Buffer Overrun Vulnerabilities
>H-62: SGI IRIX ordist, login/scheme Buffer Overrun Vulnerability
>H-63: ftpd Signal Handling Vulnerability
>H-64: SGI IRIX login LOCKOUT parameter Vulnerability
>H-65: SGI IRIX rld Security Vulnerability
>H-66: Vulnerability in suidperl (sperl)
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 4.0 Business Edition
>
>iQCVAwUBM48ctLnzJzdsy3QZAQGljQQAn93d7hkoPVFiDJGyiJvXmHd56dn7cQ7q
>8JYa+1uHC0LT5ZIlsc/sMxCAbO0PmbbiZK1TXMJ5k6XCI/EYEj4rq7rCdRwjoFEx
>LRUdi5djZ/jPUzmsFi//Ky5mVsnFvugNpAReKMwKAbNr5VKDwhYn1VmrK1Y/fJRl
>URTt87HpS4g=
>=1Tl/
>-----END PGP SIGNATURE----- 

--
====================================================================
Gia na mathete pos na xrisimopoiite ton majordomo, stilte e-mail
sto "majordomo at argeas.argos.hol.gr" me 1 grammi sto keimeno: help
Ta archives tis listas einai sto http://www.argos.hol.gr/lists
Gia opoiodipote problima stilte  e-mail ston owner-linux-greek-users
====================================================================



More information about the Linux-greek-users mailing list