Fw: CIAC Bulletin H-67: Red Hat Linux X11 Libraries Buffer Overflow
Nicko Demeter
nicko at newmedia.net
Sun Jun 1 11:08:48 EEST 1997
Sorry for the interruption, but as we say here in America: "This just in!!"
Ta ta.....
----
From: CIAC Mail User <ciac at tholia.llnl.gov>
To: ciac-bulletin at tholia.llnl.gov
Date: Saturday, May 31, 1997 9:12 PM
Subject: CIAC Bulletin H-67: Red Hat Linux X11 Libraries Buffer Overflow
>-----BEGIN PGP SIGNED MESSAGE-----
>
> __________________________________________________________
>
> The U.S. Department of Energy
> Computer Incident Advisory Capability
> __________________________________________________________
>
> INFORMATION BULLETIN
>
> Red Hat Linux X11 Libraries Buffer Overflow
>
>May 30, 1997 22:00 GMT Number H-67
>______________________________________________________________________________
>PROBLEM: A problem has been identified in the X11 libraries that allows
> a buffer overflow condition.
>PLATFORM: This problem affects all Red Hat Linux machines with X Windows
> installed.
>DAMAGE: This vulnerability allows local users to gain unauthorized root
> access to a system.
>SOLUTION: Apply the necessary patches indicated below.
>______________________________________________________________________________
>VULNERABILITY Information involving this vulnerability has been made publicly
>ASSESSMENT: available.
>______________________________________________________________________________
>
>[ Start Linux Security Alert ]
>
> Buffer overflow in the resource handling code of the libXt (X11R6)
>
> Thu May 29, 1997
>
> Distribution of this document is unlimited
> Copyright (C) Alexander O. Yuriev (alex at yuriev.com)
> Net Access
>
>Abstract
>
> A buffer overflow was found in the resource handling section of the X11
> system (libXt). As this is a problem with libXt itself, every program
> using libXt is affected, including core programs such as xterm and
> programs derived from it. Of course only suid and sgid programs can be
> exploited to gain extra privileges.
>
>Permanent Solution
>
> The permanent solution requires fixing the libXt. It is recommended
> that you utilize the temporary solution. This buffer overflow does not
> exist in XFree86 3.3 code. It is recommended that you upgrade to
> XFree86 3.3 as soon as it becomes available.
>
> Currently, fixed versions of the libraries are available for:
>
> o Red Hat Linux 4.0, 4.1, 4.2 from Red Hat Software
>
>Temporary solution
>
> The workaround requires identifying and temporarily disabling suid
> programs in the X11R6 tree. The following sequence of commands can be
> used to find all suid and sgid programs of the X11 tree:
>
> $ cd /usr/X11/bin
> $ find . -type f -a \( -perm -2000 -o -perm -4000 \) -print
>
> As the output, these commands would produce a list of suid or sgid
> programs in directories starting from the current working directory
> (/usr/X11/bin) to the end of the tree. A typical output would look
> like:
>
> X
> xterm
> dga
>
> Determine if you use every program in question. Look at the manual
> pages to see if you really need it at this time. I personally have no
> idea why Red Hat did not remove the dga(1) program of the XFree86
> distribution shipped with Red Hat 4.1, as the dga(1) manual page states:
>
> dga - test program for the Xfree86-DGA extension
>
> Assuming that the DGA extension is required, the test program should be
> used only by "root". Therefore, the suid bit is not needed and should
> be removed. The same logic should be applied to other suid/sgid programs.
> At this time you probably should remove the suid bit from dga(1) or at
> least make it non-world executable. Use the commands:
>
> # chmod 111 dga
> # chattr +i dga
>
> to disable the suid bit on the dga binary and make it immutable. Use the same
> method to evaluate all other suid programs.
>
> Programs that should be run by root only should never be suid to root,
> or at least should not be world executable. X Display Manager, xdm(1),
> falls into this category.
>
> If you need the functionality provided by the vulnerable program,
> disable execution for that program and add trusted accounts that need
> to run the program into the group which owns the program. You must
> realize that by doing this you are allowing those who have access to
> the trusted accounts to exploit the vulnerability and gain access to the
> euid of the program.
>
>XTERM(1) and xterm derived programs
>
> Unfortunately, you cannot remove the suid bit from xterm(1) and
> programs derived from it without losing part of their functionality. The
> advice by authors of exploits from bugtraq to squash the suid bit prevents
> xterm(1) from changing ownerships of tty devices, allowing any user on a
> system to read information from terminal devices.
>
> This looks like a lose-lose situation unless you are willing to disable
> the xterm(1) program completely (and live with it being disabled) until
> the fixed version becomes available. Basically, you should consider the
> risks of someone on your system running xterm(1) and gaining root
> access to the system vs. not being able to run xterm(1) at all and vs.
> running xterm(1) as a non-suid application, which would allow one user to
> intercept keystrokes of another. It is your choice, but no matter what
> you decide to do, think about the consequences first.
>
>Vendor fixes
>
> * Red Hat Linux from Red Hat Software
>
> o Red Hat Linux/Alpha 4.1, 4.2
>
> ftp://ftp.redhat.com/updates/4.2/alpha/
> XFree86-devel-3.2-10.alpha.rpm
> ftp://ftp.redhat.com/updates/4.2/alpha/
> XFree86-libs-3.2-10.alpha.rpm
> ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
> RedHat/XFree86-devel-3.2-10.alpha.rpm
> ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
> RedHat/XFree86-libs-3.2-10.alpha.rpm
>
> o Red Hat Linux/Intel 4.0, 4.1, 4.2
>
> ftp://ftp.redhat.com/updates/4.2/i386/
> XFree86-devel-3.2-10.i386.rpm
> ftp://ftp.redhat.com/updates/4.2/i386/
> XFree86-libs-3.2-10.i386.rpm
> ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
> RedHat/XFree86-devel-3.2-10.i386.rpm
> ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
> RedHat/XFree86-libs-3.2-10.i386.rpm
>
> o Red Hat Linux/SPARC 4.0, 4.1, 4.2
>
> ftp://ftp.redhat.com/updates/4.2/sparc/
> X11R6.1-devel-pl1-21.sparc.rpm
> ftp://ftp.redhat.com/updates/4.2/sparc/
> X11R6.1-libs-pl1-21.sparc.rpm
> ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
> RedHat/X11R6.1-devel-pl1-21.sparc.rpm
> ftp://ftp.aoy.com/pub/Linux/security/DISTRIBUTION-FIXES/
> RedHat/X11R6.1-libs-pl1-21.sparc.rpm
>
> Please verify the signature of the RPMs using the rpm --checksig
> command. The RPMs are signed with the PGP key of Red Hat Software:
>
> pub 1024/CBA29BF9 1996/02/20 Red Hat Software, Inc.
> <redhat at redhat.com>
>
>Acknowledgements
>
> The exploits were posted in the bugtraq mailing list by Ming Zhang. Erik
> Troan (ewt at redhat.com) from Red Hat Software provided information about
> XFree86 3.3, as well as fixes for Red Hat Linux.
>
>[ End Linux Security Alert ]
>
>______________________________________________________________________________
>
>CIAC wishes to acknowledge the contributions of Alexander O. Yuriev and others
>for the information contained in this bulletin.
>______________________________________________________________________________
>
>CIAC, the Computer Incident Advisory Capability, is the computer
>security incident response team for the U.S. Department of Energy
>(DOE) and the emergency backup response team for the National
>Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
>National Laboratory in Livermore, California. CIAC is also a founding
>member of FIRST, the Forum of Incident Response and Security Teams, a
>global organization established to foster cooperation and coordination
>among computer security teams worldwide.
>
>CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
>can be contacted at:
> Voice: +1 510-422-8193
> FAX: +1 510-423-8002
> STU-III: +1 510-423-2604
> E-mail: ciac at llnl.gov
>
>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
>Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
>duty person, and the secondary PIN number, 8550074 is for the CIAC
>Project Leader.
>
>Previous CIAC notices, anti-virus software, and other information are
>available from the CIAC Computer Security Archive.
>
> World Wide Web: http://ciac.llnl.gov/
> Anonymous FTP: ciac.llnl.gov (198.128.39.53)
> Modem access: +1 (510) 423-4753 (28.8K baud)
> +1 (510) 423-3331 (28.8K baud)
>
>CIAC has several self-subscribing mailing lists for electronic
>publications:
>1. CIAC-BULLETIN for Advisories, highest priority - time critical
> information and Bulletins, important computer security information;
>2. CIAC-NOTES for Notes, a collection of computer security articles;
>3. SPI-ANNOUNCE for official news about Security Profile Inspector
> (SPI) software updates, new features, distribution and
> availability;
>4. SPI-NOTES, for discussion of problems and solutions regarding the
> use of SPI products.
>
>Our mailing lists are managed by a public domain software package
>called Majordomo, which ignores E-mail header subject lines. To
>subscribe (add yourself) to one of our mailing lists, send the
>following request as the E-mail message body, substituting
>ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:
>
>E-mail to ciac-listproc at llnl.gov or majordomo at tholia.llnl.gov:
> subscribe list-name
> e.g., subscribe ciac-notes
>
>You will receive an acknowledgment email immediately with a confirmation
>that you will need to mail back to the addresses above, as per the
>instructions in the email. This is a partial protection to make sure
>you are really the one who asked to be signed up for the list in question.
>
>If you include the word 'help' in the body of an email to the above address,
>it will also send back an information file on how to subscribe/unsubscribe,
>get past issues of CIAC bulletins via email, etc.
>
>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>communities receive CIAC bulletins. If you are not part of these
>communities, please contact your agency's response team to report
>incidents. Your agency's team will coordinate with CIAC. The Forum of
>Incident Response and Security Teams (FIRST) is a world-wide
>organization. A list of FIRST member organizations and their
>constituencies can be obtained via WWW at http://www.first.org/.
>
>This document was prepared as an account of work sponsored by an
>agency of the United States Government. Neither the United States
>Government nor the University of California nor any of their
>employees, makes any warranty, express or implied, or assumes any
>legal liability or responsibility for the accuracy, completeness, or
>usefulness of any information, apparatus, product, or process
>disclosed, or represents that its use would not infringe privately
>owned rights. Reference herein to any specific commercial products,
>process, or service by trade name, trademark, manufacturer, or
>otherwise, does not necessarily constitute or imply its endorsement,
>recommendation or favoring by the United States Government or the
>University of California. The views and opinions of authors expressed
>herein do not necessarily state or reflect those of the United States
>Government or the University of California, and shall not be used for
>advertising or product endorsement purposes.
>
>LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
>H-57: Windows NT/95 Out of Band Data Exploit
>H-58: IRIX runpriv Program Vulnerability
>H-59: Solaris 2.x ps Buffer Overflow Vulnerability
>H-60: Vulnerability in metamail
>H-61: SGI IRIX df, pset, and eject Buffer Overrun Vulnerabilities
>H-62: SGI IRIX ordist, login/scheme Buffer Overrun Vulnerability
>H-63: ftpd Signal Handling Vulnerability
>H-64: SGI IRIX login LOCKOUT parameter Vulnerability
>H-65: SGI IRIX rld Security Vulnerability
>H-66: Vulnerability in suidperl (sperl)
>
>
>
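The suid/sgid audit and the two mitigations described in the forwarded alert's "Temporary solution" section (strip the bits from programs such as dga that need no privilege; keep the bits but drop world access for programs you need, relying on the owning group), as an added shell example that is not part of the CIAC bulletin or Yuriev's alert. It assumes a POSIX sh with find, and uses ldd only to flag which privileged binaries actually link libXt; the tree path is the advisory's /usr/X11/bin.

```shell
#!/bin/sh
# Added example, not from the CIAC/Yuriev advisory: audit a tree for
# setuid/setgid programs, flag those linked against libXt, and apply the
# two mitigations the advisory describes. Assumes POSIX sh, find and
# (optionally) ldd.

# All setuid or setgid regular files under $1, sorted one per line
# (same find predicate as the advisory, reusable on any tree).
find_privileged() {
    find "$1" -type f \( -perm -2000 -o -perm -4000 \) -print 2>/dev/null | sort
}

# True if $1 is dynamically linked against libXt. ldd invokes the dynamic
# loader on the file, so run this only on trusted system binaries; when
# ldd is absent or the file is not an ELF binary it simply reports false.
links_libxt() {
    ldd "$1" 2>/dev/null | grep -q 'libXt\.so'
}

# One report line: path followed by suid / sgid / world-exec / libXt tags.
describe() {
    f=$1
    tags=
    [ -n "$(find "$f" -perm -4000)" ] && tags="${tags}suid "
    [ -n "$(find "$f" -perm -2000)" ] && tags="${tags}sgid "
    [ -n "$(find "$f" -perm -001)" ] && tags="${tags}world-exec "
    links_libxt "$f" && tags="${tags}libXt "
    tags=${tags% }
    printf '%s %s\n' "$f" "${tags:-none}"
}

# Report every privileged program under $1 (the advisory uses /usr/X11/bin).
audit_tree() {
    find_privileged "$1" | while IFS= read -r f; do describe "$f"; done
}

# Mitigation 1 (the dga case): the program needs no privilege at all.
# Strip setuid/setgid and world execute; 'chattr +i' can then pin it.
neutralize() {
    chmod u-s,g-s,o-x "$1"
}

# Mitigation 2 (functionality still needed): keep the bits but stop
# untrusted users running it; trusted accounts go into the file's group.
restrict_to_group() {
    chmod o-rwx "$1"
}
```

Run `audit_tree /usr/X11/bin` as root before and after applying the mitigations to confirm the suid and world-exec tags disappear only for the programs you intended.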
--
====================================================================
To learn how to use majordomo, send e-mail
to "majordomo at argeas.argos.hol.gr" with 1 line in the body: help
The list archives are at http://www.argos.hol.gr/lists
For any problem send e-mail to owner-linux-greek-users
====================================================================