Re: libX11
From: abelits () PHOBOS ILLTEL DENVER CO US (Alex Belits)
Date: Thu, 27 Feb 1997 18:14:46 -0800


On Fri, 28 Feb 1997, Paul Szabo wrote:

> A few days ago SNI released an advisory concerning buffer overrun problems
> in libX11. Their "fix advice" was to upgrade to X11R6.3, or to remove
> setuid/setgid privileges from vulnerable programs (e.g. xload and xterm).
>
> I do not think I can upgrade to the current release of X11: how would I
> integrate that into Digital Unix (a.k.a. OSF/1)? And I could not give up the
> functionality of xterm...
>
> So instead I wrote the following wrapper, and used it to wrap xload, xterm
> and xconsole. My wrapper, and the SNI advisory, included below.

  A simpler workaround would be just to remove the setuid bit. xterm won't
write utmp entries or capture console messages (no big loss), xload
isn't of much use for non-root, and xconsole shouldn't be started from
anywhere but /usr/lib/X11/xdm/Xsetup_0, which runs as root before the local
user logs in through xdm (it won't hurt to start xload from there too, if
necessary). On some other systems only xterm is setuid.

  In any case, the hassle of upgrading X is rather minimal unless some really
complex changes in configuration were made, and even in that case most
things can just be fixed using backup copies of resource files, fonts and
scripts.

--
Alex

P.S. I haven't confirmed it, but in Digital Unix with CDE I have seen that
dtlogin (the CDE replacement for xdm) doesn't update cookies between logins.
Is it a known bug, a misconfiguration or an intentional limitation of
functionality? There was an xdm bug that limited the number of possible
cookies (X11R6 fix 13, if I remember correctly), but that one seems to
just refuse to change the cookie in .Xauthority, so they should be unrelated.
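As an added example that is not part of the original thread, the following POSIX shell script does the "remove the setuid bit" workaround discussed above in an auditable way: it reports every setuid/setgid file under the given directories, and with --strip clears the bits and re-checks each file afterwards. The directory paths in the usage text are assumptions; older X installs put clients in /usr/bin/X11, and the thread itself only mentions /usr/lib/X11.

```shell
#!/bin/sh
# Added example, not code from the original thread or from X11: audit X11
# client binaries for setuid/setgid bits and optionally strip them, which is
# the workaround the reply above describes. The directories in usage() are
# assumptions; adjust them to wherever your system installs X clients.

# List every regular file under DIR that has the setuid or setgid bit set,
# one "ls -ld" line each, so mode and owner are visible in the report.
audit_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

# Clear both bits on FILE and re-check them. Returns non-zero if either
# bit is still present afterwards (e.g. chmod failed for lack of privilege).
strip_setuid() {
    f=$1
    chmod u-s,g-s "$f" 2>/dev/null || return 1
    if [ -u "$f" ] || [ -g "$f" ]; then
        return 1
    fi
    return 0
}

usage() {
    echo "usage: $0 [--strip] DIR..." >&2
    echo "  e.g. $0 /usr/bin/X11          (report only; assumed path)" >&2
    echo "       $0 --strip /usr/bin/X11  (also clear the bits)" >&2
}

main() {
    strip=0
    if [ "$1" = "--strip" ]; then
        strip=1
        shift
    fi
    [ $# -gt 0 ] || { usage; return 2; }

    for dir in "$@"; do
        echo "== setuid/setgid files under $dir"
        audit_setuid "$dir"
        if [ "$strip" -eq 1 ]; then
            # Re-run find so the list is exact, then strip each entry.
            find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
            while IFS= read -r f; do
                if strip_setuid "$f"; then
                    echo "stripped: $f"
                else
                    echo "FAILED:   $f (still privileged)" >&2
                fi
            done
        fi
    done
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it without --strip first and keep the report: it is the list of programs whose behaviour will change (xterm losing utmp updates, for instance), and it is what you compare against after the change to confirm nothing privileged was left behind.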
