mailing list archives
xterm and Xaw library vulnerability (XFree86 advisory)
From: dawes () XFREE86 ORG (David Dawes)
Date: Tue, 5 May 1998 23:52:11 +1000
-----BEGIN PGP SIGNED MESSAGE-----
XFree86-SA-1998:01 Security Advisory
The XFree86 Project, Inc.
Topic: xterm and Xaw library vulnerability
Announced: 3 May 1998
Affects: All XFree86 versions up to and including 3.3.2
Corrected: XFree86 3.3.2 patch 1
XFree86 only: no
Xterm is a terminal emulator that is part of the core X Window System,
and is included in every XFree86 release. Xaw is the Athena Widgets
library. It is also part of the core X Window System, and is also
included in every XFree86 release.
The Open Group X Project Team recently provided a vendor advisory
released by CERT as VB-98.04 regarding vulnerabilities in xterm and
the Xaw library. The XFree86 Project has developed a patch to
XFree86 version 3.3.2, the latest release of the software based on
II. Problem Description
Problems exist in both the xterm program and the Xaw library that
allow user supplied data to cause buffer overflows in both the
xterm program and any program that uses the Xaw library. These
buffer overflows are associated with the processing of data related
to the inputMethod and preeditType resources (for both xterm and Xaw)
and the *Keymap resources (for xterm).
Exploiting these buffer overflows with xterm when it is installed
setuid-root or with any setuid-root program that uses the Xaw library
can allow an unprivileged user to gain root access to the system.
These vulnerabilities can only be exploited by individuals with access
to the local system.
Setuid-root programs that use variants of the Xaw library (like Xaw3d)
may also be vulnerable to the Xaw problems.
The only setuid-root program using the Xaw library that is supplied
as part of the standard XFree86 distributions is xterm. Other
distributions may include other such programs, including variants
The setuid-root programs affected by these problems can be made
safe by removing their setuid bit. This should be done for xterm
and any setuid-root program that uses the Xaw library:
# chmod 0755 /usr/X11R6/bin/xterm
# chmod 0755 <setuid-root-program>
Note that implementing this workaround may reduce the functionality
of the affected programs.
The Open Group's fixes for these problems are currently available
only to its members (XFree86 is not a member). XFree86 has
independently released its own fixes for these problems. A source
patch is available now at
Updated binaries for most OSs are also available. The updated
binaries can be found in the X3321upd.tgz files in the appropriate
subdirectories of the XFree86 3.3.2 binaries directory
about installing the updated binaries can be found in an updated
version of the XFree86 3.3.2 Release Notes. A text copy of this
can be found at ftp://ftp.xfree86.org/pub/XFree86/3.3.2/RELNOTES.
An on-line copy can be viewed at
Note that it is important to follow the instructions in those notes
carefully, and that both the updated xterm program and Xaw library
must be installed to fix the problem with xterm. Also, the
X332bin.tgz and X332lib.tgz files in the XFree86 3.3.2 binaries
subdirectories still contain the original buggy versions. When
doing a new XFree86 3.3.2 installation it is important to extract
the X3321upd.tgz after extracting the others.
The following is a list of MD5 digital signatures for the source patch,
release notes file and updated binaries.
Filename MD5 Digital Signature
These checksums only apply for files obtained from ftp.xfree86.org
and its mirrors.
Richard Braakman Analysis of the xterm problems and
fixes for them.
Tom Dickey Integration of xterm fixes.
Paulo Cesar Pereira de Andrade Xaw fixes.
The XFree86 Project, Inc
Web Site: http://www.xfree86.org/
PGP Key: ftp://ftp.xfree86.org/pub/XFree86/Security/key.asc
Security notifications: security () xfree86 org
General support contact: xfree86 () xfree86 org
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----