-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-030-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
February 12, 2001
- ------------------------------------------------------------------------

Package        : xfree86-1
Vulnerability  : buffer overflow, insecure tempfile handling,
                 denial-of-service attack
Debian-specific: no

Chris Evans, Joseph S. Myers, Michal Zalewski, Alan Cox, and others have
noted a number of problems in several components of the X Window System
sample implementation (from which XFree86 is derived). While there are no
known reports of real-world malicious exploits of any of these problems,
it is nevertheless suggested that you upgrade your XFree86 packages
immediately.

The scope of this advisory is XFree86 3.3.6 only, since that is the
version released with Debian GNU/Linux 2.2 ("potato"); Debian packages of
XFree86 4.0 and later have not been released as part of a Debian
distribution.

Several people are responsible for authoring the fixes to these problems,
including Aaron Campbell, Paulo Cesar Pereira de Andrade, Keith Packard,
David Dawes, Matthieu Herrb, Trevor Johnson, Colin Phipps, and Branden
Robinson.

- - The X servers are vulnerable to a denial-of-service attack during
    XC-SECURITY protocol negotiation.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - X clients based on Xlib (which is most of them) are subject to potential
    buffer overflows in the _XReply() and _XAsyncReply() functions if they
    connect to a maliciously-coded X server that places bogus data in its X
    protocol replies.
    NOTE: This is only an effective attack against X clients running with
    elevated privileges (setuid or setgid programs), and offers potential
    access only to the elevated privilege. For instance, the most common
    setuid X client is probably xterm. On many Unix systems, xterm is setuid
    root; in Debian 2.2, xterm is only setgid utmp, which means that an
    effective exploit is limited to corruption of the lastlog, utmp, and
    wtmp files -- *not* general root access. Also note that the attacker
    must already have sufficient privileges to start such an X client and
    successfully connect to the X server.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - There is a buffer overflow (not stack-based) in xdm's XDMCP code.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - There is a one-byte overflow in Xtrans.c.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - Xtranssock.c is also subject to buffer overflow problems.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - There is a buffer overflow with the -xkbmap X server flag.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - The MultiSrc widget in the Athena widget library handles temporary files
    insecurely.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - The imake program handles temporary files insecurely when executing
    install rules.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - The ICE library is subject to buffer overflow attacks.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - The xauth program handles temporary files insecurely.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - The XauLock() function in the Xau library handles temporary files
    insecurely.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

- - The gccmakedep and makedepend programs handle temporary files
    insecurely.
    Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2

All of the above issues are resolved by this security release.

There are several other XFree86 security issues commonly discussed in
conjunction with the above, to which an up-to-date Debian 2.2 system is
*NOT* vulnerable:

- - There are 4 distinct problems with Xlib's XOpenDisplay() function in
    which a maliciously coded X server could cause a denial-of-service
    attack or buffer overflow. As before, this is only an effective attack
    against X clients running with elevated privileges, and the attacker
    must already have sufficient privileges to start such an X client and
    successfully connect to the X server. Debian 2.2 and 2.2r1 are only
    vulnerable to one of these problems, because we applied patches to
    XFree86 3.3.6 to correct the other three. An additional patch applied
    for Debian 2.2r2 corrected the fourth.
    Vulnerable: Debian 2.2, Debian 2.2r1

- - The AsciiSrc widget in the Athena widget library handles temporary
    files insecurely. Debian 2.2r2 is not vulnerable to this problem
    because we applied a patch to correct it.
    Vulnerable: Debian 2.2, Debian 2.2r1

- - The imake program uses mktemp() instead of mkstemp(). This problem does
    not exist in XFree86 3.3.6, and therefore no release of Debian 2.2 is
    affected.

These problems have been fixed in version 3.3.6-11potato32 and we
recommend that you upgrade your X packages immediately.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

Debian GNU/Linux 2.2 alias potato
- ---------------------------------

Potato was released for alpha, arm, i386, m68k, powerpc and sparc.
At this moment m68k packages are not available yet. Once they become
available they will be announced on security.debian.org.
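The insecure temporary-file handling listed above for imake, xauth, XauLock(), gccmakedep and makedepend comes down to choosing a file name before creating the file (the mktemp() pattern) instead of creating it atomically with mkstemp(). The following added example, written for this page and not taken from XFree86 or the Debian fix, contrasts the two on a POSIX system; the scratch directory and the "imake.tmp" name it uses are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Insecure pattern (what mktemp()-based code does): pick a name first, then
 * open it without O_EXCL; a path that already exists is silently reused. */
static int open_without_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL fails with EEXIST on an existing path
 * and refuses to follow a symlink.  mkstemp() creates its file this way. */
static int open_with_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Demo: in a private scratch directory, pre-create a file at a predictable
 * name (constructed for this demo) and compare the two patterns.  Returns 1
 * when the insecure open reuses the file but O_EXCL and mkstemp() do not,
 * -1 on setup failure, 0 otherwise.  Cleans up after itself. */
int demo_tempfile_check(void)
{
    char dir[] = "/tmp/dsa030-demo.XXXXXX";
    if (mkdtemp(dir) == NULL) return -1;
    char predictable[256], tmpl[256];
    snprintf(predictable, sizeof predictable, "%s/imake.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/imake.XXXXXX", dir);
    int pre = open(predictable, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (pre < 0) { rmdir(dir); return -1; }
    close(pre);
    int insecure = open_without_excl(predictable); /* >= 0: file reused  */
    int excl = open_with_excl(predictable);        /* < 0, errno EEXIST  */
    int excl_errno = errno;
    int safe = mkstemp(tmpl);                      /* fresh unique name  */
    int ok = insecure >= 0 && excl < 0 && excl_errno == EEXIST &&
             safe >= 0 && strcmp(tmpl, predictable) != 0;
    if (insecure >= 0) close(insecure);
    if (excl >= 0) close(excl);
    if (safe >= 0) { close(safe); unlink(tmpl); }
    unlink(predictable);
    rmdir(dir);
    return ok ? 1 : 0;
}
```

Call demo_tempfile_check() from a main() of your own; it returns 1 when the O_EXCL-based creation behaves as described and the non-exclusive open reuses the pre-existing file.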