dcsimg
Linux Today: Linux News On Internet Time.




More on LinuxToday


FreeBSD Ports Security Advisory: FreeBSD-SA-00:27.XFree86-4

Jul 06, 2000, 19:27 (0 Talkback[s])

WEBINAR:
On-Demand

Re-Imagining Linux Platforms to Meet the Needs of Cloud Service Providers


Date: Wed, 5 Jul 2000 16:07:21 -0700
From: FreeBSD Security Advisories security-advisories@freebsd.org
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:27.XFree86-4

-----BEGIN PGP SIGNED MESSAGE-----


FreeBSD-SA-00:27                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          XFree86-4.0 port contains local root overflow

Category:       ports
Module:         Xfree86-4
Announced:      2000-07-05
Credits:        Michal Zalewski 
Affects:        Ports collection.
Corrected:      2000-06-09
Vendor status:  Vendor eventually released patch
FreeBSD only:   NO

I. Background
XFree86 4.0 is a development version of the popular XFree86 X Windows system.
II. Problem Description
XFree86 4.0 contains a local root vulnerability in the XFree86 server binary, due to incorrect bounds checking of command-line arguments.
The server binary is setuid root, in contrast to previous versions which had a small setuid wrapper which performed (among other things) argument sanitizing.
The XFree86-4 port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 3400 third-party applications in a ready-to-install format. The ports collection shipped with FreeBSD 4.0 contains this problem since it was discovered after the release, but it was fixed in time for FreeBSD 3.5.
FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.
III. Impact
Unprivileged local users can obtain root access.
If you have not chosen to install the XFree86-4 port/package, then your system is not vulnerable to this problem.
IV. Workaround
Deinstall the XFree86-4 port/package, if you you have installed it, or limit the execution file permissions on the /usr/X11R6/bin/XFree86 binary so that only members of a trusted group may run the binary.
V. Solution
At this time, we do not recommend using XFree86 4.0 on multi-user systems with untrusted users, because of the lack of security in the server binary. The current "stable" version, XFree86 3.3.6, is also available in FreeBSD ports.
One of the following:
1) Upgrade your entire ports collection and rebuild the XFree86-4 port.
2) Deinstall the old package and install a new package dated after the correction date, obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/XFree86-4.0.tar.gz
An updated version of XFree86, version 4.0.1, has just been released, which is believed to also fix the problems detailed in this advisory, however the X server is still installed setuid root and so the above warning against installation on multi-user machines still applies. The packages will be available at the following locations in the next few days:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.1.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/x11/XFree86-4.0.1.tar.gz
3) download a new port skeleton for the XFree86-4 port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOWGrplUuHi5z0oilAQFDjgP9E3l6VG7ic+F0HMDsSDGbsYrIFM3hvBDJ
hu22Vu/F18PyeOVrgZY4ljE/BvdSy4bJMJSDJsrP4jYicse7ArwvSLEJOjoIuPoK
ErUCz34UgNAWs+zszFD0V5xAuWH3Oyii4qamqDnSaurYl6oKp5tPNx2vSrA3UDxM
moK703Mpfak=
=nu3f
-----END PGP SIGNATURE-----