From: FreeBSD Security Advisories (security-advisories@FreeBSD.org)
Date: Tue Jan 30 2001 - 03:09:52 CST

    -----BEGIN PGP SIGNED MESSAGE-----

    =============================================================================
    FreeBSD-SA-01:07 Security Advisory
                                                                    FreeBSD, Inc.

    Topic: Multiple XFree86 3.3.6 vulnerabilities

    Category: ports
    Module: XFree86-3.3.6, XFree86-aoutlibs
    Announced: 2001-01-23
    Credits: Chris Evans <chris@ferret.lmh.ox.ac.uk>
                    Michal Zalewski <lcamtuf@tpi.pl>
    Affects: Ports collection prior to the correction date.
    Corrected: 2000-10-24 (XFree86-3.3.6)
    Vendor status: Fixed in XFree86 4.0.1, no patches released by vendor.
    FreeBSD only: NO

    I. Background

    XFree86 is a popular X server. It exists in three versions in the
    FreeBSD ports collection: 3.3.6 and 4.0.2, as well as a.out libraries
    based on XFree86 3.3.3.

    II. Problem Description

    The XFree86-3.3.6 port, versions prior to 3.3.6_1, has multiple
    vulnerabilities that may allow local or remote users to cause a denial
    of service attack against a vulnerable X server. Additionally, local
    users may be able to obtain elevated privileges under certain
    circumstances.

    X server DoS:
      Remote users can, by sending a malformed packet to port 6000 TCP,
      cause the victim's X server to freeze for several minutes. During
      the freeze, the mouse does not move and the screen does not update
      in any way. In addition, the keyboard is unresponsive, including
      console-switch and kill-server key combinations. Non-X processes,
      such as remote command-line logins and non-X applications, are
      unaffected by the freeze.

    Xlib holes:
      Due to various coding flaws in libX11, privileged (setuid/setgid)
      programs linked against libX11 may allow local users to obtain
      elevated privileges.

    libICE DoS:
      Due to inadequate bounds checking in libICE, a denial of service
      exists with any application using libICE to listen on a network port
      for network services.

    The XFree86-aoutlibs port contains the XFree86 libraries from the
    3.3.3 release of XFree86, in a.out format suitable for use with
    applications in the legacy a.out binary format, most notably being the
    FreeBSD native version of Netscape. It is unknown whether Netscape is
    vulnerable to the problems described in this advisory, but it is believed
    that the only potential vulnerability is the libICE denial-of-service
    condition described above.

    The XFree86 and XFree86-aoutlibs ports are not installed by default
    (although XFree86 is available as an installation option in the
    FreeBSD installer), nor are they "part of FreeBSD" as such: they are
    part of the FreeBSD ports collection, which contains almost 4500
    third-party applications in a ready-to-install format. The ports
    collections shipped with FreeBSD 3.5.1 and 4.1.1 contain these problems
    since they were discovered after the releases, but the XFree86 problem
    was corrected prior to the release of FreeBSD 4.2. At the time of
    advisory release, the XFree86-aoutlibs port has not been corrected.

    FreeBSD makes no claim about the security of these third-party
    applications, although an effort is underway to provide a security
    audit of the most security-critical ports.

    III. Impact

    Local or remote users may cause a denial of service attack against an
    X server or certain X applications. Local users may obtain elevated
    privileges with certain X applications.

    If you have not chosen to install the XFree86 3.3.6 port/package or
    the XFree86-aoutlibs port/package, or you are running XFree86 4.0.1 or
    later, then your system is not vulnerable to this problem.

    IV. Workaround

    Deinstall the XFree86-3.3.6 and XFree86-aoutlibs ports/packages, if
    you have installed them.

    Note that any statically linked binaries which make use of the
    vulnerable XFree86 routines may still be vulnerable to the problems
    after deinstallation of the port/package. However, due to the
    difficulty of developing a reliable scanning utility for such binaries
    no such utility is provided.

    V. Solution

    One of the following:

    1) Upgrade your entire ports collection and rebuild the XFree86-3.3.6
    port.

    2) Deinstall the old package and install an XFree86-4.0.2 package
    obtained from:

    [i386]
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.2_5.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.2_5.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.2_5.tgz

    [alpha]
    Packages are not automatically generated for the alpha architecture at
    this time due to lack of build resources.

    NOTE: XFree86-3.3.6 packages are no longer made available, only the
    newer XFree86-4.0.2 packages.

    Note also that the XFree86-aoutlibs port has not yet been fixed: there
    is currently no solution to the problem other than removing the
    port/package and recompiling any dependent software to use ELF
    libraries, or switching to an ELF-based version of the software, if
    available (e.g. the BSD/OS or Linux versions of Netscape, as an
    alternative to the FreeBSD native version). The potential impact of
    the vulnerabilities to the local environment may be deemed not
    sufficiently great to warrant this approach, however.

    3) Download a new port skeleton for the XFree86-3.3.6 port from:

    http://www.freebsd.org/ports/

    and use it to rebuild the port.

    4) Use the portcheckout utility to automate option (3) above. The
    portcheckout port is available in /usr/ports/devel/portcheckout or the
    package can be obtained from:

    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
    ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
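
The version rules stated in sections II, III and V can be applied to a package listing to decide which hosts need the workaround or the upgrade. The script below is an added example, not part of the advisory or of FreeBSD's tooling; the function names, the status labels and the sample listing (including the aoutlibs version string and the package comments) are constructed, and it assumes one installed package per input line with the package name as the first field.

```sh
#!/bin/sh
# Classify one installed package name (name-version[_portrevision]) using
# only the version statements made in FreeBSD-SA-01:07.
classify_pkg() {
    case "$1" in
        XFree86-aoutlibs-*)   echo "vulnerable-unfixed" ;;  # port not corrected at advisory time
        XFree86-3.3.6)        echo "vulnerable" ;;          # prior to 3.3.6_1
        XFree86-3.3.6_[1-9]*) echo "fixed" ;;               # port revision 3.3.6_1 or later
        XFree86-4.0.[1-9]*|XFree86-4.[1-9]*)
                              echo "not-affected" ;;        # XFree86 4.0.1 or later
        XFree86-[0-9]*)       echo "review" ;;              # version the advisory does not name
        *)                    echo "unrelated" ;;           # other packages, add-on ports
    esac
}

# Read a package listing on stdin and print "status<TAB>package" for every
# package the advisory is relevant to. Only the first field of each line is
# used, so a trailing description column is ignored.
audit_pkgs() {
    while read -r pkg _rest; do
        [ -n "$pkg" ] || continue
        status=$(classify_pkg "$pkg")
        [ "$status" = "unrelated" ] || printf '%s\t%s\n' "$status" "$pkg"
    done
}

# Constructed sample listing (not taken from a real host).
sample_listing() {
cat <<'EOF'
XFree86-3.3.6          constructed description
XFree86-aoutlibs-3.3.3 constructed description
bash-2.04              constructed description
EOF
}

sample_listing | audit_pkgs
```

On a real host, pipe the output of the system's installed-package listing into `audit_pkgs` in place of `sample_listing`. Statically linked binaries are outside what this check can see, as the advisory's workaround section notes.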