Vulnerability Assessment & Network Security Forums



If through a vulnerability assessment, a network security issue is detected for the vulnerability below, applying the appropriate security patches in a timely manner is very important.  If you have detected that your system has already been compromised, following CERT's Network Security recovery document will assist with recommended steps for system recovery.




Vulnerability Assessment Details

[DSA030] DSA-030-2 xfree86

Vulnerability Assessment Summary
DSA-030-2 xfree86

Detailed Explanation for this Vulnerability Assessment
Chris Evans, Joseph S. Myers, Michal Zalewski, Alan Cox,
and others have noted a number of problems in several components of the X
Window System sample implementation (from which XFree86 is derived). While
there are no known reports of real-world malicious exploits of any of these
problems, it is nevertheless suggested that you upgrade your XFree86 packages
immediately.


The scope of this advisory is XFree86 3.3.6 only, since that is the version
released with Debian GNU/Linux 2.2 ("potato"); Debian packages of XFree86 4.0
and later have not been released as part of a Debian distribution.


Several people are responsible for authoring the fixes to these problems,
including Aaron Campbell, Paulo Cesar Pereira de Andrade, Keith Packard, David
Dawes, Matthieu Herrb, Trevor Johnson, Colin Phipps, and Branden Robinson.


- The X servers are vulnerable to a denial-of-service attack during
  XC-SECURITY protocol negotiation.
- X clients based on Xlib (which is most of them) are subject to potential
  buffer overflows in the _XReply() and _XAsyncReply() functions if they connect
  to a maliciously-coded X server that places bogus data in its X protocol
  replies. NOTE: This is only an effective attack against X clients running
  with elevated rights (setuid or setgid programs), and offers potential
  access only to the elevated privilege. For instance, the most common setuid X
  client is probably xterm. On many Unix systems, xterm is setuid root; in
  Debian 2.2, xterm is only setgid utmp, which means that an effective exploit
  is limited to corruption of the lastlog, utmp, and wtmp files -- not general
  root access. Also note that the attacker must already have sufficient
  rights to start such an X client and successfully connect to the X server.
- There is a buffer overflow (not stack-based) in xdm's XDMCP code.
- There is a one-byte overflow in Xtrans.c.
- Xtranssock.c is also subject to buffer overflow problems.
- There is a buffer overflow with the -xkbmap X server flag.
- The MultiSrc widget in the Athena widget library handles temporary files
  insecurely.
- The imake program handles temporary files insecurely when executing install
  rules.
- The ICE library is subject to buffer overflow attacks.
- The xauth program handles temporary files insecurely.
- The XauLock() function in the Xau library handles temporary files
  insecurely.
- The gccmakedep and makedepend programs handle temporary files insecurely.

All of the above issues are resolved by this security release.
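
The note on _XReply() and _XAsyncReply() limits the exposure to X clients installed setuid or setgid, so an inventory of such clients shows where the fix matters most. The script below is an added example, not part of the advisory or of Debian's tooling; it assumes GNU find and stat plus binutils' readelf, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list setuid/setgid programs that link against Xlib.
# readelf only parses the ELF headers and never runs the inspected file.
# Statically linked X clients have no NEEDED entries and are not detected.

# Reads `readelf -d` output on stdin; succeeds if libX11 is a NEEDED library.
links_xlib() {
    grep -Eq 'NEEDED.*\[libX11\.so[.0-9]*\]'
}

# Prints which elevated bits an octal mode string (as from `stat -c %a`) has.
elevated_bits() {
    special=$(( 0$1 / 01000 ))      # leading 0 makes the shell read octal
    case $(( special & 6 )) in
        6) echo "setuid+setgid" ;;
        4) echo "setuid" ;;
        2) echo "setgid" ;;         # e.g. xterm setgid utmp, mode 2755
        *) echo "none" ;;
    esac
}

# Prints "<bits> <path>" for each setuid/setgid regular file under the
# given directories whose dynamic section names libX11.
scan_dirs() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if readelf -d "$f" 2>/dev/null | links_xlib; then
            echo "$(elevated_bits "$(stat -c %a "$f")") $f"
        fi
    done
}

# Constructed sample of `readelf -d` output for a hypothetical X client.
sample_dynamic() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)   Shared library: [libXaw.so.7]
 0x0000000000000001 (NEEDED)   Shared library: [libX11.so.6]
 0x0000000000000001 (NEEDED)   Shared library: [libc.so.6]
EOF
}

if [ "$#" -gt 0 ]; then
    scan_dirs "$@"                  # e.g. ./script.sh /usr/bin /usr/X11R6/bin
elif sample_dynamic | links_xlib; then
    echo "sample: $(elevated_bits 2755) client links Xlib"
fi
```

Each path it reports is a client that would run the vulnerable Xlib reply handling with the listed privilege until the fixed packages are installed.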

There are several other XFree86 security issues commonly discussed in conjunction with the above, to which an up-to-date Debian 2.2 system is NOT vulnerable:


There are 4 distinct problems with Xlib's XOpenDisplay() function in which
a maliciously coded X server could cause a denial-of-service attack or buffer
overflow. As before, this is only an effective attack against X clients running
with elevated rights, and the attacker must already have sufficient
rights to start such an X client and successfully connect to the X server.
Debian 2.2 and 2.2r1 are only vulnerable to one of these problems, because we
ap
[...]

Solution : http://www.debian.org/security/2001/dsa-030
Network Security Threat Level: High

Networks Security ID: 1430, 2924, 2925

Vulnerability Assessment Copyright: This script is (C) 2005 Michel Arboi
