Subject:               Caldera Security Advisory SA-1997.34: Vulnerabilities in XFree86 3.3
Original report date:  06-Aug-1997
RPM build date:        19-Dec-1997
Advisory issue date:   24-Dec-1997
Topic:                 Vulnerabilities in the XFree86 3.3 servers

I. Problem Descriptions

(This security advisory covers three problems that are unrelated except that they are all addressed in the same XFree86 update described in this advisory.)

1) The X servers in the /usr/X11R6/bin directory can be used to read the first space-delimited word of any file, regardless of access permissions. The servers read the config files with root permissions, and if a user specifies an alternate file with the '-config' option, the first word of this file is displayed as part of an error message.

2) The /tmp/.X11-unix directory is world writable. Therefore, users can rename the X0 UNIX domain socket and replace it with an invalid one.

3) XFree86, as any X server, listens for incoming connections on TCP ports 6000 and above. Any user can choose their display number simply by starting "X :any_display". The X server automatically chooses its port by adding the display number to 6000. But as the ports are 16-bit values, port 65536 equals 0, so displays 59536 to 65535 generate listening sockets on ports 0 to 5999. And as the X server runs SUID root, any user can use it to block known ports before a daemon starts using them.

II. Impacts

1) An unprivileged user can view the first space-delimited word of any file on the system. For example, the first line of /etc/shadow, which an unprivileged user should not be able to view, often contains the encrypted root password. A work-around for this problem is to move a less privileged user's /etc/shadow entry to the first line.

2) An unprivileged user can break X, or they can modify the X0 UNIX domain socket in such a way as to snoop on an X application's protocol exchange with the server. In particular, key strokes can be intercepted, allowing the user to read everything that is typed, including sensitive data.

3) Because the X server runs SUID root, any user can use it to block known ports before a daemon starts using them.

To determine if you are vulnerable, type:

    rpm -qa | grep XFree86-

If the server(s) shown is a version earlier than 3.3.1-3, you need to upgrade.

III. Solution

Upgrade to the XFree86-[server]-3.3.1-3 packages. They can be found on Caldera's ftp site at:

    ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/RPMS/

The corresponding source code can be found at:

    ftp://ftp.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/

MD5 checksums (from the "md5sum" command) are provided for each of these packages.

To upgrade, it is assumed that you have already upgraded to the XFree86-[server]-3.3.1-2 packages as discussed in Caldera Security Advisory SA-1997.15 (September 9, 1997, Vulnerability in XFree86 3.2).

Because of item #1 in Description and Impact discussed above, you will need to upgrade _all_ of the X servers installed on your system, not just the server currently in use. To determine which servers are present, type "ls /usr/X11R6/bin/XF86_*". This should list the binary files for all of the X servers installed on your system in the form XF86_[server], where [server] is any of: { 8514, AGX, I128, Mach32, Mach64, Mach8, Mono, P9000, S3, S3V, SVGA, VGA16, W32 }.

1. Upgrade all of the X servers in the following manner:

       rpm -U XFree86-[server]-3.3.1-3.i386.rpm

   Repeat the command above for all servers found with the "ls /usr/X11R6/bin/XF86_*" command.

2. Upgrade the following packages:

       rpm -U XFree86-Xnest-3.3.1-3.i386.rpm
       rpm -U XFree86-Xprt-3.3.1-3.i386.rpm
       rpm -U XFree86-Xvfb-3.3.1-3.i386.rpm
       rpm -U XFree86-server-3.3.1-3.i386.rpm
       rpm -U XFree86-setup-3.3.1-3.i386.rpm

IV. References / Credits

From: dube0866@eurobretagne.fr (Nicolas Dubee)
To: XFree86@XFree86.Org
Subject: [XFree86(TM) Bug Report] Security hole in XFree servers
Date: Sun, 7 Sep 1997 19:48:11 -0400 (EDT)
Message-Id: 199709072348.TAA29123@public.XFree86.Org

From: (shegget) root@SHEGG.RH1.IIT.EDU
To: BUGTRAQ@NETSPACE.ORG
Subject: XFree86 insecurity
Date: Fri, 21 Nov 1997 18:35:36 +0000
Message-ID: Pine.LNX.3.96.971121183345.723A-100000@shegg.rh1.iit.edu

From: (Willy TARREAU) tarreau@AEMIAIF.LIP6.FR
To: BUGTRAQ@NETSPACE.ORG
Subject: XFREE86 can block reserved ports
Date: Wed, 6 Aug 1997 10:14:30 +0200
Message-ID: 199708060814.KAA00775@aemiaif.lip6.fr

From: (Carlo Wood) carlo@RUNAWAY.XS4ALL.NL
To: BUGTRAQ@NETSPACE.ORG
Subject: X Security problem (?)
Date: Fri, 14 Nov 1997 02:13:22 +0100
Message-ID: 199711140113.CAA09289@jolan.xs4all.nl

From: (CERT(sm) Coordination Center) cert@cert.org
To: (Caldera Security) security@caldera.com
Subject: XF86 servers security hole (VU#16699) (caldera)
Date: Fri, 10 Oct 1997 12:03:22 -0400 (EDT)
Message-Id: 199710101603.MAA14448@yobbo.cert.org

This security fix closes Caldera's internal Problem Reports 823, 885, 1008, 1104, 1274.

This and other Caldera security resources are located at:

    http://www.caldera.com/tech-ref/security/

V. PGP Signature

This message was signed with the PGP key for security@caldera.com. This key can be obtained from:

    ftp://ftp.caldera.com/pub/pgp-keys/

Or on an OpenLinux CDROM under:

    /OpenLinux/pgp-keys/

$Id: SA-1997.34,v 1.2 1997/12/24 19:13:19 ron Exp $
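The display-to-port arithmetic behind problem 3, together with the range check a hardened server would apply before binding as root, as an added C example (not XFree86 code; the constant and function names are this example's own):

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not XFree86 code: models the display-to-port mapping from
 * problem 3 (6000 + display, kept in 16 bits) and the range check a
 * hardened server applies before binding as root. */
#define X_TCP_PORT_BASE    6000
#define X_MAX_SAFE_DISPLAY (65535 - X_TCP_PORT_BASE) /* 59535 */

/* Port the vulnerable server binds: the sum lives in a 16-bit field,
 * so 6000 + 59536 = 65536 wraps to port 0. */
uint16_t vulnerable_listen_port(unsigned long display)
{
    return (uint16_t)(X_TCP_PORT_BASE + display);
}

/* Hardened check: the port must stay in [6000, 65535], no wraparound. */
int display_is_safe(unsigned long display)
{
    return display <= X_MAX_SAFE_DISPLAY;
}

/* Port for an accepted display, or -1 when the display is rejected. */
long hardened_listen_port(unsigned long display)
{
    return display_is_safe(display) ? (long)(X_TCP_PORT_BASE + display) : -1;
}

/* Count displays in [lo, hi] that the vulnerable mapping places below the
 * X base port, i.e. on a port that belongs to some other service. */
unsigned long count_wrapping_displays(unsigned long lo, unsigned long hi)
{
    unsigned long n = 0;
    for (unsigned long d = lo; d <= hi; d++)
        if (vulnerable_listen_port(d) < X_TCP_PORT_BASE)
            n++;
    return n;
}

int main(void)
{
    unsigned long probes[] = { 0, 1, 59535, 59536, 65535 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("display %5lu -> vulnerable port %5u, hardened server %s\n",
               probes[i], vulnerable_listen_port(probes[i]),
               display_is_safe(probes[i]) ? "accepts" : "rejects");
    return 0;
}
```

Running it shows the advisory's range: every display from 59536 through 65535 lands on a port below 6000, and the hardened check rejects exactly those displays.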