On Thu, 5 Sep 2002, Branden Robinson wrote:

>Date: Thu, 5 Sep 2002 11:44:54 -0500
>From: Branden Robinson <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Cc: [email protected]
>Content-Type: multipart/signed; micalg=pgp-sha1;
>        protocol="application/pgp-signature"; boundary="u19xsR7broAOK+6q"
>Subject: Debian NOT vulnerable to recently-announced Xlib security flaw
>
>Greetings, friendly security folks.
>
>I've put some info up on the X Strike Force page about the recently
>announced Xlib flaw in XFree86 4.2.0.
>
>Please feel free to refer any panicked inquiries to
>http://people.debian.org/~branden/
>
>I'm also happy to update my page with more information as it comes in.
>
>At first glance I'm not sure how to exploit this bug, and David Dawes
>didn't come right out and explain, but my initial guess is that you have
>to code a malicious Xlib internationalization module, put it in the
>right place, and wait for a privileged X client to execute.
That's basically the crux of it. A user can set XLOCALEDIR to point to an
arbitrary location, and cause arbitrary i18n modules to be loaded. If the
X client is SUID/SGID, then privilege elevation can be obtained and
exploited via a custom .so module.

Most modern Linux distributions ship without any SUID/SGID apps linked to
Xlib, so the impact is much smaller than it is in some other OSes. 3rd
party apps added onto a default distro install, however, could provide
problems, so any distributions who have officially shipped 4.2.0 in the
past probably should ship a security erratum even if the default
installation is secure.

Of course, as you said before, Debian hasn't shipped 4.2.0 officially, so
all Debian systems are safe unless a user is using experimental builds of
4.2.0 or homebrew 4.2.0.

Also, a note to users: this bug is not remotely exploitable, just locally
exploitable. So if your system is single user, or not mission critical,
then the security problem is probably a non-issue.

Hope this helps.

TTYL

--
Mike A. Harris                  ftp://people.redhat.com/mharris
OS Systems Engineer - XFree86 maintainer - Red Hat Inc.
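The check implied by the reply above, written here as an added example and not code from the thread, from XFree86 or from any distribution: a small POSIX shell audit that lists the SUID/SGID binaries under the directories you name and reports which of them are dynamically linked against Xlib (libX11), since those are the only clients for which a user-controlled XLOCALEDIR matters. It assumes `ldd` is available and that Xlib shows up in its output as `libX11.so`; a statically linked Xlib would not be reported, so treat a clean result as "nothing found", not as proof.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): find SUID/SGID
# binaries that pull in Xlib, i.e. the programs for which a user-set
# XLOCALEDIR could load an untrusted i18n module with elevated rights.
# Assumes ldd exists and names Xlib as libX11.so (an assumption; a
# statically linked Xlib is invisible to this check).

# Print every regular file under the given directories that carries
# the setuid or setgid bit, one path per line.
find_suid_sgid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Return 0 when the file is a dynamic executable linked against libX11.
# ldd prints nothing useful (and exits non-zero) for non-ELF files, so
# those simply return non-zero here as well.
links_xlib() {
    ldd "$1" 2>/dev/null | grep -q 'libX11\.so'
}

# Report SUID/SGID binaries under the given directories that link Xlib.
# Exit status is 0 when none were found, 1 when at least one was.
audit_xlib_suid() {
    hits=$(find_suid_sgid "$@" | while IFS= read -r f; do
        if links_xlib "$f"; then
            printf '%s\n' "$f"
        fi
    done)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | sed 's/^/SUID\/SGID client linked against Xlib: /'
    return 1
}

# Only run when directories are given on the command line, e.g.:
#   sh audit_xlib_suid.sh /usr/bin /usr/sbin /usr/X11R6/bin
if [ "$#" -gt 0 ]; then
    if audit_xlib_suid "$@"; then
        echo "No SUID/SGID binaries linked against Xlib found."
    fi
fi
```

Run it as root (or any account that can read the binaries) after installing third-party X clients, which is exactly the case the reply singles out: the distribution's default set may be clean while an add-on package quietly reintroduces a privileged Xlib client.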

