Get the LinuxSecurity news you want faster with RSS
Powered By
OpenBSD 2.2: Buffer overrun problems in xterm
Posted by LinuxSecurity.com Team
As stated in CERT advisory VB-98.04, there are buffer overrun problems in xterm related to the input-Method, preeditType, and *Keymap resources. Additional buffer overruns exist in the Xaw library related to the inputMethod and preeditType resources.
The xterm(1) problem represents a security vulnerability for any platform where
xterm is installed setuid-root (as is the case for all OpenBSD platforms). The
Xaw problem represents a security vulnerability for any setuid-root program
that uses the Xaw library (including xterm). Patch1 from XFree86 3.3.2 corrects
these problems.
Apply by doing
cd /usr/src (or the directory containing X11)
patch -p0 < xterm-xaw.patch
And then to rebuild and install
cd X11/xc/lib/Xaw ; make && make install
cd X11/xc/programs/xterm ; make && make install
diff --exclude=CVS -u -r /cdrom/X11/xc/programs/xterm/Tekproc.c
X11/xc/programs/xterm/Tekproc.c
--- /cdrom/X11/xc/programs/xterm/Tekproc.c Fri Sep 5 05:17:06 1997
+++ X11/xc/programs/xterm/Tekproc.c Sun May 3 10:32:17 1998
@@ -74,6 +74,9 @@
#include
#include
#include
+
+#include "xterm.h"
+
#include "Tekparse.h"
#include "data.h"
#include "error.h"
@@ -1724,8 +1727,10 @@
#ifndef X_NOT_POSIX
+#ifndef linux
#define HAS_WAITPID
#endif
+#endif
#ifdef HAS_WAITPID
#include
@@ -1743,7 +1748,7 @@
int pid;
#ifndef HAS_WAITPID
int waited;
- int (*chldfunc)();
+ SIGNAL_T (*chldfunc) PROTO((int n));
chldfunc = signal(SIGCHLD, SIG_DFL);
#endif
diff --exclude=CVS -u -r /cdrom/X11/xc/programs/xterm/charproc.c
X11/xc/programs/xterm/charproc.c
--- /cdrom/X11/xc/programs/xterm/charproc.c Fri Sep 5 05:17:07 1997
+++ X11/xc/programs/xterm/charproc.c Sun May 3 10:32:18 1998
@@ -3774,7 +3774,6 @@
*s,
*ns,
*end,
- tmp[1024],
buf[32];
XIM xim = (XIM) NULL;
XIMStyles *xim_styles;
@@ -3789,17 +3788,18 @@
if ((p = XSetLocaleModifiers("@im=none")) != NULL && *p)
xim = XOpenIM(XtDisplay(term), NULL, NULL, NULL);
} else {
- strcpy(tmp, term->misc.input_method);
- for(ns=s=tmp; ns && *s;) {
+ for(ns=s=term->misc.input_method; ns && *s;) {
while (*s && isspace(*s)) s++;
if (!*s) break;
if ((ns = end = strchr(s, ',')) == 0)
end = s + strlen(s);
while (isspace(*end)) end--;
- *end = '\0';
strcpy(buf, "@im=");
- strcat(buf, s);
+ if (end - (s + (sizeof(buf) - 5)) > 0)
+ end = s + (sizeof(buf) - 5);
+ strncat(buf, s, end - s);
+
if ((p = XSetLocaleModifiers(buf)) != NULL && *p
&& (xim = XOpenIM(XtDisplay(term), NULL, NULL, NULL)) != NULL)
break;
@@ -3824,8 +3824,7 @@
}
found = False;
- strcpy(tmp, term->misc.preedit_type);
- for(s = tmp; s && !found;) {
+ for(s = term->misc.preedit_type; s && !found;) {
while (*s && isspace(*s)) s++;
if (!*s) break;
if ((ns = end = strchr(s, ',')) != 0)
@@ -3833,13 +3832,12 @@
else
end = s + strlen(s);
while (isspace(*end)) end--;
- *end = '\0';
- if (!strcmp(s, "OverTheSpot")) {
+ if (!strncmp(s, "OverTheSpot", end - s)) {
input_style = (XIMPreeditPosition | XIMStatusArea);
- } else if (!strcmp(s, "OffTheSpot")) {
+ } else if (!strncmp(s, "OffTheSpot", end - s)) {
input_style = (XIMPreeditArea | XIMStatusArea);
- } else if (!strcmp(s, "Root")) {
+ } else if (!strncmp(s, "Root", end - s)) {
input_style = (XIMPreeditNothing | XIMStatusNothing);
}
for (i = 0; (unsigned short)i < xim_styles->count_styles; i++)
@@ -4372,7 +4370,7 @@
XtOverrideTranslations(w, original);
return;
}
- (void) sprintf( mapName, "%sKeymap", params[0] );
+ (void) sprintf( mapName, "%.*sKeymap", (int)sizeof(mapName) - 10, params
[0] );
(void) strcpy( mapClass, mapName );
if (islower(mapClass[0])) mapClass[0] = toupper(mapClass[0]);
XtGetSubresources( w, (XtPointer)&keymap, mapName, mapClass,
@@ -4790,7 +4788,7 @@
* not be set before the widget's realized, so it's tested separately).
*/
if(screen->colorMode) {
- if (TextWindow(screen) != 0 && (cc != bg)) {
+ if (TextWindow(screen) != 0 && (cc != bg) && (cc != fg)) {
/* we might have a colored foreground/background later */
xgcv.font = screen->fnt_norm->fid;
mask = (GCForeground | GCBackground | GCFont);
diff --exclude=CVS -u -r /cdrom/X11/xc/programs/xterm/main.c
X11/xc/programs/xterm/main.c
--- /cdrom/X11/xc/programs/xterm/main.c Fri Sep 5 05:17:08 1997
+++ X11/xc/programs/xterm/main.c Sun May 3 10:32:18 1998
@@ -938,6 +938,12 @@
"default.",
NULL};
+static int abbrev (char *tst, char *cmp)
+{
+ size_t len = strlen(tst);
+ return ((len >= 2) && (!strncmp(tst, cmp, len)));
+}
+
static void Syntax (badOption)
char *badOption;
{
@@ -3467,7 +3473,7 @@
int i, n, ncap;
errstat err;
struct caplist *cl;
- char buf[64], numbuf[12];
+ char buf[64];
struct caplist *capvnew;
int ttythread();
int xwatchdogthread();
diff --exclude=CVS -u -r /cdrom/X11/xc/programs/xterm/misc.c
X11/xc/programs/xterm/misc.c
--- /cdrom/X11/xc/programs/xterm/misc.c Fri Sep 5 05:17:09 1997
+++ X11/xc/programs/xterm/misc.c Sun May 3 10:32:18 1998
@@ -48,13 +48,13 @@
#include
#include
+#include "xterm.h"
+
#include "VTparse.h"
#include "data.h"
#include "error.h"
#include "menu.h"
-#include "xterm.h"
-
#if XtSpecificationRelease < 6
#ifndef X_GETTIMEOFDAY
#define X_GETTIMEOFDAY(t) gettimeofday(t,(struct timezone *)0)
@@ -515,7 +515,9 @@
#if defined(ALLOWLOGGING) || defined(DEBUG)
#ifndef X_NOT_POSIX
+#ifndef linux
#define HAS_WAITPID
+#endif
#endif
/*
diff --exclude=CVS -u -r /cdrom/X11/xc/programs/xterm/os2main.c
X11/xc/programs/xterm/os2main.c
--- /cdrom/X11/xc/programs/xterm/os2main.c Fri Sep 5 05:17:09 1997
+++ X11/xc/programs/xterm/os2main.c Sun May 3 10:32:19 1998
@@ -471,6 +471,12 @@
"default.",
NULL};
+static int abbrev (char *tst, char *cmp)
+{
+ size_t len = strlen(tst);
+ return ((len >= 2) && (!strncmp(tst, cmp, len)));
+}
+
static void Syntax (badOption)
char *badOption;
{
diff --exclude=CVS -u -r /cdrom/X11/xc/lib/Xaw/XawIm.c X11/xc/lib/Xaw/XawIm.c
--- /cdrom/X11/xc/lib/Xaw/XawIm.c Fri Sep 5 04:59:50 1997
+++ X11/xc/lib/Xaw/XawIm.c Sun May 3 10:32:28 1998
@@ -53,6 +53,7 @@
in this Software without prior written authorization from the X Consortium.
*/
+/* $XFree86: xc/lib/Xaw/XawIm.c,v 1.1.1.4.2.1 1998/05/01 04:02:42 dawes Exp $
*/
#include
#include
@@ -452,7 +453,7 @@
} else {
for (i = 0; i < ve->im.im_list_num; i++) {
strcpy(modifiers, "@im=");
- strcat(modifiers, ve->im.im_list[i]);
+ strncat(modifiers, ve->im.im_list[i], sizeof(modifiers) - 5/*strlen
("@im=")*/);
if ((p = XSetLocaleModifiers(modifiers)) != NULL && *p &&
(xim = XOpenIM(XtDisplay(ve->parent), NULL, NULL, NULL)) !=
NULL)
break;
@@ -1354,7 +1355,7 @@
strcpy(s, p);
save_s = s;
- while(1) {
+ while(i < (sizeof(list) / sizeof(list[0]))) {
list[i] = s;
ss = index(s, ',');
if (!ss) {
@@ -1645,10 +1646,10 @@
if ((vw = SearchVendorShell(inwidg)) && (ve = GetExtPart(vw)) &&
ve->im.xim && (p = GetIcTableShared(inwidg, ve)) && p->xic) {
- return(XwcLookupString(p->xic, event, buffer_return, bytes_buffer,
+ return(XwcLookupString(p->xic, event, buffer_return,
bytes_buffer/sizeof(wchar_t),
keysym_return, status_return));
}
- ret = XLookupString( event, tmp_buf, 64, keysym_return,
+ ret = XLookupString( event, tmp_buf, sizeof(tmp_buf), keysym_return,
(XComposeStatus*) status_return );
for ( i = 0, tmp_p = tmp_buf, buf_p = buffer_return; i < ret; i++ ) {
*buf_p++ = _Xaw_atowc(*tmp_p++);
