Date:      Mon, 26 Aug 1996 06:42:31 +0200
From:      roberto@keltia.freenix.fr (Ollivier Robert)
To:        security@freebsd.org
Subject:   Re: Vulnerability in the Xt library (fwd)
Message-ID:  <199608260442.GAA03303@keltia.freenix.fr>
In-Reply-To: <199608260207.WAA11517@irbs.irbs.com>; from John Capo on Aug 25, 1996 22:07:49 -0400
References:  	<199608260207.WAA11517@irbs.irbs.com>

According to John Capo:
> Stefan `Sec` Zehl writes:
> > I can confirm this for Freebsd 2.2-Current, it gives me a euid=0 /bin/sh
 
> I can also.  The xterm cores on -stable though.

I sent a patch and a portable version of snprintf to both the X Consortium
and XFree86 yesterday. It will be in 3.1.2F.

If you have XFree sources on-line and are willing to recompile, apply the
following patch in xc/lib/Xt:

--- Error.c.old	Sun Aug 25 14:57:28 1996
+++ Error.c	Sun Aug 25 14:47:14 1996
@@ -238,5 +238,5 @@
 	(void) memmove((char*)par, (char*)params, i * sizeof(String) );
 	bzero( &par[i], (10-i) * sizeof(String) );
-        (void) sprintf(message, buffer, par[0], par[1], par[2], par[3],
+        (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3],
 		       par[4], par[5], par[6], par[7], par[8], par[9]);
 	XtError(message);
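Review bot: `sizeof message` in the new snprintf call is only the right bound if `message` is declared as a char array in this function; the declaration is outside the hunk, and if it were a pointer the bound would shrink to the pointer size. Please confirm the declaration, and consider checking snprintf's return value instead of casting it to void, so that a message truncated before XtError(message) can be detected and marked as truncated.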
@@ -263,5 +263,5 @@
 	(void) memmove((char*)par, (char*)params, i * sizeof(String) );
 	bzero ( &par[i], (10-i) * sizeof(String) );
-        (void) sprintf(message, buffer, par[0], par[1], par[2], par[3],
+        (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3],
 		       par[4], par[5], par[6], par[7], par[8], par[9]);
 	XtWarning(message); 
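Review bot: the format argument in this snprintf call is still the non-literal `buffer`, and the bzero two lines above leaves par[i] through par[9] as null pointers, so bounding the output does not protect against a format string that consumes more string arguments than the caller supplied. It would be worth validating `buffer` (or its conversion count against i) before formatting. This call is also identical to the one in the error path of the first hunk, so a small shared helper that formats into `message` would keep the two sites from drifting apart.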

-- 
Ollivier ROBERT    -=- The daemon is FREE! -=-    roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #18: Sun Aug 18 19:16:52 MET DST 1996


