List: bugtraq
Subject: Re: Vulnerability in the Xt library (fwd)
From: Ollivier Robert <roberto () keltia ! freenix ! fr>
Date: 1996-08-25 22:05:16
According to John Capo:
> Stefan `Sec` Zehl writes:
> > I can confirm this for FreeBSD 2.2-Current, it gives me a euid=0 /bin/sh
> I can also. The xterm cores on -stable though.
I sent a patch and a portable version of snprintf to both the X consortium
and XFree86 yesterday. It will be in 3.1.2F.
If you have XFree sources on-line and are willing to recompile, apply the
following patch in xc/lib/Xt:
--- Error.c.old Sun Aug 25 14:57:28 1996
+++ Error.c Sun Aug 25 14:47:14 1996
@@ -238,5 +238,5 @@
(void) memmove((char*)par, (char*)params, i * sizeof(String) );
bzero( &par[i], (10-i) * sizeof(String) );
- (void) sprintf(message, buffer, par[0], par[1], par[2], par[3],
+ (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3],
par[4], par[5], par[6], par[7], par[8], par[9]);
XtError(message);
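Review bot: `sizeof message` on the new snprintf line only gives the buffer length if `message` is declared as a fixed-size array in this function; if it were a pointer the bound would collapse to the size of a pointer and nearly every message would be silently cut off, so the declaration (not shown in the hunk) should be confirmed. The return value of snprintf is also discarded, so a message that no longer fits is emitted truncated with no indication; checking for a result `>= sizeof message` and flagging the truncation would make the new bound visible. Since the mail says a portable snprintf was sent along, platforms whose libc lacks snprintf will need that replacement linked in for this hunk to build.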
@@ -263,5 +263,5 @@
(void) memmove((char*)par, (char*)params, i * sizeof(String) );
bzero ( &par[i], (10-i) * sizeof(String) );
- (void) sprintf(message, buffer, par[0], par[1], par[2], par[3],
+ (void) snprintf(message, sizeof message, buffer, par[0], par[1], par[2], par[3],
par[4], par[5], par[6], par[7], par[8], par[9]);
XtWarning(message);
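Review bot: this is the same fix as in the XtError path with the memmove/bzero/snprintf sequence duplicated verbatim; moving that block into one static helper called from both XtError and XtWarning would keep the length bound in a single place so a later edit cannot reintroduce the unbounded sprintf in one of the two copies. The unchecked snprintf return value noted on the first hunk applies here as well.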
--
Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr
FreeBSD keltia.freenix.fr 2.2-CURRENT #18: Sun Aug 18 19:16:52 MET DST 1996
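As an added illustration of what the patch above changes, and not code from the mail or from the Xt sources, here is a stand-alone C function that mirrors the XtError/XtWarning formatting path: it copies up to ten parameters into a NULL-padded array, formats them through a fixed-size buffer with snprintf, and reports whether the result was truncated instead of discarding the return value. The buffer size, the function name and the `format_bounded` helper are assumptions for the example; the Xt message buffer size is not shown in the mail.

```c
#include <stdio.h>
#include <string.h>

/* Xt's String type; same meaning as in the Xt headers. */
typedef char *String;

/* Assumed message buffer size for this example (not taken from Xt). */
#define MSG_SIZE 1000

/*
 * Format up to ten String parameters into msg, never writing past
 * msg_size bytes.  Returns 1 if the whole message fit and 0 if it was
 * truncated, which is exactly the input that the old unbounded
 * sprintf() call would have turned into a write past the buffer.
 * Extra parameters beyond what fmt consumes are ignored by snprintf,
 * so NULL padding in unused slots is harmless.
 */
int format_bounded(char *msg, size_t msg_size, const char *fmt,
                   String *params, unsigned num_params)
{
    String par[10];
    unsigned i = num_params < 10 ? num_params : 10;

    /* Same padding scheme as Error.c: copy what was supplied, clear the rest. */
    memmove(par, params, i * sizeof(String));
    memset(&par[i], 0, (10 - i) * sizeof(String));

    int n = snprintf(msg, msg_size, fmt,
                     par[0], par[1], par[2], par[3], par[4],
                     par[5], par[6], par[7], par[8], par[9]);
    if (n < 0) {
        /* Encoding or output error: leave an empty, still terminated string. */
        msg[0] = '\0';
        return 0;
    }
    /* snprintf returns the length it wanted to write, so >= msg_size means truncation. */
    return (size_t)n < msg_size;
}

int main(void)
{
    char message[MSG_SIZE];
    String ok[] = { "Shell", "unknown resource" };   /* constructed sample input */
    char huge[2 * MSG_SIZE];                          /* constructed oversize parameter */
    String bad[] = { huge };

    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    printf("fit: %d -> %s\n",
           format_bounded(message, sizeof message, "%s: %s", ok, 2), message);
    printf("fit: %d -> length %zu (bounded to %zu)\n",
           format_bounded(message, sizeof message, "%s", bad, 1),
           strlen(message), sizeof message - 1);
    return 0;
}
```

The key difference from the patched line is that the caller learns about truncation; whether Xt should then emit the cut-off message, append a marker, or log the overflow is a policy question the patch leaves as silent truncation.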