Return-Path: owner-bugtraq@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:  <Pine.BSI.4.21.0006040640510.21560-100000@blues.jpj.net>
Date:         Sun, 4 Jun 2000 06:49:51 -0400
Reply-To: Trevor Johnson <trevor@JPJ.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: Trevor Johnson <trevor@JPJ.NET>
Subject:      Re: XFree86 server overflow
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.10.10004161835150.863-100000@localhost>

On Sun, 16 Apr 2000, Michal Zalewski <lcamtuf@TPI.PL> wrote:

> XFree86 3.3.6 (and probably 4.0.0 as well ;) - by running X server (no
> matter it's setuid, or called from setuid Xwrapper - works in both cases,
> seems to me Xwrapper in default RH 6.x distro is rather dumb ;) with
> -xkbmap parameter and over 2100 of 'A's (or shellcode, again, it's rather
> trivial to exploit :), you'll get beautiful overflow with root privledges
> in main (Xserver) process...

This little patch fixed XFree86 4.0 for me, compiled under FreeBSD
4.0-STABLE from the ports collection.  I sent it to fixes@xfree86.org on
Friday and it's indexed as A.91.

--- programs/Xserver/xkb/xkbInit.c.orig	Mon Oct  5 05:02:55 1998
+++ programs/Xserver/xkb/xkbInit.c	Tue May 23 16:52:19 2000
@@ -910,7 +910,8 @@
 	return 1;
     }
     else if (strncmp(argv[i], "-xkbmap", 7) == 0) {
-	if(++i < argc) {
+	i++;
+	if ((i < argc) && (strlen(argv[i]) < PATH_MAX)) {
 	    XkbInitialMap= argv[i];
 	    return 2;
 	}

A few boring details are at http://jpj.net/~trevor/xfree.html .
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt