Erik Sjölund discovered that programs linked against xview are vulnerable to a number of buffer overflows in the XView library. When the overflow is triggered in a program which is installed setuser root, a malicious user could perhaps execute arbitrary code as privileged user.

These commands will create a segmentation fault:

$ ln -s /usr/X11R6/bin/xvmount /tmp/`perl -e 'print "A" x 200'`
$ /tmp/`perl -e 'print "A" x 200'` -Wt

The overflowed variable seems to be sufficiently far away from the stack frame, but I'm not totally sure that it is impossible to overwrite it as well. I'm attaching a proposed patch. Please let me know if you need coordination for this bug. This package is probably part of most other distributions as well.
Created attachment 48564: CAN-2005-0076.patch
My system lacks the /usr/X11R6/bin/xvmount but does have xview, so I'm not sure if we are affected or not. Do you have the util?
n/m, found it, but it fails to even compile for me in the first place, so I can't test. The pkg does not seem to be owned by any official herd or have a clear maintainer listed in a metadata.xml. The last ebuild seems to have been initially provided by genstef. Adding to CC: genstef, please test but do not put this patch into CVS until a disclosure date is reached.
I think we will just update the Debian patch here as soon as they commit it; I suppose they also know about it? I think I am not the best man for testing it, I do not even use xview, so I remove myself from CC. I agree that we should not disclose the details of this bug for now.
Not sure we should accept this one. If we don't have xvmount, or any other SUID root linked to xview, then we should drop this as INVALID.
We don't have xvmount (or I can't find it). Depending on xview we just have:

media-sound/workman
app-editors/jove (if USE=X)

None of this is SUID root or SUID whatever. Closing this bug as INVALID, even if it should still be fixed when the Debian patch is updated. Please reopen if you disagree.
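The triage above turns on one question: does any setuid or setgid binary on the box link against libxview? Below is an added audit script that answers it; it is not part of the bug report or of the xview package, and the library name pattern, the `--scan` flag and the default scan root are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: list setuid/setgid binaries whose
# dynamic dependencies include libxview. Such a binary is the precondition
# for the overflow to matter as a privilege escalation, which is why the
# triage above asks for one. The library name pattern is an assumption.
LIB_PATTERN='libxview\.so'

# links_to_lib LDD_OUTPUT PATTERN
# Returns 0 when the captured ldd output names a library matching PATTERN.
links_to_lib() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# setuid_binaries ROOT
# Prints every regular file under ROOT with the setuid or setgid bit set,
# staying on one filesystem; unreadable directories are skipped.
setuid_binaries() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# audit_xview_setuid ROOT
# Prints each setuid/setgid binary under ROOT that links against libxview.
# Statically linked or non-ELF files (where ldd fails) are skipped.
audit_xview_setuid() {
    setuid_binaries "${1:-/}" | while read -r f; do
        out=$(ldd "$f" 2>/dev/null) || continue
        if links_to_lib "$out" "$LIB_PATTERN"; then
            printf '%s\n' "$f"
        fi
    done
}

# Run the scan only when invoked as: sh audit.sh --scan [ROOT]   (hypothetical file name)
if [ "${1-}" = "--scan" ]; then
    hits=$(audit_xview_setuid "${2:-/}")
    if [ -n "$hits" ]; then
        printf 'setuid/setgid binaries linked against XView:\n%s\n' "$hits"
        exit 1
    fi
    echo "no setuid/setgid binary links against libxview"
fi
```

An empty result is what lets a distribution close the report without an advisory, as happens later in this thread; a non-empty one means the library overflow is reachable with elevated privileges and the patch should be treated as urgent.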
*** Bug 81505 has been marked as a duplicate of this bug. ***
(Re)opening since Debian issued http://www.debian.org/security/2005/dsa-672, so a new patchset is available now. Guess we should apply that, even though we are not directly affected.
I actually use xview all the time, I would not like to see this dead. I've been watching the Debian patch and it seems that most of it is about Alpha compatibility, so if I'm to try and solve this, do you guys think we should use the Debian patch or just the one here?
Created attachment 51380: xview-3.2-r1.ebuild.patch

Well, after looking at the ebuild it seems we already use the Debian patches :) So here goes a patch to our ebuild; it simply changes the patchset. It builds OK and works on x86.
Humpback: please commit your fix in CVS, as it seems you're the only one to use xview anyway :)
-r3 is in portage marked x86, there was a problem with -r2 that it would not build with recent versions of xorg. Credits must go to seemant for finding the new home for the package.
alpha, hppa: please test and mark stable. Will be closed without a GLSA since we don't ship SUID xview-powered apps.
Alpha needs some PIC love before it can be marked stable. Here's the part of the emerge log with the errors, just in case anybody else wants to take a poke at this bug :)

a - wmgr_menu.o
a - wmgr_decor.o
make[4]: Leaving directory `/var/tmp/portage/xview-3.2-r3/work/xview-3.2p1.4-18c/lib/libxview/wmgr'
rm -f libxview.so.3.2.4~
(cd ./xshared; alpha-unknown-linux-gnu-gcc -shared -Wl,-soname -Wl,`basename libxview.so.3.2.4 | sed 's/\(\.[0-9]\).*$/\1/'` -o libxview.so.3.2.4~ ?*.o -L/usr/X11R6/lib -lXext -lX11 -lutil -L../../libolgx -lolgx -lc)
/usr/lib/gcc-lib/alpha-unknown-linux-gnu/3.3.2/../../../../alpha-unknown-linux-gnu/bin/ld: csr_change.o: gp-relative relocation against dynamic symbol ttysw_gray17_pr
/usr/lib/gcc-lib/alpha-unknown-linux-gnu/3.3.2/../../../../alpha-unknown-linux-gnu/bin/ld: csr_change.o: gp-relative relocation against dynamic symbol ttysw_gray17_pr
collect2: ld returned 1 exit status
make[3]: *** [libxview.so.3.2.4] Error 1
make[3]: Leaving directory `/var/tmp/portage/xview-3.2-r3/work/xview-3.2p1.4-18c/lib/libxview'
make[2]: *** [all] Error 1
make[2]: Leaving directory `/var/tmp/portage/xview-3.2-r3/work/xview-3.2p1.4-18c/lib'
make[1]: *** [all] Error 1
make[1]: Leaving directory `/var/tmp/portage/xview-3.2-r3/work/xview-3.2p1.4-18c'
make: *** [World] Error 2
Any progress on alpha yet?
Contacted kloeri -- he will try to get this one done soon.
kloeri, any news on this one yet?
Finally gave in and -alpha'ed the xview ebuilds.
yeepee.
GMsoft and KillerFox haven't been able to get xview working on hppa. I propose that we'll remove the hppa keyword from all ebuilds until it works again.
No problem for me.
Removed from hppa.