Bug 10876

Summary: XFree86 3.3.x Buffer Overflow Vulnerability
Product: [Retired] Red Hat Linux
Reporter: Matthew Miller <mattdm>
Component: XFree86
Assignee: Preston Brown <pbrown>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 6.2
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
URL: http://www.securityfocus.com/vdb/bottom.html?vid=1113
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-04-18 15:51:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Matthew Miller 2000-04-17 18:36:07 UTC
See: http://www.securityfocus.com/vdb/bottom.html?vid=1113

From the discussion there:
A buffer overflow exists in the -xbdmap parameter to the XFree86 X
Server. By passing over 2100 characters, it is possible to cause the X
server to crash. According to the author, it is vulnerable to a more
complex buffer overrun attack. The X server, at this stage, still possesses
root privileges, and as such any code executed would be with root
permissions.

The discoverer of this vulnerability notes that all shell code passed to
the overrun (which lies in an unchecked strcpy()) must be alphanumeric.
Non-alphanumeric characters are, at some point, replaced with a '_'.
However, due to the complex nature of the XServer, the discoverer
maintains that in order to complete this overflow, it may merely be
necessary to alter a pointer to cause code placed elsewhere, perhaps via
another parameter, to be executed.

Comment 1 Matthew Miller 2000-04-18 14:44:59 UTC
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=Pine.LNX.4.21.0004171929410.7274-100000@jupiter.sakowski.eu.org
and my own experiments seem to indicate that Xwrapper properly disallows
parameters that are too long. Would be nice to have official confirmation from
you folks though.
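The copy-then-sanitise pattern the description attributes to the server (an unchecked strcpy() into a fixed buffer, non-alphanumeric bytes then replaced with '_'), beside a bounded version and the argument-length check that Comment 1 credits to Xwrapper, as an added C illustration. This is not XFree86 or Xwrapper code: the 64-byte buffer, the 1024-byte wrapper limit, the function names and the 2199-byte input (constructed to mirror the "over 2100 characters" in the report) are all assumptions made for the example.

```c
/* Added illustration, not XFree86/Xwrapper code. Buffer size, limit and
 * function names are assumptions; the long input is constructed here. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAP_NAME_MAX 64   /* assumed buffer size; the real one is not on the page */

/* Vulnerable shape: strcpy() runs before any length is known, so an
 * argument longer than MAP_NAME_MAX overruns 'dst'. The '_' replacement
 * then walks the whole copied string, which is why only alphanumeric
 * bytes survive in whatever the copy overwrote. Called only with short
 * input below; a long input would corrupt the caller's stack. */
static void copy_map_name_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);                       /* no bound: the overrun */
    for (char *p = dst; *p; p++)
        if (!isalnum((unsigned char)*p))
            *p = '_';                       /* sanitising step from the report */
}

/* Hardened shape: check the length first, copy within bounds, then
 * sanitise. Returns 1 on success, 0 if the argument was rejected. */
static int copy_map_name_checked(char *dst, size_t dstsz, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= dstsz)                         /* keep room for the terminator */
        return 0;
    memcpy(dst, arg, n + 1);
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)dst[i]))
            dst[i] = '_';
    return 1;
}

/* Wrapper-side policy in the spirit of Comment 1: refuse any argument
 * over a fixed length before the privileged server ever parses it.
 * Returns the index of the first offending argv element, or -1. */
static int first_overlong_arg(int argc, char **argv, size_t limit)
{
    for (int i = 1; i < argc; i++)
        if (strlen(argv[i]) > limit)
            return i;
    return -1;
}

int main(void)
{
    char buf[MAP_NAME_MAX];
    static char big[2200];                  /* constructed 2199-byte argument */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    copy_map_name_unchecked(buf, "us-pc!104");
    printf("unchecked, short input: %s\n", buf);            /* us_pc_104 */

    printf("checked rejects long arg: %d\n",
           copy_map_name_checked(buf, sizeof buf, big));    /* 0 */

    char *argv[] = { "X", "-xbdmap", big, NULL };
    printf("first overlong argv index: %d\n",
           first_overlong_arg(3, argv, 1024));              /* 2 */
    return 0;
}
```

The ordering is the point: in the unchecked version the bound is never known before the copy, and the character filter only runs on memory that has already been overwritten, which is consistent with the discoverer's note that the overrun payload is constrained to alphanumerics rather than prevented. The wrapper check removes the problem at a layer that does not need the server's own argument parser to be correct.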

Comment 2 Bill Nottingham 2000-04-18 15:51:59 UTC
As far as we can tell, it's only exploitable if you're running
as root, which tends to defeat the point.

Also, the 'kernel oops' mentioned is in fact a register dump
from the segfaulting X server...

Comment 3 Matthew Miller 2000-04-18 17:00:59 UTC
thanks.

Comment 4 openshift-github-bot 2018-08-07 02:52:05 UTC
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/ad2fc3549027be2da248d59aa499bfcf2a1ec542
Merge pull request #11349 from bfallonf/10876_rampnode

Issue 10876 Fix ramp node config file setting