See: http://www.securityfocus.com/vdb/bottom.html?vid=1113

From the discussion there:

A buffer overflow exists in the -xkbmap parameter to the XFree86 X Server. By passing over 2100 characters, it is possible to cause the X server to crash. According to the author, it is vulnerable to a more complex buffer overrun attack. The X server, at this stage, still possesses root privileges, and as such any code executed would be with root permissions. The discoverer of this vulnerability notes that all shell code passed to the overrun (which lies in an unchecked strcpy()) must be alphanumeric. Non-alphanumeric characters are, at some point, replaced with a '_'. However, due to the complex nature of the XServer, the discoverer maintains that in order to complete this overflow, it may merely be necessary to alter a pointer to cause code placed elsewhere, perhaps via another parameter, to be executed.
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-04-15&msg=Pine.LNX.4.21.0004171929410.7274-100000@jupiter.sakowski.eu.org and my own experiments seem to indicate that Xwrapper properly disallows parameters that are too long. Would be nice to have official confirmation from you folks though.
As far as we can tell, it's only exploitable if you're running as root, which tends to defeat the point. Also, the 'kernel oops' mentioned is in fact a register dump from the segfaulting X server...
thanks.
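The two defences this thread touches on, as an added example (not code from XFree86 or Xwrapper, and not part of any comment above): a wrapper-side rejection of over-long arguments before the privileged server starts, and a bounded copy in place of the unchecked strcpy(). The function names and the 255-byte limit are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARG_LEN 255 /* assumed limit, not taken from Xwrapper */
/* Length of s, scanning at most limit bytes. */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Wrapper-side check: index of the first over-long argument, or 0 if none. */
int first_long_arg(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++)
        if (argv[i] == NULL || bounded_len(argv[i], MAX_ARG_LEN + 1) > MAX_ARG_LEN)
            return i;
    return 0;
}

/* Bounded replacement for an unchecked strcpy(): rejects input that does not
 * fit (no silent truncation) and maps non-alphanumeric bytes to '_'. */
int copy_map_name(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return -1;
    size_t n = bounded_len(src, dstsize);
    if (n >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    for (size_t i = 0; i < n; i++)
        dst[i] = isalnum((unsigned char)src[i]) ? src[i] : '_';
    dst[n] = '\0';
    return 0;
}

int main(void)
{
    char big[2101], name[32]; /* constructed input: 2100 'A's */
    memset(big, 'A', 2100);
    big[2100] = '\0';
    char *args[] = { "X", "-xkbmap", big };
    printf("%d %d\n", first_long_arg(3, args), copy_map_name(name, sizeof name, big));
    return 0;
}
```

Either check alone stops the 2100-character argument; doing both means the server stays safe even when it is started without the wrapper.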
Commit pushed to master at https://github.com/openshift/openshift-docs https://github.com/openshift/openshift-docs/commit/ad2fc3549027be2da248d59aa499bfcf2a1ec542 Merge pull request #11349 from bfallonf/10876_rampnode Issue 10876 Fix ramp node config file setting