Red Hat Bugzilla – Bug 11845
xbl is setgid root and has numerous buffer overflows
Last modified: 2008-05-01 11:37:55 EDT
Dunno if it was intentional or not, but the xbl package currently in rawhide has
xbl running sgid root, i.e.:
[root@king may26]# ls -al /usr/X11R6/bin/xbl
-rwxr-sr-x 1 root root 108388 May 21 07:44 /usr/X11R6/bin/xbl
This is VERY unsafe because xbl has numerous unchecked buffers. For example,
the XBLOPTIONS environment variable is appended to a fixed-size buffer
using strcat with no bounds checking, resulting in elevated privileges.
Executing xbl -display with a large display name causes xbl to segfault;
probable overflow there. xbl -font and -bigfont both segfault with large
buffers and are potentially exploitable. These are just some I noticed
after finding the initial problem, and I'm pretty sure there are more. I
know this program was not setgid root in Red Hat Linux 5.2, and IMHO it is
unsafe to have it sgid root in its present condition.
Thanks for your report. I have fixed this problem.
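The defect class the reporter describes (an environment value appended to a fixed-size buffer with strcat and no length check) is illustrated below as an added example; this is not xbl's code and not from the Bugzilla page. The buffer size, the base option string and the helper names (append_options_checked, build_options) are constructed for the illustration. The unchecked function is shown only for contrast and is never called; the checked version refuses input that would not fit instead of writing past the end of the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPTBUF_SIZE 64  /* constructed size of the fixed option buffer */

/* The pattern from the report: strcat of an environment value into a
 * fixed-size buffer with no length check. Kept here for contrast only;
 * nothing in this file calls it. */
void append_options_unchecked(char *buf, const char *env_value)
{
    strcat(buf, env_value);
}

/* Hardened form: verify the result fits (including the terminating NUL)
 * before copying. Returns 0 on success, -1 if buf is unterminated or the
 * value would not fit; the caller treats -1 as a fatal configuration error. */
int append_options_checked(char *buf, size_t bufsize, const char *env_value)
{
    if (env_value == NULL)
        return 0;                         /* variable unset: nothing to append */
    const char *end = memchr(buf, '\0', bufsize);
    if (end == NULL)
        return -1;                        /* buf is not NUL-terminated */
    size_t used = (size_t)(end - buf);
    size_t need = strlen(env_value);
    if (need >= bufsize - used)
        return -1;                        /* would overflow or leave no room for NUL */
    memcpy(buf + used, env_value, need + 1);
    return 0;
}

/* Hypothetical helper: start from a base option string, then append the
 * environment value through the checked routine. */
int build_options(char *buf, size_t bufsize, const char *base, const char *env_value)
{
    size_t blen = strlen(base);
    if (blen >= bufsize)
        return -1;
    memcpy(buf, base, blen + 1);
    return append_options_checked(buf, bufsize, env_value);
}

int main(void)
{
    char buf[OPTBUF_SIZE];
    /* constructed inputs: a short value that fits and a long one that does not */
    char longval[200];
    memset(longval, 'A', sizeof longval - 1);
    longval[sizeof longval - 1] = '\0';

    int rc1 = build_options(buf, sizeof buf, "-geometry 80x24 ", "-color");
    printf("short value: rc=%d buf=\"%s\"\n", rc1, buf);
    int rc2 = build_options(buf, sizeof buf, "-geometry 80x24 ", longval);
    printf("long value:  rc=%d (rejected, buffer untouched)\n", rc2);
    return 0;
}
```

In a setgid program the rejected case should be reported and the program should exit rather than continue with a truncated value; the same bounded-copy check applies to the -display, -font and -bigfont arguments the report mentions, since command-line arguments are attacker-controlled in exactly the same way as the environment.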