Bug 11845 - xbl is setgid root and has numerous buffer overflows
Summary: xbl is setgid root and has numerous buffer overflows
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Raw Hide
Classification: Retired
Component: xbl
Version: 1.0
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Ngo Than
QA Contact:
URL:
Whiteboard:
Keywords: Security
Depends On:
Blocks:
Reported: 2000-06-02 05:42 UTC by SB
Modified: 2008-05-01 15:37 UTC (History)
Clone Of:
Last Closed: 2000-06-02 05:42:29 UTC



Description SB 2000-06-02 05:42:27 UTC
Dunno if it was intentional or not, but the xbl package currently in rawhide has
xbl running sgid root, i.e.:
[root@king may26]# ls -al /usr/X11R6/bin/xbl
-rwxr-sr-x    1 root     root       108388 May 21 07:44 /usr/X11R6/bin/xbl

This is VERY unsafe because xbl has numerous unchecked buffers. For example,
the XBLOPTIONS environmental variable is appended to a fixed size buffer
using strcat with no bounds checking, resulting in elevated privileges.
Executing xbl -display with a large display name causes xbl to segfault,
probable overflow there. xbl -font and -bigfont both segfault with large
buffers and are potentially exploitable. These are just some I noticed
after finding the initial problem, and I'm pretty sure there are more. I
know this program was not setgid root in RedHat Linux 5.2, and IMHO it is
unsafe to have it sgid root in its present condition.

-Stan Bubrouski
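The unchecked strcat of XBLOPTIONS described in the report is the classic fixed-buffer append bug. The following is an added example, not xbl's own code, showing how a setgid program should treat that variable: a bounds-checked append that refuses oversized input instead of overflowing. The buffer size, the `-default ` prefix and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPTBUF_SIZE 256   /* hypothetical buffer size; xbl's real size is not on the page */

/* The reported pattern, for reference only (not xbl's actual code):
 *   static char optbuf[OPTBUF_SIZE];
 *   strcat(optbuf, getenv("XBLOPTIONS"));   -> no length check at all
 */

/* Hardened append: copy `extra` onto `buf` (capacity `cap`) only if the
 * result, including the terminating NUL, fits. Returns 1 on success and
 * 0 on refusal; on refusal buf is left unchanged. */
int append_option_checked(char *buf, size_t cap, const char *extra)
{
    const char *nul;
    size_t cur, add;
    if (buf == NULL || cap == 0 || extra == NULL) return 0;
    nul = memchr(buf, '\0', cap);          /* locate NUL without running past cap */
    if (nul == NULL) return 0;             /* buf not terminated within cap */
    cur = (size_t)(nul - buf);
    add = strlen(extra);
    if (add >= cap - cur) return 0;        /* cur + add + 1 > cap: would overflow */
    memcpy(buf + cur, extra, add + 1);     /* copies the NUL too */
    return 1;
}

/* Build the option string: defaults first, then the untrusted environment
 * value. A setgid binary must reject an oversized value, not overflow or
 * silently truncate it. Returns 1 if buf holds a usable string. */
int build_options_from_env(char *buf, size_t cap, const char *env_value)
{
    if (buf == NULL || cap == 0) return 0;
    buf[0] = '\0';
    if (!append_option_checked(buf, cap, "-default ")) return 0;
    if (env_value == NULL) return 1;       /* variable unset: defaults only */
    return append_option_checked(buf, cap, env_value);
}

int main(void)
{
    char optbuf[OPTBUF_SIZE];
    if (!build_options_from_env(optbuf, sizeof optbuf, getenv("XBLOPTIONS"))) {
        fprintf(stderr, "xbl: XBLOPTIONS too long, refusing to start\n");
        return 1;
    }
    printf("options: %s\n", optbuf);
    return 0;
}
```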

Comment 1 Ngo Than 2000-06-02 12:23:33 UTC
Thanks for your report. I have fixed this problem.
