[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IRIX Xaw library exploitable buffer overflow


                Silicon Graphics Inc. Security Advisory

        Title:   Xaw library exploitable buffer overflow
        Title:   CERT VB-98.04
        Number:  19981003-01-PX
        Date:    October 15, 1998

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.   Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics provides the information in this Security Advisory on
an "AS-IS" basis only, and disclaims all warranties with respect thereto,
express, implied or otherwise, including, without limitation, any warranty
of merchantability or fitness for a particular purpose.  In no event shall
Silicon Graphics be liable for any loss of profits, loss of business, loss
of data or for any indirect, special, exemplary, incidental or consequential
damages of any kind arising from your use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.

- -----------------------
- --- Issue Specifics ---
- -----------------------

The Open Group (http://www.opengroup.org/) has reported via CERT that
an exploitable buffer overflow has been discovered in Xaw library which can
lead to a root compromise.

Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems.
This issue will be corrected in future releases of IRIX.

- --------------
- --- Impact ---
- --------------

The Xaw library is installed by default on IRIX.

The Xaw Text widget must be used in a setuid root program in order to be

A local user account on the vulnerable system is required in order to exploit
the Xaw library.

The exploitable buffer overflow vulnerability can lead to a root compromise.

This Xaw library buffer overflow vulnerability was reported by CERT VB-98.04:

This Xaw vulnerability has been publicly discussed in Usenet newsgroups
and mailing lists.

- --------------------------
- --- Temporary Solution ---
- --------------------------

Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.

Only setuid root programs that use the Xaw Text widget are vulnerable
to this exploit.  There is no easy detection method for determining
if a program uses the Xaw Text widget.

If you are aware of a setuid root program that uses Xaw Text widget,
the steps below can be used to remove the vulnerability by removing
the setuid permissions of that program.

     1) Become the root user on the system.

                % /bin/su -

     2) Remove the setuid-root bit from the  binary.

                # chmod 0755 <setuid-root program that uses Xaw Text widget>

     3) Return to previous level.

                # exit

- ----------------
- --- Solution ---
- ----------------

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------

   IRIX 3.x          no
   IRIX 4.x          no
   IRIX 5.0.x        yes                       Note 1 & 2
   IRIX 5.1.x        yes                       Note 1 & 2
   IRIX 5.2          yes                       Note 1 & 2
   IRIX 5.3          yes            3162
   IRIX 6.0.x        yes                       Note 1 & 2
   IRIX 6.1          yes                       Note 1 & 2
   IRIX 6.2          yes            3163
   IRIX 6.3          yes            3164
   IRIX 6.4          yes            3165
   IRIX 6.5          yes            6.5.1      Note 3
   IRIX 6.5.1        no


     1) Upgrade to currently supported IRIX operating system.
     2) See "Temporary Solution" section.
     3) If you have not received an IRIX 6.5.1m CD for IRIX 6.5, contact your
        SGI Support Provider or download the IRIX 6.5.1 Maintenance Release
        Stream from http://support.sgi.com/

Patches are available via anonymous FTP and your service/support provider.

The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com ( Security information and patches can be
found in the ~ftp/security and ~ftp/patches directories, respectively.

For security and patch management reasons, ftp.sgi.com (mirror of sgigate) lags
behind and does not do a real-time update of ~ftp/security and ~ftp/patches

                 ##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.3162
Algorithm #1 (sum -r):    62760 15 README.patch.3162
Algorithm #2 (sum):       52641 15 README.patch.3162
MD5 checksum:             B8F950CFFA015AEE80BDDF7D71941997

Filename:                 patchSG0003162
Algorithm #1 (sum -r):    29527 3 patchSG0003162
Algorithm #2 (sum):       16855 3 patchSG0003162
MD5 checksum:             483B3714A2DBCF085FB4430E60AFADB5

Filename:                 patchSG0003162.idb
Algorithm #1 (sum -r):    63388 4 patchSG0003162.idb
Algorithm #2 (sum):       4333 4 patchSG0003162.idb
MD5 checksum:             4E6E083D81345A44ECF9B81DF37936D0

Filename:                 patchSG0003162.x_dev_sw
Algorithm #1 (sum -r):    10817 1841 patchSG0003162.x_dev_sw
Algorithm #2 (sum):       53139 1841 patchSG0003162.x_dev_sw
MD5 checksum:             9496B25ECC3E96A8D61E2F61AB7CC444

Filename:                 patchSG0003162.x_eoe_sw
Algorithm #1 (sum -r):    39327 3232 patchSG0003162.x_eoe_sw
Algorithm #2 (sum):       13525 3232 patchSG0003162.x_eoe_sw
MD5 checksum:             D42A84EF3F076A58D33F19F52A819673

Filename:                 README.patch.3163
Algorithm #1 (sum -r):    23654 18 README.patch.3163
Algorithm #2 (sum):       25734 18 README.patch.3163
MD5 checksum:             756076D4B042CD3B821051B3146C2451

Filename:                 patchSG0003163
Algorithm #1 (sum -r):    32763 18 patchSG0003163
Algorithm #2 (sum):       46144 18 patchSG0003163
MD5 checksum:             9D8CF5AF49F89003D333E84E6D3300C6

Filename:                 patchSG0003163.idb
Algorithm #1 (sum -r):    16114 13 patchSG0003163.idb
Algorithm #2 (sum):       38740 13 patchSG0003163.idb
MD5 checksum:             757BF2A5882658173ECFF63F892C46A8

Filename:                 patchSG0003163.x_dev_sw
Algorithm #1 (sum -r):    26703 1871 patchSG0003163.x_dev_sw
Algorithm #2 (sum):       4990 1871 patchSG0003163.x_dev_sw
MD5 checksum:             4E89925EA5679B21BF8FC765CB79A8BB

Filename:                 patchSG0003163.x_dev_sw32
Algorithm #1 (sum -r):    28764 2195 patchSG0003163.x_dev_sw32
Algorithm #2 (sum):       46025 2195 patchSG0003163.x_dev_sw32
MD5 checksum:             DF71C67366E29B0F9CEF5B10A0EE3BD0

Filename:                 patchSG0003163.x_dev_sw64
Algorithm #1 (sum -r):    10893 2353 patchSG0003163.x_dev_sw64
Algorithm #2 (sum):       47599 2353 patchSG0003163.x_dev_sw64
MD5 checksum:             A307C6DB70BD37A31D1F9D4D858C4004

Filename:                 patchSG0003163.x_eoe_sw
Algorithm #1 (sum -r):    26523 4258 patchSG0003163.x_eoe_sw
Algorithm #2 (sum):       2943 4258 patchSG0003163.x_eoe_sw
MD5 checksum:             0CD66C2493A3667D1C68D2E2EE3DB187

Filename:                 patchSG0003163.x_eoe_sw32
Algorithm #1 (sum -r):    44792 3969 patchSG0003163.x_eoe_sw32
Algorithm #2 (sum):       30141 3969 patchSG0003163.x_eoe_sw32
MD5 checksum:             91B0F609DCF4B10814C7623669A1193D

Filename:                 patchSG0003163.x_eoe_sw64
Algorithm #1 (sum -r):    36394 4235 patchSG0003163.x_eoe_sw64
Algorithm #2 (sum):       15018 4235 patchSG0003163.x_eoe_sw64
MD5 checksum:             A751597CA40C154D855F1BA4CE111AE6

Filename:                 README.patch.3164
Algorithm #1 (sum -r):    04525 12 README.patch.3164
Algorithm #2 (sum):       63555 12 README.patch.3164
MD5 checksum:             F949A9F818F578F9209DD453A713EDE9

Filename:                 patchSG0003164
Algorithm #1 (sum -r):    45150 7 patchSG0003164
Algorithm #2 (sum):       23540 7 patchSG0003164
MD5 checksum:             5EB26E7B577ADD63AD2A7E31E8E818FB

Filename:                 patchSG0003164.idb
Algorithm #1 (sum -r):    62231 11 patchSG0003164.idb
Algorithm #2 (sum):       39482 11 patchSG0003164.idb
MD5 checksum:             608679BE467AD0FF7B0044F08CFBA5F7

Filename:                 patchSG0003164.x_dev_sw
Algorithm #1 (sum -r):    00282 1861 patchSG0003164.x_dev_sw
Algorithm #2 (sum):       51321 1861 patchSG0003164.x_dev_sw
MD5 checksum:             AA403DA6F7934786C8B1138B6419EDF9

Filename:                 patchSG0003164.x_dev_sw32
Algorithm #1 (sum -r):    40105 2188 patchSG0003164.x_dev_sw32
Algorithm #2 (sum):       43711 2188 patchSG0003164.x_dev_sw32
MD5 checksum:             20D889F2721D867301F1F49C7F0F9FDE

Filename:                 patchSG0003164.x_dev_sw64
Algorithm #1 (sum -r):    05154 2341 patchSG0003164.x_dev_sw64
Algorithm #2 (sum):       35806 2341 patchSG0003164.x_dev_sw64
MD5 checksum:             975B64D7781501F1428382C38EF8E33E

Filename:                 patchSG0003164.x_eoe_sw
Algorithm #1 (sum -r):    40472 3285 patchSG0003164.x_eoe_sw
Algorithm #2 (sum):       19365 3285 patchSG0003164.x_eoe_sw
MD5 checksum:             7130465ECBEA6961DE898BC6B03BC6EC

Filename:                 patchSG0003164.x_eoe_sw32
Algorithm #1 (sum -r):    24036 3552 patchSG0003164.x_eoe_sw32
Algorithm #2 (sum):       62299 3552 patchSG0003164.x_eoe_sw32
MD5 checksum:             CF227E33123A6B4C83B957BE7481E594

Filename:                 patchSG0003164.x_eoe_sw64
Algorithm #1 (sum -r):    01544 3763 patchSG0003164.x_eoe_sw64
Algorithm #2 (sum):       32019 3763 patchSG0003164.x_eoe_sw64
MD5 checksum:             33DAD3890A6EE445BABAA9299C6DE485

Filename:                 README.patch.3165
Algorithm #1 (sum -r):    05925 12 README.patch.3165
Algorithm #2 (sum):       9430 12 README.patch.3165
MD5 checksum:             F8F8C76CF0D6401153F34E606E000703

Filename:                 patchSG0003165
Algorithm #1 (sum -r):    40739 10 patchSG0003165
Algorithm #2 (sum):       64635 10 patchSG0003165
MD5 checksum:             E9F01F8B784EFB2360F96E1C111BC868

Filename:                 patchSG0003165.eoe_sw
Algorithm #1 (sum -r):    44998 7 patchSG0003165.eoe_sw
Algorithm #2 (sum):       42468 7 patchSG0003165.eoe_sw
MD5 checksum:             948C51F29D9B18C71211551F2A9E2786

Filename:                 patchSG0003165.idb
Algorithm #1 (sum -r):    08151 12 patchSG0003165.idb
Algorithm #2 (sum):       9229 12 patchSG0003165.idb
MD5 checksum:             C377B369F49EC7BE07B43C4B1A3AE7C8

Filename:                 patchSG0003165.x_dev_sw
Algorithm #1 (sum -r):    20931 5115 patchSG0003165.x_dev_sw
Algorithm #2 (sum):       57869 5115 patchSG0003165.x_dev_sw
MD5 checksum:             201472A518AD6573742D18E1B94EFD7B

Filename:                 patchSG0003165.x_dev_sw64
Algorithm #1 (sum -r):    15326 2378 patchSG0003165.x_dev_sw64
Algorithm #2 (sum):       5558 2378 patchSG0003165.x_dev_sw64
MD5 checksum:             885049D822B3B277576E2C4AB54B91C4

Filename:                 patchSG0003165.x_eoe_sw
Algorithm #1 (sum -r):    63988 7594 patchSG0003165.x_eoe_sw
Algorithm #2 (sum):       15222 7594 patchSG0003165.x_eoe_sw
MD5 checksum:             129346F08874CF9A56B6497BF4AA3B32

Filename:                 patchSG0003165.x_eoe_sw64
Algorithm #1 (sum -r):    25380 4118 patchSG0003165.x_eoe_sw64
Algorithm #2 (sum):       24205 4118 patchSG0003165.x_eoe_sw64
MD5 checksum:             34980EFCE4E39EBFEC55FA279E7F1957

- ------------------------
- --- Acknowledgments ---
- ------------------------

Silicon Graphics wishes to thank the CERT Coordination Center and the users
of the Internet Community at large for their assistance in this matter.

- -----------------------------------------------------------
- --- Silicon Graphics Inc. Security Information/Contacts ---
- -----------------------------------------------------------

If there are questions about this document, email can be sent to


Silicon Graphics provides security information and patches for
use by the entire SGI community.  This information is freely
available to any person needing the information and is available
via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (  Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively. The Silicon Graphics Security Headquarters Web page is
accessible at the URL http://www.sgi.com/Support/security/security.html.

For issues with the patches on the FTP sites, email can be sent to

For assistance obtaining or working with security patches, please
contact your SGI support provider.


Silicon Graphics provides a free security mailing list service
called wiretap and encourages interested parties to self-subscribe
to receive (via email) all SGI Security Advisories when they are
released. Subscribing to the mailing list can be done via the Web
(http://www.sgi.com/Support/security/wiretap.html) or by sending email
to SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to.  The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.


Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/security/security.html.


For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A
support contract is not required for submitting a security report.

  This information is provided freely to all interested parties and may
  be redistributed provided that it is not altered in any way, Silicon
  Graphics is appropriately credited and the document retains and
  includes its valid PGP signature.

Version: 2.6.2