From agent99@boytoy.csd.sgi.com Fri Oct 16 13:32:11 1998 From: SGI Security Coordinator To: agent99@sgi.com Date: Thu, 15 Oct 1998 21:26:33 GMT Subject: IRIX Xaw library exploitable buffer overflow -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: Xaw library exploitable buffer overflow Title: CERT VB-98.04 Number: 19981003-01-PX Date: October 15, 1998 ______________________________________________________________________________ Silicon Graphics provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics provides the information in this Security Advisory on an "AS-IS" basis only, and disclaims all warranties with respect thereto, express, implied or otherwise, including, without limitation, any warranty of merchantability or fitness for a particular purpose. In no event shall Silicon Graphics be liable for any loss of profits, loss of business, loss of data or for any indirect, special, exemplary, incidental or consequential damages of any kind arising from your use of, failure to use or improper use of any of the instructions or information in this Security Advisory. ______________________________________________________________________________ - ----------------------- - --- Issue Specifics --- - ----------------------- The Open Group (http://www.opengroup.org/) has reported via CERT that an exploitable buffer overflow has been discovered in Xaw library which can lead to a root compromise. Silicon Graphics Inc. has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems. This issue will be corrected in future releases of IRIX. - -------------- - --- Impact --- - -------------- The Xaw library is installed by default on IRIX. The Xaw Text widget must be used in a setuid root program in order to be vulnerable. A local user account on the vulnerable system is required in order to exploit the Xaw library. The exploitable buffer overflow vulnerability can lead to a root compromise. This Xaw library buffer overflow vulnerability was reported by CERT VB-98.04: http://www.cert.org/ftp/cert_bulletins/VB-98.04.xterm.Xaw This Xaw vulnerability has been publicly discussed in Usenet newsgroups and mailing lists. - -------------------------- - --- Temporary Solution --- - -------------------------- Although patches are available for this issue, it is realized that there may be situations where installing the patches immediately may not be possible. Only setuid root programs that use the Xaw Text widget are vulnerable to this exploit. There is no easy detection method for determining if a program uses the Xaw Text widget. If you are aware of a setuid root program that uses Xaw Text widget, the steps below can be used to remove the vulnerability by removing the setuid permissions of that program. 1) Become the root user on the system. % /bin/su - Password: # 2) Remove the setuid-root bit from the binary. # chmod 0755 3) Return to previous level. # exit % - ---------------- - --- Solution --- - ---------------- OS Version Vulnerable? Patch # Other Actions ---------- ----------- ------- ------------- IRIX 3.x no IRIX 4.x no IRIX 5.0.x yes Note 1 & 2 IRIX 5.1.x yes Note 1 & 2 IRIX 5.2 yes Note 1 & 2 IRIX 5.3 yes 3162 IRIX 6.0.x yes Note 1 & 2 IRIX 6.1 yes Note 1 & 2 IRIX 6.2 yes 3163 IRIX 6.3 yes 3164 IRIX 6.4 yes 3165 IRIX 6.5 yes 6.5.1 Note 3 IRIX 6.5.1 no NOTES 1) Upgrade to currently supported IRIX operating system. 2) See "Temporary Solution" section. 3) If you have not received an IRIX 6.5.1m CD for IRIX 6.5, contact your SGI Support Provider or download the IRIX 6.5.1 Maintenance Release Stream from http://support.sgi.com/ Patches are available via anonymous FTP and your service/support provider. The primary SGI anonymous FTP site for security information and patches is sgigate.sgi.com (204.94.209.1). Security information and patches can be found in the ~ftp/security and ~ftp/patches directories, respectively. For security and patch management reasons, ftp.sgi.com (mirror of sgigate) lags behind and does not do a real-time update of ~ftp/security and ~ftp/patches ##### Patch File Checksums #### The actual patch will be a tar file containing the following files: Filename: README.patch.3162 Algorithm #1 (sum -r): 62760 15 README.patch.3162 Algorithm #2 (sum): 52641 15 README.patch.3162 MD5 checksum: B8F950CFFA015AEE80BDDF7D71941997 Filename: patchSG0003162 Algorithm #1 (sum -r): 29527 3 patchSG0003162 Algorithm #2 (sum): 16855 3 patchSG0003162 MD5 checksum: 483B3714A2DBCF085FB4430E60AFADB5 Filename: patchSG0003162.idb Algorithm #1 (sum -r): 63388 4 patchSG0003162.idb Algorithm #2 (sum): 4333 4 patchSG0003162.idb MD5 checksum: 4E6E083D81345A44ECF9B81DF37936D0 Filename: patchSG0003162.x_dev_sw Algorithm #1 (sum -r): 10817 1841 patchSG0003162.x_dev_sw Algorithm #2 (sum): 53139 1841 patchSG0003162.x_dev_sw MD5 checksum: 9496B25ECC3E96A8D61E2F61AB7CC444 Filename: patchSG0003162.x_eoe_sw Algorithm #1 (sum -r): 39327 3232 patchSG0003162.x_eoe_sw Algorithm #2 (sum): 13525 3232 patchSG0003162.x_eoe_sw MD5 checksum: D42A84EF3F076A58D33F19F52A819673 Filename: README.patch.3163 Algorithm #1 (sum -r): 23654 18 README.patch.3163 Algorithm #2 (sum): 25734 18 README.patch.3163 MD5 checksum: 756076D4B042CD3B821051B3146C2451 Filename: patchSG0003163 Algorithm #1 (sum -r): 32763 18 patchSG0003163 Algorithm #2 (sum): 46144 18 patchSG0003163 MD5 checksum: 9D8CF5AF49F89003D333E84E6D3300C6 Filename: patchSG0003163.idb Algorithm #1 (sum -r): 16114 13 patchSG0003163.idb Algorithm #2 (sum): 38740 13 patchSG0003163.idb MD5 checksum: 757BF2A5882658173ECFF63F892C46A8 Filename: patchSG0003163.x_dev_sw Algorithm #1 (sum -r): 26703 1871 patchSG0003163.x_dev_sw Algorithm #2 (sum): 4990 1871 patchSG0003163.x_dev_sw MD5 checksum: 4E89925EA5679B21BF8FC765CB79A8BB Filename: patchSG0003163.x_dev_sw32 Algorithm #1 (sum -r): 28764 2195 patchSG0003163.x_dev_sw32 Algorithm #2 (sum): 46025 2195 patchSG0003163.x_dev_sw32 MD5 checksum: DF71C67366E29B0F9CEF5B10A0EE3BD0 Filename: patchSG0003163.x_dev_sw64 Algorithm #1 (sum -r): 10893 2353 patchSG0003163.x_dev_sw64 Algorithm #2 (sum): 47599 2353 patchSG0003163.x_dev_sw64 MD5 checksum: A307C6DB70BD37A31D1F9D4D858C4004 Filename: patchSG0003163.x_eoe_sw Algorithm #1 (sum -r): 26523 4258 patchSG0003163.x_eoe_sw Algorithm #2 (sum): 2943 4258 patchSG0003163.x_eoe_sw MD5 checksum: 0CD66C2493A3667D1C68D2E2EE3DB187 Filename: patchSG0003163.x_eoe_sw32 Algorithm #1 (sum -r): 44792 3969 patchSG0003163.x_eoe_sw32 Algorithm #2 (sum): 30141 3969 patchSG0003163.x_eoe_sw32 MD5 checksum: 91B0F609DCF4B10814C7623669A1193D Filename: patchSG0003163.x_eoe_sw64 Algorithm #1 (sum -r): 36394 4235 patchSG0003163.x_eoe_sw64 Algorithm #2 (sum): 15018 4235 patchSG0003163.x_eoe_sw64 MD5 checksum: A751597CA40C154D855F1BA4CE111AE6 Filename: README.patch.3164 Algorithm #1 (sum -r): 04525 12 README.patch.3164 Algorithm #2 (sum): 63555 12 README.patch.3164 MD5 checksum: F949A9F818F578F9209DD453A713EDE9 Filename: patchSG0003164 Algorithm #1 (sum -r): 45150 7 patchSG0003164 Algorithm #2 (sum): 23540 7 patchSG0003164 MD5 checksum: 5EB26E7B577ADD63AD2A7E31E8E818FB Filename: patchSG0003164.idb Algorithm #1 (sum -r): 62231 11 patchSG0003164.idb Algorithm #2 (sum): 39482 11 patchSG0003164.idb MD5 checksum: 608679BE467AD0FF7B0044F08CFBA5F7 Filename: patchSG0003164.x_dev_sw Algorithm #1 (sum -r): 00282 1861 patchSG0003164.x_dev_sw Algorithm #2 (sum): 51321 1861 patchSG0003164.x_dev_sw MD5 checksum: AA403DA6F7934786C8B1138B6419EDF9 Filename: patchSG0003164.x_dev_sw32 Algorithm #1 (sum -r): 40105 2188 patchSG0003164.x_dev_sw32 Algorithm #2 (sum): 43711 2188 patchSG0003164.x_dev_sw32 MD5 checksum: 20D889F2721D867301F1F49C7F0F9FDE Filename: patchSG0003164.x_dev_sw64 Algorithm #1 (sum -r): 05154 2341 patchSG0003164.x_dev_sw64 Algorithm #2 (sum): 35806 2341 patchSG0003164.x_dev_sw64 MD5 checksum: 975B64D7781501F1428382C38EF8E33E Filename: patchSG0003164.x_eoe_sw Algorithm #1 (sum -r): 40472 3285 patchSG0003164.x_eoe_sw Algorithm #2 (sum): 19365 3285 patchSG0003164.x_eoe_sw MD5 checksum: 7130465ECBEA6961DE898BC6B03BC6EC Filename: patchSG0003164.x_eoe_sw32 Algorithm #1 (sum -r): 24036 3552 patchSG0003164.x_eoe_sw32 Algorithm #2 (sum): 62299 3552 patchSG0003164.x_eoe_sw32 MD5 checksum: CF227E33123A6B4C83B957BE7481E594 Filename: patchSG0003164.x_eoe_sw64 Algorithm #1 (sum -r): 01544 3763 patchSG0003164.x_eoe_sw64 Algorithm #2 (sum): 32019 3763 patchSG0003164.x_eoe_sw64 MD5 checksum: 33DAD3890A6EE445BABAA9299C6DE485 Filename: README.patch.3165 Algorithm #1 (sum -r): 05925 12 README.patch.3165 Algorithm #2 (sum): 9430 12 README.patch.3165 MD5 checksum: F8F8C76CF0D6401153F34E606E000703 Filename: patchSG0003165 Algorithm #1 (sum -r): 40739 10 patchSG0003165 Algorithm #2 (sum): 64635 10 patchSG0003165 MD5 checksum: E9F01F8B784EFB2360F96E1C111BC868 Filename: patchSG0003165.eoe_sw Algorithm #1 (sum -r): 44998 7 patchSG0003165.eoe_sw Algorithm #2 (sum): 42468 7 patchSG0003165.eoe_sw MD5 checksum: 948C51F29D9B18C71211551F2A9E2786 Filename: patchSG0003165.idb Algorithm #1 (sum -r): 08151 12 patchSG0003165.idb Algorithm #2 (sum): 9229 12 patchSG0003165.idb MD5 checksum: C377B369F49EC7BE07B43C4B1A3AE7C8 Filename: patchSG0003165.x_dev_sw Algorithm #1 (sum -r): 20931 5115 patchSG0003165.x_dev_sw Algorithm #2 (sum): 57869 5115 patchSG0003165.x_dev_sw MD5 checksum: 201472A518AD6573742D18E1B94EFD7B Filename: patchSG0003165.x_dev_sw64 Algorithm #1 (sum -r): 15326 2378 patchSG0003165.x_dev_sw64 Algorithm #2 (sum): 5558 2378 patchSG0003165.x_dev_sw64 MD5 checksum: 885049D822B3B277576E2C4AB54B91C4 Filename: patchSG0003165.x_eoe_sw Algorithm #1 (sum -r): 63988 7594 patchSG0003165.x_eoe_sw Algorithm #2 (sum): 15222 7594 patchSG0003165.x_eoe_sw MD5 checksum: 129346F08874CF9A56B6497BF4AA3B32 Filename: patchSG0003165.x_eoe_sw64 Algorithm #1 (sum -r): 25380 4118 patchSG0003165.x_eoe_sw64 Algorithm #2 (sum): 24205 4118 patchSG0003165.x_eoe_sw64 MD5 checksum: 34980EFCE4E39EBFEC55FA279E7F1957 - ------------------------ - --- Acknowledgments --- - ------------------------ Silicon Graphics wishes to thank the CERT Coordination Center and the users of the Internet Community at large for their assistance in this matter. - ----------------------------------------------------------- - --- Silicon Graphics Inc. Security Information/Contacts --- - ----------------------------------------------------------- If there are questions about this document, email can be sent to cse-security-alert@sgi.com. ------oOo------ Silicon Graphics provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security information and patches is sgigate.sgi.com (204.94.209.1). Security information and patches are located under the directories ~ftp/security and ~ftp/patches, respectively. The Silicon Graphics Security Headquarters Web page is accessible at the URL http://www.sgi.com/Support/security/security.html. For issues with the patches on the FTP sites, email can be sent to cse-security-alert@sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. ------oOo------ Silicon Graphics provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/Support/security/wiretap.html) or by sending email to SGI as outlined below. % mail wiretap-request@sgi.com subscribe wiretap end ^d In the example above, is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message. ------oOo------ Silicon Graphics provides a comprehensive customer World Wide Web site. This site is located at http://www.sgi.com/Support/security/security.html. ------oOo------ For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. ______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, Silicon Graphics is appropriately credited and the document retains and includes its valid PGP signature. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNiZgZbQ4cFApAP75AQFNawP9EhlJX0vTsSxr/rngAmU1wr46efbxzd5P Mz1Nvqvqk01CWpW7PcDwlxhBheT/hHnGEfCuj0NeuE0+D4ISDF0piChEopm/ubYT uKl1/Tp3jKnX7qrrXNRsNirFHsG7JSKp1JULmcjOa0b+RzE9OH8wWXRN0A/cRZt5 TqDo2OygiOY= =ItwP -----END PGP SIGNATURE-----