XFree86 Security Issues

This page contains information about security-related issues affecting XFree86. XFree86 security advisories can be downloaded from our ftp site.

XFree86 versions 3.3.3 and 3.3.2.3 (aka 3.3.2 + patch 3) include fixes for all of the security problems listed here.


X Server Security Vulnerabilities

[25 Jul 1998]

Vulnerabilities have been found in the XFree86 X servers. The problems are associated with buffer overflows in code that processes user-supplied data. All releases of XFree86 up to and including 3.3.2 patch 2 are vulnerable to these problems.

A source patch for these problems is available now. Updated binaries are also available. The updated binaries can be found in the X3323upd.tgz files and in the Servers and PC98-Servers directories in the appropriate subdirectories of the XFree86 3.3.2 binaries directory. Information about installing the updated binaries can be found in an updated version of the XFree86 3.3.2 Release Notes. The X3323upd.tgz update includes everything fixed in the previous updates (X3321upd.tgz, X3322upd.tgz), so it can be installed without first installing the previous updates.


X library Security Vulnerabilities and Xdm Denial of Service

[24 May 1998]

Vulnerabilities have been found in the X11, Xt, Xaw and Xmu libraries. These affect xterm and all other setuid-root programs that use these libraries. The problems are associated with buffer overflows in code that processes user-supplied data. The Xt library problems include those fixed in TOG's recent public patch 3 for X11R6.3. All releases of XFree86 up to and including 3.3.2 patch 1 are vulnerable to some or all of these problems.

There is a denial of service problem with xdm which allows both local and remote users to crash xdm.

A source patch for these problems is available now. Updated binaries are also available. The updated binaries can be found in the X3322upd.tgz files in the appropriate subdirectories of the XFree86 3.3.2 binaries directory. Information about installing the updated binaries can be found in an updated version of the XFree86 3.3.2 Release Notes. The X3322upd.tgz update includes everything fixed in the previous update (X3321upd.tgz), so it can be installed without first installing the previous update.

Addendum: The initial version of this patch contained a bug in the X11 library that would cause some X applications (including xterm) to crash at startup on Linux systems using libc5. No other systems are affected by this. This bug does not represent a security vulnerability. The source patch and affected binaries were updated on the morning of 26 May (US EST). The problem only shows up when neither LANG nor LC_CTYPE is set in the environment. A temporary workaround is to set LANG to "C".

Note that it is important to follow the instructions in those notes carefully, and that the updated xterm and xdm programs and the updated X libraries must all be installed to fix the problems. Also, the X332bin.tgz and X332lib.tgz files in the XFree86 3.3.2 binaries subdirectories still contain the original buggy versions. For new XFree86 3.3.2 installations it is important to extract the X3322upd.tgz tarball after extracting the others.


Xterm and Xaw Security Vulnerabilities

[3 May 1998]

The Open Group recently released a security advisory concerning vulnerabilities in the xterm program and in the Xaw (Athena Widget) library. These particular problems are associated with buffer overflows in the code that processes the inputMethod and preeditType resources in both xterm and the Xaw library, and the *Keymap resources in xterm. The Xaw problems affect any setuid-root binaries that use the Xaw library (including xterm). The inputMethod and preeditType problems affect all releases of XFree86 from 3.0 to 3.3.2 (inclusive). The *Keymap problem affects all releases of XFree86 up to and including 3.3.2.
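The bug class behind the X library and Xaw/xterm advisories above is a resource value (inputMethod, preeditType, *Keymap) copied into a fixed-size buffer without a length check. The following is an added illustration, not XFree86 code: a bounded parser for X resource lines that rejects any field too long for its buffer instead of overflowing it. The buffer sizes and sample lines are constructed for the example.

```c
/* Added example (not XFree86 code): bounded parsing of X resource lines such
 * as "xterm*inputMethod: xim". An oversized name or value is rejected rather
 * than written past the end of a fixed buffer. Buffer caps are constructed. */
#include <ctype.h>
#include <string.h>

/* Parse "name: value" into caller-supplied buffers. Returns 0 on success,
 * -1 if the line is malformed or either field would overflow its buffer. */
int parse_resource_line(const char *line, char *name, size_t name_cap,
                        char *value, size_t value_cap)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL)
        return -1;                       /* no "name:" part */
    size_t name_len = (size_t)(colon - line);
    while (name_len > 0 && isspace((unsigned char)line[name_len - 1]))
        name_len--;                      /* trim blanks before the colon */
    if (name_len == 0 || name_len >= name_cap)
        return -1;                       /* empty, or too long for buffer */
    memcpy(name, line, name_len);
    name[name_len] = '\0';

    const char *v = colon + 1;
    while (isspace((unsigned char)*v))
        v++;                             /* skip blanks after the colon */
    size_t value_len = strlen(v);
    while (value_len > 0 && isspace((unsigned char)v[value_len - 1]))
        value_len--;                     /* trim trailing blanks / newline */
    if (value_len >= value_cap)
        return -1;                       /* reject rather than overflow */
    memcpy(value, v, value_len);
    value[value_len] = '\0';
    return 0;
}

/* Demo helpers using 64-byte name and 32-byte value buffers:
 * resource_line_matches() is 1 if the line parses to the expected fields,
 * resource_line_rejected() is 1 if the parser refuses the line. */
int resource_line_matches(const char *line, const char *want_name,
                          const char *want_value)
{
    char name[64], value[32];
    if (parse_resource_line(line, name, sizeof name, value, sizeof value) != 0)
        return 0;
    return strcmp(name, want_name) == 0 && strcmp(value, want_value) == 0;
}
int resource_line_rejected(const char *line)
{
    char name[64], value[32];
    return parse_resource_line(line, name, sizeof name, value, sizeof value) != 0;
}
```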

The Open Group's fixes for these problems are currently available only to its members (XFree86 is not a member). XFree86 is independently releasing its own fixes for these problems. A source patch is available now. Updated binaries for some OSs are also available now, and others will be available soon. The updated binaries can be found in the X3321upd.tgz files in the appropriate subdirectories of the XFree86 3.3.2 binaries directory. Information about installing the updated binaries can be found in an updated version of the XFree86 3.3.2 Release Notes.

Note that it is important to follow the instructions in those notes carefully, and that both the updated xterm program and the updated Xaw library must be installed to fix the problem with xterm. Also, the X332bin.tgz and X332lib.tgz files in the XFree86 3.3.2 binaries subdirectories still contain the original buggy versions. When doing a new XFree86 3.3.2 installation it is important to extract the X3321upd.tgz tarball after extracting the others.


Last updated: 5 December 1998