There are 2 potential overflows in xtrans, which may be exploitable.
One of them is documented in <http://www.securityfocus.com/archive/1/139436>

Apply by doing:
       cd "the directory containing your X11 source dir"
       patch -p0 < 030_xtrans.patch

And then rebuild your X11 tree:
       cd X11
       make build "DESTDIR=/"

Note: tcl/tk 8.0.5 is required to build X11 from source.

Index: X11/xc/lib/xtrans/Xtrans.c
===================================================================
RCS file: /cvs/X11/xc/lib/xtrans/Xtrans.c,v
retrieving revision 1.1.1.3
retrieving revision 1.2
diff -u -u -r1.1.1.3 -r1.2
--- X11/xc/lib/xtrans/Xtrans.c  1999/08/24 17:41:25     1.1.1.3
+++ X11/xc/lib/xtrans/Xtrans.c  2000/10/14 15:47:31     1.2
@@ -178,7 +178,7 @@
     * a case insensitive match.
     */

-    strncpy (protobuf, protocol, PROTOBUFSIZE);
+    strncpy (protobuf, protocol, PROTOBUFSIZE - 1);

    for (i = 0; i < PROTOBUFSIZE && protobuf[i] != '\0'; i++)
       if (isupper (protobuf[i]))
Index: X11/xc/lib/xtrans/Xtranssock.c
===================================================================
RCS file: /cvs/X11/xc/lib/xtrans/Xtranssock.c,v
retrieving revision 1.4
retrieving revision 1.6
diff -u -u -r1.4 -r1.6
--- X11/xc/lib/xtrans/Xtranssock.c      1999/08/24 18:11:21     1.4
+++ X11/xc/lib/xtrans/Xtranssock.c      2000/10/13 21:04:23     1.6
@@ -754,6 +754,29 @@
}


+#ifdef UNIXCONN
+static int
+set_sun_path(const char *port, const char *upath, char *path)
+{
+    struct sockaddr_un s;
+    int maxlen = sizeof(s.sun_path) - 1;
+
+    if (!port || !*port || !path)
+       return -1;
+
+    if (*port == '/') { /* a full pathname */
+       if (strlen(port) > maxlen)
+           return -1;
+       sprintf(path, "%s", port);
+    } else {
+       if (strlen(port) + strlen(upath) > maxlen)
+           return -1;
+       sprintf(path, "%s%s", upath, port);
+    }
+    return 0;
+}
+#endif
+
#ifdef TRANS_SERVER

static int
@@ -957,10 +980,9 @@
    sockname.sun_family = AF_UNIX;

    if (port && *port) {
-       if (*port == '/') { /* a full pathname */
-           sprintf (sockname.sun_path, "%s", port);
-       } else {
-           sprintf (sockname.sun_path, "%s%s", UNIX_PATH, port);
+       if (set_sun_path(port, UNIX_PATH, sockname.sun_path) != 0) {
+           PRMSG (1, "SocketUNIXCreateListener: path too long\n", 0, 0, 0);
+           return TRANS_CREATE_LISTENER_FAILED;
       }
    } else {
       sprintf (sockname.sun_path, "%s%d", UNIX_PATH, getpid());
@@ -1604,10 +1626,9 @@

    sockname.sun_family = AF_UNIX;

-    if (*port == '/') { /* a full pathname */
-       sprintf (sockname.sun_path, "%s", port);
-    } else {
-       sprintf (sockname.sun_path, "%s%s", UNIX_PATH, port);
+    if (set_sun_path(port, UNIX_PATH, sockname.sun_path) != 0) {
+       PRMSG (1, "SocketUNIXCreateListener: path too long\n", 0, 0, 0);
+       return TRANS_CREATE_LISTENER_FAILED;
    }

#if defined(BSD44SOCKETS) && !defined(Lynx)
@@ -1623,10 +1644,9 @@
     * This is gross, but it was in Xlib
     */
    old_sockname.sun_family = AF_UNIX;
-    if (*port == '/') { /* a full pathname */
-       sprintf (old_sockname.sun_path, "%s", port);
-    } else {
-       sprintf (old_sockname.sun_path, "%s%s", OLD_UNIX_PATH, port);
+    if (set_sun_path(port, OLD_UNIX_PATH, old_sockname.sun_path) != 0) {
+       PRMSG (1, "SocketUNIXConnect: path too long\n", 0, 0, 0);
+       return TRANS_CONNECT_FAILED;
    }
    old_namelen = strlen (old_sockname.sun_path) +
       sizeof (old_sockname.sun_family);

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.