Users login

Create an account »


Users login

Home » Hacking News » CLA-2002:533-Conectiva Linux Security Announcement - XFree86

CLA-2002:533-Conectiva Linux Security Announcement - XFree86

by Nikola Strahija on October 17th, 2002 XFree86 is a freely redistributable open-source implementation of the X Window System, which is a client/server interface between display hardware and the desktop environment. This advisory addresses several vulnerabilities[1] in XFree86-4.0.1 in Conectiva Linux 6.0 and XFree86-4.0.3 in Conectiva Linux 7.0. Conectiva Linux 8 was previously updated[2] and already contains these fixes.

It also fixes several vulnerabilities present in XFree86 version
3.3.6a, which was distributed for compatibility reasons with
Conectiva Linux 6.0 and 7.0.

- MIT-SHM extension vulnerability

Roberto Zunino discovered a vulnerability in the MIT-SHM extension of
XFree86 prior to versions 4.2.1. The vulnerability allows a local
user who can run XFree86 to gain read/write access to any shared
memory segment in the system. Although the use of shared memory
segments to store trusted data is not a comom practice, by exploiting
this vulnerability the attacker potentially can get and/or change
sensitive information.

- Buffer overflow in glyph clipping for large origin.

A buffer overflow vulnerability[3] was found in the glyph code when
clipping large origins. A remote attacker could exploit this
vulnerability to cause a denial of service and possibly run arbitrary
code by, for example, using a large number of characters through web
page search forms of some web browsers.

The Common Vulnerabilities and Exposures project ( has
assigned the name CAN-2001-0955 to this issue[4].

Additional fixes from the XFree86 CVS tree are listed below and have
also been applied to this update.

- Check for negative reply length/overflow in _XAsyncReply().

Mike A. Harris sent[5] a patch to the XFree86 3.3 source tree to fix
an overflow vulnerability. The vulnerability is also present in
XFree86 4.x versions, and the patch was adapted to fix it.

- XDM restrictions bypassed by non existent directory

If the xdm auth directory did not exist, any user could connect to
the Xserver using xdm. This was reported by Galen Hancock and the fix
was made[6] by setting the authComplain variable to true as default.
This is the expected behavior and is specified in the manual page of
the xdm configuration.

- Authentication issues with mmap() on drm devices

Jeff Hartmann sent a fix[7] for a vulnerability in the way the mmap()
system call was being used on DRM devices.

- Kernel security hole in Linux int10 module

Marc La France commited[8] to the XFree86 CVS tree a fix for a
vulnerability in the linux int10 module.

XFree86 3.3.6 compatiblity packages are being upgraded with the
latest branch patches available. The changelog[9] entries from the
XFree86 source related to security fixes since our last update are

- Avoid DoS attacks on xdm (Keith Packard).
- Check for negative reply length/overflow in _XAsyncReply (Xlib)
(#4601, Mike Harris).
- Fix possible buffer overflow (NOT on stack) in xdm xdmcp code
(patch69 from Red Hat SRPMS).
- Pull in fixes from 4.0.2 for the following problems:
. XlibInt buffer overflow
. libICE denial of service
. XOpenDisplay buffer overflow (#4450, Branden Robinson)
- Fix temp file problem in Imake.rules, InstallManPageAliases
(Matthieu Herrb)
- Pull in fixes from the main branch:
. xfs DoS (Paulo Cesar Pereira de Andrade and Keith Packard),
. _XAsyncReply() Xlib stack corruption,
. Xaw temp file handling (Branden Robinson).
- Safe tempfile handling for imake's probing of glibc version (based
on #4257, Colin Phipps).
- Fix a 1-byte overflow in Xtrans.c (#4182, Aaron Campbell).
- Back port fix for
from 4.0 (#4181, Matthieu Herrb).

All XFree86 users are advised to upgrade.



Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
(you may also use linuxconf to do this):

rpm [cncbr] 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions reagarding the use of apt and upgrade examples
can be found at

- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
Instructions on how to check the signatures of the RPM packages can be
found at
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at

- -------------------------------------------------------------------------
subscribe: [email protected]
unsubscribe: [email protected]
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »