3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
70 lines
2.5 KiB
Text
70 lines
2.5 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-01:19 Security Advisory
|
|
FreeBSD, Inc.
|
|
|
|
Topic: ja-xklock port contains a local root compromise
|
|
|
|
Category: ports
|
|
Module: ja-xklock
|
|
Announced: 2001-02-07
|
|
Credits: Found during internal auditing
|
|
Affects: Ports collection prior to the correction date.
|
|
Corrected: See below.
|
|
Vendor status: N/A
|
|
FreeBSD only: No
|
|
|
|
I. Background
|
|
|
|
The ja-xklock is a localized xlock clone, which locks an X display.
|
|
|
|
II. Problem Description
|
|
|
|
The ja-xklock port, versions 2.7.1 and earlier, contains an
|
|
exploitable buffer overflow. Because the xklock program is also
|
|
setuid root, unprivileged local users may gain root privileges on the
|
|
local system.
|
|
|
|
Because the ja-xklock port is unmaintained and due to the software's
|
|
age, this vulnerability has not yet been corrected. Additionally, the
|
|
ja-xklock port is scheduled for removal from the ports system if it
|
|
has not been audited and fixed within one month of discovery. In the
|
|
event the ja-xlock port is corrected, this advisory will be rereleased
|
|
with updated information.
|
|
|
|
The ja-xklock port is not installed by default, nor is it "part of
|
|
FreeBSD" as such: it is part of the FreeBSD ports collection, which
|
|
contains over 4500 third-party applications in a ready-to-install
|
|
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2
|
|
contain this problem since it was discovered after the releases.
|
|
|
|
FreeBSD makes no claim about the security of these third-party
|
|
applications, although an effort is underway to provide a security
|
|
audit of the most security-critical ports.
|
|
|
|
III. Impact
|
|
|
|
Unprivileged local users may gain root privileges on the local system.
|
|
|
|
If you have not chosen to install the ja-xklock port/package, then
|
|
your system is not vulnerable to this problem.
|
|
|
|
IV. Workaround
|
|
|
|
Deinstall the ja-xklock port/package, if you have installed it.
|
|
|
|
V. Solution
|
|
|
|
It is suggested that an alternative, such as xlock or xlockmore, is
|
|
used instead of the ja-xklock port.
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: GnuPG v1.0.4 (FreeBSD)
|
|
Comment: For info see http://www.gnupg.org
|
|
|
|
iQCVAwUBOoGkUFUuHi5z0oilAQGzvwQAkiQisnaY94dUvy+a/RJoeY5j04yQf92u
|
|
P8I5aTWn6CfVP2a5xpRW8I2xRpJtiUAVzNmAYflW9gGgzQL9GXHy8roiaYMP+V7Y
|
|
X3zWhRV7Kb/L9jVKEGurwLaygF6m11AkmWUKbb8Hi95rzsJokTWA93MZK+exKfZ9
|
|
lFBOA3QC2vA=
|
|
=gIGE
|
|
-----END PGP SIGNATURE-----
|