RHSA-2003:065 - Security Advisory

Topic

Updated XFree86 packages that resolve various security issues and
additionally provide a number of bug fixes and enhancements are now
available for Red Hat Enterprise Linux 2.1.

Description

XFree86 is an implementation of the X Window System, which provides the
graphical user interface, video drivers, etc. for Linux systems.

A number of security vulnerabilities have been found and fixed. In
addition, various other bug fixes, driver updates, and other enhancements
have been made.

Security fixes:

Xterm, provided as part of the XFree86 packages, provides an escape
sequence for reporting the current window title. This escape sequence
essentially takes the current title and places it directly on the command
line. An attacker can craft an escape sequence that sets the victim's Xterm
window title to an arbitrary command, and then reports it to the command
line. Since it is not possible to embed a carriage return into the window
title, the attacker would then have to convince the victim to press Enter
for the shell to process the title as a command, although the attacker
could craft other escape sequences that might convince the victim to do so.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0063 to this issue.

It is possible to lock up versions of Xterm by sending an invalid DEC
UDK escape sequence. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0071 to this issue.

The xdm display manager, with the authComplain variable set to false,
allows arbitrary attackers to connect to the X server if the xdm auth
directory does not exist. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1510 to this issue.

These erratum packages also contain an updated fix for CAN-2002-0164, a
vulnerability in the MIT-SHM extension of the X server that allows local
users to read and write arbitrary shared memory. The original fix did not
cover the case where the X server is started from xdm.

The X server was setting the /dev/dri directory permissions incorrectly,
which resulted in the directory being world writable. It now sets the
directory permissions to a safe value. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2001-1409 to
this issue.

Driver updates and other fixes:

The Rage 128 video driver (r128) has been updated to provide 2D support
for all previously unsupported ATI Rage 128 hardware. DRI 3D support
should also work on the majority of Rage 128 hardware.

Bad page size assumptions in the ATI Radeon video driver (radeon) have
been fixed, allowing the driver to work properly on ia64 and other
architectures where the page size is not fixed.

A long-standing XFree86 bug has been fixed. This bug occurs when any form
of system clock skew (such as NTP clock synchronization, APM suspend/resume
cycling on laptops, daylight savings time changeover, or even manually
setting the system clock forward or backward) could result in odd
application behavior, mouse and keyboard lockups, or even an X server hang
or crash.

The S3 Savage driver (savage) has been updated to the upstream author's
latest version "1.1.27t", which should fix numerous bugs reported by
various users, as well as adding support for some newer savage hardware.

Users are advised to upgrade to these updated packages, which contain
XFree86 version 4.1.0 with patches correcting these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

Please note that this update is available via Red Hat Network. To use Red
Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Affected Products

• Red Hat Enterprise Linux Server 2 ia64
• Red Hat Enterprise Linux Server 2 i386
• Red Hat Enterprise Linux Workstation 2 ia64
• Red Hat Enterprise Linux Workstation 2 i386

Fixes

CVEs

• CVE-2002-0164
• CVE-2001-1409
• CVE-2002-1510
• CVE-2003-0071
• CVE-2003-0063

References

(none)