XFree86 Security Issues
XFree86 security contact
To report a security related problem in XFree86, contact security at XFree86.org.
If you prefer to send encrypted mail, use the security public key.
Recent XFree86 security fixes
This is a summary of security related fixes in successive XFree86
releases:
-
4.5.99.12 experimental snapshot
-
4.5.0 release
- Additional libXpm issues
(CAN-2005-0605).
- All fixes listed hereafter since 4.4.0.
-
4.4.99.18 experimental snapshot
-
4.4.99.16 experimental snapshot
- Integer overflow in libICE/libSM.
-
4.4.99.14 experimental snapshot
-
4.4.99.6 experimental snapshot
- xdm listen on random socket when DisplayManager.requestPort is 0
(CAN-2004-0419).
-
4.4.0
This release includes all fixes listed hereafter since 4.3.0.
-
4.3.99.903 Release Candidate
-
4.3.99.13 experimental snapshot
- Check for failure of the pam_setcred() function in xdm
session initialization.
(CAN-2003-0690).
- Better pseudo-random number generation for XDM session
cookies. (CAN-2003-0692).
-
4.3.99.12 experimental snapshot
- Fixes for potential integer overflows in font
libraries (CAN-2003-0730).
-
4.3.0
No major security updates are included in this release. The
following enhancements can be noted however:
- Add a X server configuration option (DontVTSwitch) to
disable the VT switching hot keys.
- Add a resource setting to xterm (AllowWindowsOps) to
disable the extended window operations (e.g., resize, iconify,
report window attributes). This addresses CAN-2003-0063.
- Fix two possible DoS (character sequences causing infinite
loops in special cases of mouse hilite tracking and DECUDK parsing
-
CAN-2003-0071) in xterm.
-
4.2.1 Errata
- The MIT-SHM update in 4.2.1 is incomplete as the case where the
X server is started from xdm was not handled. A more complete fix
from the XFree86 trunk was committed to the xf-4_2-branch
branch.
A
source patch against 4.2.1 is available on the XFree86 FTP
site.
-
4.2.1:
- Fix a zlib bug that may have security implications on some
platforms.
- MIT-SHM update should not access SHM segments which the
client does not have sufficient access privileges.
- Fix an Xlib problem which made it possible to load and
execute arbitrary code in privileged clients.
-
4.2.0:
- Close a hole where anyone can connect to the X server if the
xdm auth dir does not exist.
- Do not let a non-root user halt the machine by having X
send SIGUSR1 to the init(8) process.
- Fix a buffer overflow in glyph clipping for large origin.
-
4.1.0:
- Fix authentication issues with mmap() on drm devices.
- Check for negative reply length/overflow in _XAsyncReply.
- Plug kernel security hole in Linux int10
- Fix temp files vulnerabilities in xman, Xaw and man page
installation
-
4.0.1:
- Fix an XSecurity extension bug that could cause an X server
DoS.
- Fix a possible overflow in xkb options parsing.
- Fixed recently publicized security issues in some of the X
libraries, including: a possible libICE DoS, a possible xdmcp DoS,
and some potentially exploitable integer overflows.
- Improved xterm log file security (still not compiled in by
default).
- Fix for xterm DoS with arbitrarily large resize requests.
- Log failed xdm logins through syslog (only enabled on OpenBSD
for now).
- Add a new resource "allowRootLogin" to xdm (True by
default).
- Support in xdm for PAM on Linux and for KerberosIV on
OpenBSD.
-
4.0:
- Add request bounds checking for xfs.
- Fix possible races in xauth and libXau.
-
3.3.6:
- Fix for some insecure uses of mktemp(3) in the imake
program.
- Update the default xdm config file to disable listening for
XDMCP requests.
-
3.3.5:
- Fixes to config utils and x11pcomp.
- Fix a potential SEGV in xauth.
-
3.3.4:
- Fix a problem in xtrans with sub-directories creation under
/tmp/.
XFree86® is a registered trademark of The XFree86
Project, Inc.
Copyright © 1994-2006 XFree86 Project, Inc.
All rights reserved. This page is XHTML 1.0 transitional.
Last Modified: 11 April 2006