RHEL 2.1 : XFree86 (RHSA-2003:065)
Critical Nessus Plugin ID 12369
Synopsis
The remote Red Hat host is missing one or more security updates.
Description
Updated XFree86 packages that resolve various security issues and additionally provide a number of bug fixes and enhancements are now available for Red Hat Enterprise Linux 2.1.
XFree86 is an implementation of the X Window System, which provides the graphical user interface, video drivers, etc. for Linux systems.
A number of security vulnerabilities have been found and fixed. In addition, various other bug fixes, driver updates, and other enhancements have been made.
Security fixes:
Xterm, provided as part of the XFree86 packages, provides an escape sequence for reporting the current window title. This escape sequence essentially takes the current title and places it directly on the command line. An attacker can craft an escape sequence that sets the victim's Xterm window title to an arbitrary command, and then reports it to the command line. Since it is not possible to embed a carriage return into the window title, the attacker would then have to convince the victim to press Enter for the shell to process the title as a command, although the attacker could craft other escape sequences that might convince the victim to do so. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0063 to this issue.
It is possible to lock up versions of Xterm by sending an invalid DEC UDK escape sequence. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2003-0071 to this issue.
The xdm display manager, with the authComplain variable set to false, allows arbitrary attackers to connect to the X server if the xdm auth directory does not exist. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2002-1510 to this issue.
These erratum packages also contain an updated fix for CVE-2002-0164, a vulnerability in the MIT-SHM extension of the X server that allows local users to read and write arbitrary shared memory. The original fix did not cover the case where the X server is started from xdm.
The X server was setting the /dev/dri directory permissions incorrectly, which resulted in the directory being world-writable. It now sets the directory permissions to a safe value. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2001-1409 to this issue.
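For the two Xterm issues above (CVE-2003-0063 and CVE-2003-0071), a complementary defensive measure is to filter terminal control sequences out of untrusted text before it is displayed. The following is an added example, not part of the Red Hat advisory or the Nessus plugin: it drops string-type sequences (OSC, which carries title changes, and DCS, which carries DEC UDK definitions) and every CSI sequence except plain SGR colour codes. The function name `sanitize` and the sample input are constructed for illustration.

```python
import re

# One pattern, three alternatives, tried in this order at each position:
#   string: OSC/DCS/SOS/PM/APC (7-bit ESC form or 8-bit C1 form) up to BEL, ST,
#           or end of input if the sequence is never terminated
#   csi:    ESC [ (or C1 0x9b) + parameter bytes + intermediate bytes + final byte
#   ctrl:   any other C0/C1 control except TAB, LF and CR (includes a lone ESC)
_TOKEN = re.compile(
    r"(?P<string>(?:\x1b[\]P^_X]|[\x90\x98\x9d-\x9f]).*?(?:\x07|\x1b\\|\x9c|\Z))"
    r"|(?P<csi>(?:\x1b\[|\x9b)(?P<params>[\x30-\x3f]*)(?P<inter>[\x20-\x2f]*)"
    r"(?P<final>[\x40-\x7e]))"
    r"|(?P<ctrl>[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f])",
    re.DOTALL,
)


def sanitize(text):
    """Return (clean_text, dropped) for untrusted text headed to a terminal.

    Only SGR sequences (colours/attributes) with numeric parameters are kept;
    dropped is a list of (kind, repr_of_sequence) for logging or alerting.
    """
    dropped = []

    def repl(m):
        if m.group("csi") is not None:
            plain = set(m.group("params")) <= set("0123456789;")
            if m.group("final") == "m" and not m.group("inter") and plain:
                return "\x1b[" + m.group("params") + "m"  # normalise to 7-bit
            kind = "csi"
        elif m.group("string") is not None:
            kind = "string"
        else:
            kind = "ctrl"
        dropped.append((kind, repr(m.group(0))))
        return ""

    return _TOKEN.sub(repl, text), dropped


# Constructed sample: coloured status line, a title-setting OSC, a CSI report
# request and a DCS string, none of them taken from the advisory.
SAMPLE = ("job ok \x1b[32mPASS\x1b[0m\n"
          "\x1b]2;constructed-title\x07line2\x1b[6n"
          "\x1bPconstructed\x1b\\end\n")

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE)
    print(repr(clean))
    for kind, seq in dropped:
        print(kind, seq)
```

A filter like this belongs in tools that show attacker-influenced text (log viewers, mail readers, file listings); it does not replace installing the updated packages.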
Driver updates and other fixes:
The Rage 128 video driver (r128) has been updated to provide 2D support for all previously unsupported ATI Rage 128 hardware. DRI 3D support should also work on the majority of Rage 128 hardware.
Bad page size assumptions in the ATI Radeon video driver (radeon) have been fixed, allowing the driver to work properly on ia64 and other architectures where the page size is not fixed.
A long-standing XFree86 bug has been fixed. With this bug, any form of system clock skew (such as NTP clock synchronization, APM suspend/resume cycling on laptops, daylight saving time changeover, or even manually setting the system clock forward or backward) could result in odd application behavior, mouse and keyboard lockups, or even an X server hang or crash.
The S3 Savage driver (savage) has been updated to the upstream author's latest version '1.1.27t', which should fix numerous bugs reported by various users, as well as adding support for some newer savage hardware.
Users are advised to upgrade to these updated packages, which contain XFree86 version 4.1.0 with patches correcting these issues.
Solution
Update the affected packages.