A locally exploitable buffer overflow exists in the Low BandWidth X proxy.
The Low BandWidth X proxy is a component of XFree86 (a freely redistributable open-source implementation of the X Window System). The proxy allows applications to transparently take advantage of the Low Bandwidth extension to X (LBX). LBX makes more efficient use of low-bandwidth, high-latency communication links. Quoting from the LBX technical specifications:
Low Bandwidth X (LBX) is a network-transparent protocol for running X Window System applications over transport channels whose bandwidth and latency are significantly worse than that used in local area networks. It combines a variety of caching and reencoding techniques to reduce the volume of data that must be sent over the wire. It can be used with existing clients by placing a proxy between the clients and server, so that the low bandwidth/high latency communication occurs between the proxy and server.
A local attacker can execute arbitrary code with root privileges.
Apply a vendor patch.
|Vendor|Status|
|---|---|
|Hewlett-Packard Company|Affected|
|Sun Microsystems Inc.|Affected|
|Apple Computer Inc.|Not Affected|
|Cray Inc.|Not Affected|
|Fujitsu|Not Affected|
|IBM|Not Affected|
|Lotus Development Corporation|Not Affected|
|NEC Corporation|Not Affected|
|OpenBSD|Not Affected|
|SGI|Not Affected|
|XFree86|Not Affected|
|Cisco Systems Inc.|Unknown|
|Compaq Computer Corporation|Unknown|
|Computer Associates|Unknown|
|Nortel Networks|Unknown|
|Red Hat Inc.|Unknown|
|Sony Corporation|Unknown|
The CERT/CC thanks Sun Microsystems for reporting this vulnerability to us.
This document was written by Ian A. Finlay.
|Date First Published:|2002-08-19|
|Date Last Updated:|2002-08-19 19:22 UTC|