-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-00:27 Security Advisory
Topic: XFree86-4.0 port contains local root overflow
Credits: Michal Zalewski <lcamtuf@TPI.PL>
Affects: Ports collection.
Vendor status: Vendor eventually released patch
FreeBSD only: NO
I. Background
XFree86 4.0 is a development version of the popular XFree86 X Windows
II. Problem Description
XFree86 4.0 contains a local root vulnerability in the XFree86 server
binary, due to incorrect bounds checking of command-line
The server binary is setuid root, in contrast to previous versions
which had a small setuid wrapper which performed (among other things)
The XFree86-4 port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3400 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.0 contains this
problem since it was discovered after the release, but it was fixed in
time for FreeBSD 3.5.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.
III. Impact
Unprivileged local users can obtain root access.
IV. Workaround
If you have not chosen to install the XFree86-4 port/package, then
your system is not vulnerable to this problem.
Deinstall the XFree86-4 port/package, if you have installed it, or
limit the execution file permissions on the /usr/X11R6/bin/XFree86
binary so that only members of a trusted group may run the binary.
At this time, we do not recommend using XFree86 4.0 on multi-user
systems with untrusted users, because of the lack of security in the
server binary. The current "stable" version, XFree86 3.3.6, is also
available in FreeBSD ports.
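The following script is an added example, not part of this advisory or of the XFree86 port; it applies the group-restriction workaround above. It keeps the setuid bit (the server still needs root to drive the hardware) but removes execute permission for everyone outside a trusted group, so only members of that group can reach the unchecked argument parsing. The group name "xusers", the --apply switch and the pkg_info check are assumptions for illustration; the binary path is the one named in the workaround.

```sh
#!/bin/sh
# Added example (not from the advisory): restrict a setuid-root binary so
# that only members of a trusted group may execute it.
# Assumptions: group "xusers" exists; run as root when applying for real.

# Print the ten-character mode string of a file, e.g. "-rws--x---".
# ls(1) is used instead of stat(1) because stat's flags differ between
# BSD and GNU.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeed (return 0) if the owner-execute slot carries the setuid bit
# ('s' when execute is also set, 'S' when it is not).
is_setuid() {
    case "$(file_mode "$1")" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Restrict PATH to members of GROUP and print the resulting mode.
# chgrp runs first because on some systems changing ownership as a
# non-root user clears the setuid bit, which chmod then restores.
# Mode 4710 = setuid, rwx for owner, --x for group, nothing for other.
restrict_to_group() {
    path=$1
    group=$2
    chgrp "$group" "$path" || return 1
    chmod 4710 "$path" || return 1
    file_mode "$path"
}

# Apply the workaround on a box with the XFree86-4 package installed.
# pkg_info -e exits 0 only when a matching package is registered.
if [ "$1" = "--apply" ]; then
    if pkg_info -e 'XFree86-4*' 2>/dev/null; then
        restrict_to_group /usr/X11R6/bin/XFree86 xusers
    else
        echo "XFree86-4 package not installed; nothing to do"
    fi
fi
```

After applying, file_mode on the server binary should print -rws--x--- and is_setuid should still succeed; a user outside the group gets "Permission denied" when starting the server, while group members can still run it and it still gains root on exec. This is a containment measure only: anyone you put in the group can still exploit the bug, so the recommendation against untrusted multi-user systems stands.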
V. Solution
One of the following:
1) Upgrade your entire ports collection and rebuild the XFree86-4 port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:
An updated version of XFree86, version 4.0.1, has just been released,
which is believed to also fix the problems detailed in this advisory,
however the X server is still installed setuid root and so the above
warning against installation on multi-user machines still applies. The
packages will be available at the following locations in the next few
3) Download a new port skeleton for the XFree86-4 port from:
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----