Loss of Confidentiality,
Loss of Integrity,
Loss of Availability
XFree86 xfs, the font server for the X Windowing system, contains a flaw that may allow a malicious user to overwrite the permissions of any file on the local system. The issue is triggered when root (or an appropriately privileged user) runs the xfs server after the attacker (a local user) creates a symlink from /tmp/.font-unix to any other file (such as /etc/shadow). It is possible that the flaw may allow information disclosure, privilege elevation or denial of service.
Upgrade to version 18.104.22.168 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workarounds:
1) Do not run xfs as root or other priviliged user.
2) rm -rf /tmp/.font-unix before running xfs as a privileged user.
3) Apply the patch provided by Matthieu Herrb (see referenced security mail list post).
First posted to BugTraq by Lukasz Trabinski <lukasz@LT.WSISIZ.EDU.PL> on March 30, 1999.
S.u.S.E. Linux 5.3
RedHat Linux 5.1
Standard & Poors ComStock 4.2.4
Pacific HiTech TurboLinux 1.2
NetBSD NetBSD 1.3.3
Debian Linux 2.1
Debian Linux 2.0 r5
Debian Linux 2.0
Caldera OpenLinux Standard 1.2
Xfs, the Xfree86 font server included with RedHat 5.1 is vulnerable to a /tmp symbolic link attack. Xfs creates a file in /tmp called .font-unix that will be followed if a symlink. Any file pointed to by the symbolic link will be overwritten.
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org.
Upgrade to XFree86 22.214.171.124-0.1. The other related XFree86 symbolic link vulnerabilities are fixed in this version as well.