Note: This is an archival copy of Security Sun Alert 200156 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000113.1.
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
Local users may be able to gain unauthorized root access, due to a buffer overflow in the XView library.
This issue can occur in the following releases:
Only systems with XView applications that have the "set user ID bit" (suid) or the "set group ID bit" (sgid) set are at risk.
To check if an application has the "set user ID bit" or the "set group ID bit" set, use the "ls -l" command. In the output, an "s" in the user or group permissions indicates a "set user ID bit" or "set group ID bit" respectively:
% ls -l testapp
-r-sr-sr-x 5 root
To check if an application is an XView application, use the "ldd" command. In the output a line listing "libxview.so" indicates that the application uses the XView library and is an XView application.
The find and xargs commands can also be used to look for XView applications that have the set user ID or set group ID bit set. For example, to check the /usr/openwin directory for such applications, use the command:
% find /usr/openwin/ \( -perm -4000 -o -perm -2000 \) -print | xargs ldd
In the output a line listing "libxview.so" indicates that the application uses the XView library and is an XView application.
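The find | xargs ldd pipeline above prints the library list of every set-ID file, so the affected ones still have to be picked out by eye. The following added example (not part of the original Sun Alert) reports only the set-ID files that link against libxview.so, together with their mode. The function name find_suid_xview and the LDD override variable are hypothetical names chosen for this example, and it assumes a POSIX shell such as ksh.

```shell
#!/bin/sh
# Added example, not from the advisory: list setuid/setgid files that
# link against libxview.so, one per line, as "<mode> <path>".

# LDD is overridable (an assumption of this example) so the check can be
# exercised on a host that has no XView library installed.
LDD=${LDD:-ldd}

# find_suid_xview DIR...
find_suid_xview() {
    # -perm -4000 matches the set user ID bit, -perm -2000 the set group ID bit.
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # ldd reports an error for scripts and static binaries; skip those.
        if $LDD "$f" 2>/dev/null | grep 'libxview\.so' >/dev/null; then
            mode=$(ls -ld "$f" | awk '{print $1}')
            printf '%s %s\n' "$mode" "$f"
        fi
    done
}

# When directories are given on the command line, audit them,
# e.g.:  sh find_suid_xview.sh /usr/openwin
if [ "$#" -gt 0 ]; then
    find_suid_xview "$@"
fi
```

Each line of output names a file to which the "chmod" workaround described in this advisory would apply.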
The issue described in this document can only be exploited by users already having an account on the affected system.
There are no symptoms that would show the described issue has already been exploited to gain unauthorized root access to a system.
As a possible workaround, the set user ID or set group ID bit of all affected XView applications might be removed using the "chmod" command. Removing the set user ID or set group ID bit of an application might keep it from functioning as expected.
The following application that is supplied with Solaris is potentially affected by the described issue:
Note: Solaris 2.4, 2.5, 2.5.1 will require an upgrade to a later release.