Note: This is an archival copy of Security Sun Alert 200642 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000503.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Preliminary Release
Date of Workaround Release
Date of Resolved Release
There exists multiple security vulnerabilities within the handlers for the QueryXBitmaps and QueryXExtents protocol requests (see below for full details)
There exists multiple security vulnerabilities within the handlers for the QueryXBitmaps and QueryXExtents protocol requests for the X Font Server, xfs(1), included with Solaris. These vulnerabilities may allow a local or remote unprivileged user the ability to execute arbitrary code with the privileges of the X font server. The X font server runs as the unprivileged user "nobody" (uid 60001) on Solaris. These vulnerabilities may allow also allow users to consume all available memory on a system resulting in a Denial of Service (DoS).
These issues are also referenced in the following documents:
2. Contributing Factors
These issues can occur in the following releases:
The system is only impacted if the X Font Server is enabled or is running. The X Font Server can be started manually, but is normally started by the service management facility (smf(5)) or the Internet services daemon (inetd(1M)).
To determine the state of the X font server on Solaris 8 and Solaris 9 systems the "/etc/inet/inetd.conf" (see inetd.conf(4)) file will contain entry similar to the following:
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
To determine the state of the X Font Server for Solaris 10, the following command can be used:
$ svcs svc:/application/x11/xfs
To determine if the X font server is running on a Solaris 8, 9, or 10 system the following command can be used:
$ pgrep -x xfs || echo "xfs(1) isn't running on this system"3. Symptoms
If the described issue occurs, the X Font Server (xfs(1)) may exit unexpectedly, potentially leaving a core file within the root file system.
There are no predictable symptoms that would indicate that this issue has been exploited to execute arbitrary code on a system.
To work around the described issue, disable the X Font Service by doing the following:
For Solaris 10:
# svcadm disable svc:/application/x11/xfs:default # pkill -x xfs
For Solaris 8 and Solaris 9:
The X font server can be disabled by commenting out (with "#") the following line in the "inetd.conf" file:
# fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
Have the inetd(1M) process reread the newly modified "/etc/inetd.conf" file by sending it a "hangup" signal, SIGHUP, as the root user:
# pkill -HUP -x inetd # pkill -x xfs
This workaround will cause font server operations for the X terminals and remote X sessions to fail.
This issue is addressed in the following releases:
Note: The patches should have the "rebootafter" patch property, however, the Solaris 9 and Solaris 10 patches are missing that property and new revisions are being built.
Special patch install instructions:
For the changes in the Solaris 9 and Solaris 10 patches to become effective, a reboot must be performed, or alternatively, the X Window System font server process "xfs" must be killed if it is running.
The "X font server", is normally started automatically from "inetd" on Solaris when a request for a font service is received. Xsun clients using the font server will detect the font server shutdown and reconnect automatically to a new instance of the font server. Unfortunately, other font clients, such as some versions of "Xvnc", will not reconnect automatically and will need to be stopped before killing the font server and restarted again after the font server is restarted. (If "xfs" is still being run from "inetd", "inetd" will automatically restart on the first connection attempt.)
To kill the font server, as root, run the following command:
# pkill -x xfs
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
11-Oct-2007: Updated Relief/Workaround section
06-Nov-2007: Updated Contributing Factors and Resolution sections
13-Nov-2007: Updated the Contributing Factors, Relief/Workaround, and Resolution sections
17-Jan-2008: Resolved - Updated Contributing Factors and Resolution sections
This solution has no attachment