Note: This is an archival copy of Security Sun Alert 201230 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000917.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
A Security Vulnerability in the Solaris X Window System (X(5)) PCF Font Handler (see details below)
A security vulnerability in the Solaris X Window System (X(5)) PCF font handler in libfont and libXfont libraries may allow a remote unprivileged user to crash the application or execute arbitrary code with the privileges of the application which dynamically links to one of these libraries. The ability to crash an application is a type of Denial of Service (DoS).
This issue is described in the following document:
CERT VU#203220 at http://www.kb.cert.org/vuls/id/203220CVE-2008-0006 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0006
2. Contributing Factors
This issue can occur in the following releases:
Note: The Xorg(1) X server only ships on the x86 platform for Solaris 9 with the Sun Java Desktop System (JDS) release 2 installed, and on Solaris 10.
To determine if JDS release 2 is installed on a Solaris 9 x86 system, the following command can be run:
% grep distributor-version /usr/share/gnome-about/gnome-version.xml
To determine if an application is linked with the libXfont or libfont library, the ldd(1) utility can be utilized as in the following examples:
$ ldd /usr/openwin/bin/Xsun | grep libfont2. Symptoms
There are no predictable symptoms that would indicate the described issue has been exploited to execute arbitrary code with elevated privileges.
If the described issue is exploited to cause a Denial of Service (DoS) to an application which links to the libfreetype library, the application will exit and may generate a segmentation fault error, potentially writing a core(4) file.4. Workaround
To work around this issue, the "noexec_user_stack" options can be used to defeat the most common form of buffer overflow attacks that store executable exploit code on the stack. This can be achieved by editing the "/etc/system" file and adding the following lines:
set noexec_user_stack = 1 set noexec_user_stack_log = 1
A reboot will be necessary in order for the above change to take effect. See system(4) for information on modifying the system configuration information file.
This issue is addressed in the following releases:
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
18-JAN-2008: Updated Contributing Factors, Relief/Workaround, Resolution sections
31-JAN-2008: Updated Contributing Factors and Resolution sections
01-FEB-2008: Updated Contributing Factors, Resolution sections: Resolved
This solution has no attachment