Note: This is an archival copy of Security Sun Alert 201542 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001150.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
A buffer overflow vulnerability in libX11 may allow a local unprivileged user to be able to execute arbitrary code or commands with elevated privileges. The code or commands executed would run with the privileges of the application dynamically linked to the libX11 library. A number of programs shipped in Solaris and by third parties dynamically link with the libX11 library and run with elevated privileges. Applications that call XInitImage() with user-controllable parameters may be vulnerable, such as xwud(1) and ImageMagick, when loading X Window Dump (xwd) files with incorrect parameters.
This issue is described in the following documents:
CVE-2007-1667 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1667
This issue can occur in the following releases:
1) To determine if an application is linked against the libX11 library, the ldd(1) utility can be used as in the following example:
$ ldd /path/to/application | grep libX11 || echo "application not affected"
If output similar to the following is seen:
libX11.so.4 => /usr/openwin/lib/libX11.so.4
then the application links to libX11 and may be affected by this issue.
2) To determine if an application uses the XInitImage(3X11) function the nm(1) command can be used if the application binary has not been stripped using strip(1). The file(1) command will report if a binary has been stripped. For example:
$ file /usr/openwin/bin/xwud /usr/openwin/bin/xwud: ELF 32-bit LSB executable 80386 Version 1 [FPU], dynamically linked, not stripped, no debugging information available $ nm /usr/openwin/bin/xwud | grep XInitImage  | 134550036| 0|FUNC |GLOB |0 |UNDEF |XInitImage
Alternatively, the truss(1) utility can be used to determine if an application calls the XInitImage() function. For example:
$ truss -f -t\!all -ulibX11:XInitImage: xwud -in file.xwd 28243/1@1: -> libX11:XInitImage(0x8047888) 28243/1@1: <- libX11:XInitImage() = 1
There are no predictable symptoms that would indicate the described issue has been exploited to execute arbitrary commands with elevated privileges on a system.
To avoid this issue, do not load X11 Window dump files from untrusted sources.
This issue is addressed in the following releases:
This solution has no attachment