Note: This is an archival copy of Security Sun Alert 201544 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001151.1.
Article ID : 1001151.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-06-26
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

dtsession(1X) Contains a Buffer Overflow Vulnerability

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6547678

Date of Resolved Release
27-JUN-2007

Impact

An unprivileged local user may be able to execute arbitrary code or commands with the privileges of the dtsession(1X) Common Desktop Environment (CDE) Session Manager. The dtsession(1X) CDE Session Manager runs with root privileges.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 109354-26
  • Solaris 9 without patch 113240-13
  • Solaris 10 without patch 125279-02

x86 Platform

  • Solaris 8 without patch 109355-25
  • Solaris 9 without patch 113241-13
  • Solaris 10 without patch 125280-02

Symptoms

There are no predictable symptoms that would indicate this issue has been exploited.


Workaround

To work around the described issue, turn off the set-user-ID ("setuid") bit for dtsession(1X) as root:

    #chmod 0555 /usr/dt/bin/dtsession

Note 1: For CDE users this will cause dtsession(1X) to be unable to unlock the screen by the list of keyholders (including root) as well as prevent users with accounts defined in /etc/passwd to be unable to unlock the screen. CDE users with accounts defined in NIS, NIS+, or LDAP will still be able to unlock the screen.

Note 2: CDE users with accounts defined in /etc/passwd should use xlock(1) to lock their X display and turn off automatic session locking by dtsession(1X). Automatic session locking by dtsession(1X) can be turned off using the CDE Style Manager's (dtstyle(1X)) screen option. From the dtstyle(1X) screen option window, automatic session locking can be turned off by selecting "off" for the Screen Saver and Screen Lock options. To lock the X display using xlock(1) the xlock(1) command can be executed from the command line of a terminal window.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 109354-26 or later
  • Solaris 9 with patch 113240-13 or later
  • Solaris 10 with patch 125279-02 or later

x86 Platform

  • Solaris 8 with patch 109355-25 or later
  • Solaris 9 with patch 113241-13 or later
  • Solaris 10 with patch 125280-02 or later


References

109354-26
113240-13
125279-02
109355-25
113241-13
125280-02




Attachments
This solution has no attachment