Note: This is an archival copy of Security Sun Alert 201649 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001228.1.
Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Resolved Release
Xsun(1), the Solaris server for X Version 11, and Xprt(1), the Solaris print server for X Version 11, contain multiple buffer overflows in the handling of the "font.alias" file which may allow a local unprivileged user to execute arbitrary code with the privileges of the Xsun or Xprt server. The Xsun server runs with "gid root" privileges on Solaris SPARC systems and "uid root" privileges on Solaris x86 systems. The Xprt server runs with "gid root" privileges on both SPARC and x86 systems.
This issue is described in the following documents:
CVE CAN-2004-0083 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083
CVE CAN-2004-0084 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084
This issue can occur in the following releases:
Note: Solaris 10 is not affected by this issue.
There are no predictable symptoms that would indicate the described issue has been exploited.
To work around the described issue, do the following:
1. To remove the setuid(2) and/or setgid(2) bit from Xsun and Xprt, the following command can be run as "root":
# chmod 0755 /usr/openwin/bin/Xsun /usr/openwin/bin/Xprt
2. To configure dtlogin not to run Xsun as "root", copy "/usr/dt/config/Xservers" to "/etc/dt/config/Xservers" and change the following line from:
:0 Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner
:0 Local local_uid@console nobody /usr/openwin/bin/Xsun :0 -nobanner
WARNING: Performing the above procedure will disable:
This issue is addressed in the following releases:
This solution has no attachment