Note: This is an archival copy of Security Sun Alert 201650 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001229.1.
Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
Several security vulnerabilities have been reported in the X Pixmap (libXpm) library which also affect the Motif library (libXm) shipped with Solaris and JDS for Linux since libXm includes the affected libXpm routines. These security vulnerabilities may allow a remote unprivileged user to execute arbitrary code with the privileges of a local user if that user loads an X Pixmap (.xpm) format image file from an untrusted source with an application that is linked with the Motif library (libXm).
Note: The Motif library (libXm) can be used to manipulate and display small images in Motif applications.
This issue is also described in the following documents:
Chris Evans Security Advisory (CESA) 2004.003 at http://scary.beasts.org/security/CESA-2004-003.txt
CAN-2004-0687 at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687
CAN-2004-0688 at http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688
This issue can occur in the following releases:
To determine if a Solaris application is linked with the libXm library, the ldd(1) utility can be used. For example:
$ ldd /usr/dt/bin/uil | grep libXm.so
libXm.so.4 => /usr/dt/lib/libXm.so.4
To determine if a Linux application is linked with the libXm library, the ldd(1) utility can be utilized. For example:
$ ldd /usr/X11R6/bin/uil | grep libXm
libXm.so.3 => /usr/X11R6/lib/libXm.so.3 (0x40033000)
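The following added example (not part of the Sun Alert) generalizes the single-binary ldd(1) check above into a script that lists every executable under the given directories that is linked with libXm, so an administrator can inventory affected Motif applications; the directory paths and the function names libxm_from_ldd, links_libxm and scan_for_libxm are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory: inventory executables linked with libXm
# by running ldd(1) on each one, as the advisory's manual check does.

# Read ldd output on stdin and print only the libXm entries, normalised to
# "soname => path" (leading whitespace and any trailing load address removed).
# Prints nothing when libXm is absent.
libxm_from_ldd() {
    grep 'libXm\.so' | sed 's/^[[:space:]]*//; s/[[:space:]]*(0x[0-9a-f]*)$//'
}

# Exit status 0 if the binary given as $1 is dynamically linked with libXm,
# 1 otherwise (ldd errors on non-ELF files are silenced).
links_libxm() {
    ldd "$1" 2>/dev/null | grep -q 'libXm\.so'
}

# For every directory given as an argument, print "binary: soname => path"
# for each executable that is linked with libXm.
scan_for_libxm() {
    for dir in "$@"; do
        for bin in "$dir"/*; do
            [ -f "$bin" ] && [ -x "$bin" ] || continue
            if links_libxm "$bin"; then
                printf '%s: %s\n' "$bin" \
                    "$(ldd "$bin" 2>/dev/null | libxm_from_ldd | head -n 1)"
            fi
        done
    done
}

# Typical invocation on the paths used in the advisory (assumed directories):
#   scan_for_libxm /usr/dt/bin /usr/X11R6/bin
```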
To determine the release of JDS for Linux installed on a system, the following command can be run:
% cat /etc/sun-release
Sun Java Desktop System, Release 2 -build 10b (GA) Assembled 30 March 2004
To determine the version of Open Motif, the following command can be run:
% rpm -qf /usr/X11R6/lib/libXm.so.3
openmotif-2.2.2-522
There are no predictable symptoms that would indicate the described issue has been exploited.
To work around the described issue, do not load X PixMap (.xpm) images from untrusted sources.
This issue is resolved in the following releases:
To download and install the updated RPMs from the update servers, select the following from the "launch" bar:
Launch >> Applications >> System Tools >> Online Update