Note: This is an archival copy of Security Sun Alert 230213 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1018535.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
A security vulnerability in the Xsun(1) and Xorg(1) X servers may allow a local unprivileged user the ability to execute arbitrary code with the privileges of the Xsun(1) or Xorg(1) X server due to an integer overflow in the X Pixmap (Xpm) format image file creation routines.
This issue is described in the following document:
This issue can occur in the following releases:
Note: The Xorg(1) X server only ships on the x86 platform for Solaris 9 with the Sun Java Desktop System (JDS) release 2 installed, and on Solaris 10.
To determine if JDS release 2 is installed on a Solaris 9 x86 system, the following command can be run:
% grep distributor-version /usr/share/gnome-about/gnome-version.xml <distributor-version>Sun Java Desktop System, Release 2</distributor-version>
There are no predictable symptoms that would indicate the described issue has been exploited.
To work around the described issue, remove the setuid(2) and/or setgid(2) bit from Xsun(1) and Xorg(1).
Note: Performing the above procedure will disable the following:
1. The ability to start either the Xsun(1) or Xorg(1) server from the command line for non-root users on the Solaris x86 platform..
2. Power Management and Interactive Process Priority control on Solaris SPARC.
3. Xsun(1) and Xorg(1) ability to open Unix domain sockets and named pipe transports in the protected "/tmp/.X11-*" directories.
Note: These features will still be available if Xsun(1) or Xorg(1) is started via display managers such as dtlogin(1) or gdm(1), however, the system would still be vulnerable to this issue.
This issue is addressed in the following releases:
This solution has no attachment