Note: This is an archival copy of Security Sun Alert 230901 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1018961.1.
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
Security Vulnerability in the Solaris X Server May Lead to Unauthorized Disclosure of Information on Access Restricted Files and Directories (see below for full details)
A security vulnerability in the Solaris X11 display server (Xorg(1) and Xsun(1)) and the Solaris X11 print server (Xprt(1)), related to the handling of command line options, may allow a local unprivileged user to determine whether files or directories exist inside access-restricted directories. The ability to gather information on access-restricted files or directories is a loss of confidentiality.
This issue is described in the following document:
2. Contributing Factors
These issues can occur in the following releases:
There are no predictable symptoms that would indicate the described issue has occurred.
To work around the described issue, remove the setuid(2) and/or setgid(2) bit from Xsun, Xorg and Xprt. To remove the setuid(2) and/or setgid(2) bit from Xsun, Xorg and Xprt, the following commands can be run as "root":
# chmod 0755 /usr/openwin/bin/Xsun /usr/openwin/bin/Xprt
Note: Not all of the above binaries may be found on all systems.
Warning: When Xsun, Xorg and Xprt are run directly or from xinit, removing the setuid/setgid bits from these binaries will disable:
Note: dtlogin(1X) and gdm(1m) will not be affected and will still be able to start with the privileges of the "root" user.
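As an added example (not part of the original Sun Alert), the following POSIX sh functions audit whether the binaries named in the workaround still carry setuid/setgid bits, skipping any that are not installed, and apply the chmod 0755 workaround to those that are present. Only the two paths the alert gives are checked by default; Xorg's path is not stated on the page, so pass it explicitly if needed.

```shell
#!/bin/sh
# Added example, not Sun's code: audit and clear setuid/setgid on X server
# binaries.  Relies only on ls(1), cut(1) and chmod(1) so it runs on a plain
# POSIX sh (Solaris /bin/sh included).

# Returns 0 (true) if the file has setuid or setgid set, 1 otherwise
# (including when the file does not exist).  The mode string from ls -ld
# shows 's' or 'S' in the owner (column 4) or group (column 7) exec slot.
has_suid_sgid() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???[sS]*|??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reports each path; missing binaries are skipped, as the alert notes not
# all of them exist on every system.  Exit status is the number of binaries
# that still carry setuid/setgid (0 means the workaround is fully in place).
audit_x_servers() {
    flagged=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "$f: not installed, skipped"
            continue
        fi
        if has_suid_sgid "$f"; then
            echo "$f: setuid/setgid set"
            flagged=$((flagged + 1))
        else
            echo "$f: ok (no setuid/setgid)"
        fi
    done
    return $flagged
}

# Applies the alert's workaround (chmod 0755) to each path that exists.
# Must be run as root on a real system.
apply_workaround() {
    for f in "$@"; do
        [ -e "$f" ] && chmod 0755 "$f"
    done
    return 0
}

# When run directly: audit the paths on the command line, or the two paths
# the alert names if none are given.
if [ $# -eq 0 ]; then set -- /usr/openwin/bin/Xsun /usr/openwin/bin/Xprt; fi
audit_x_servers "$@"
```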
This issue is addressed in the following releases:
SPARC Platform
For more information on Security Sun Alerts, see Sun 1009886.1.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
06-Feb-2008: Update Contributing Factors and Resolution sections - STATE: RESOLVED
18-Jan-2007: Update Contributing Factors, Relief/Workaround, and Resolution sections.