Note: This is an archival copy of Security Sun Alert 234661 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019091.1.
Article ID : 1019091.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-12-05
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Solaris 10 Java Desktop System (JDS) XscreenSaver(1) Application May Allow Unauthorized Access to Data



Category
Security

Release Phase
Resolved

Bug Id
6610282

Product
Solaris 10 Operating System

Date of Resolved Release
12-Mar-2008

A security vulnerability exists in the XscreenSaver(1) application (see below for details):

1. Impact

A security vulnerability exists in the XscreenSaver(1) application in the
Solaris 10 Java Desktop System (JDS) when the GNOME On-Screen Keyboard (GOK)
is being used. This may allow users to bypass authentication to the XscreenSaver
process and gain unauthorized access to data.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
  • Solaris 10 without patch 120094-16
x86 Platform
  • Solaris 10 without patch 120095-16
Note: Solaris 8 and Solaris 9 are not affected by this issue.

3. Symptoms

Should the described issue occur, the xscreensaver process may crash. If the
affected system has been configured to save core(4) files, the following stack
trace may be seen:

libc.so.1`kill+8(b, 0, 0, 0, 72400, 0)
libc.so.1`__sighndlr+0xc(b, 0, ffbfeba8, 1b448, 0, 0)
libc.so.1`call_user_handler+0x3b8(b, 0, 10, 0, ff3a2000, ffbfeba8)
libgconf-2.so.4.1.0`set_engine+4(0, 8f680, 0, fed59c00, fed59800, fed59800)
libgconf-2.so.4.1.0`gconf_client_get_default+0x124(0, ff33a9f0, 0, 1ee00, 10b4, fee45118)
main_loop+4(ffbff150, 10, 5a0, 63400, 44400, ffbff154)
main+0x430(1, 42c00, 1, 2, 1, 0)
_start+0x108(0, 0, 0, 0, 0, 0)

4. Workaround

There is no workaround for this issue. Please see the Resolution section below.

5. Resolution

This issue is addressed in the following releases:
SPARC Platform
  • Solaris 10 with patch 120094-16 or later
x86 Platform
  • Solaris 10 with patch 120095-16 or later
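
To check a host against the patch levels listed above, the following added example (not part of the Sun Alert) parses `showrev -p` output for the patch that matches the host's `uname -p` platform. It assumes a POSIX shell (on Solaris 10, for example /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): report whether a Solaris 10 host has
# the patch revision the alert names. Reads `showrev -p` output on stdin.

MIN_REV=16   # minimum fixed revision, from the alert

# Map `uname -p` output to the patch base ID given in the alert.
required_patch() {
    case "$1" in
        sparc) echo 120094 ;;
        i386)  echo 120095 ;;
        *)     return 1 ;;
    esac
}

# Print the highest installed revision of patch base ID $1 (0 if absent).
highest_rev() {
    max=0
    while read -r tag id _rest; do
        [ "$tag" = "Patch:" ] || continue
        case "$id" in "$1"-*) rev=${id#*-} ;; *) continue ;; esac
        case "$rev" in ''|*[!0-9]*) continue ;; esac   # skip malformed revisions
        [ "$rev" -gt "$max" ] && max=$rev
    done
    echo "$max"
}

# Return 0 = fixed, 1 = affected per the alert, 2 = platform not covered.
check_alert_234661() {
    base=$(required_patch "$1") || { echo "platform not covered: $1"; return 2; }
    rev=$(highest_rev "$base")
    if [ "$rev" -ge "$MIN_REV" ]; then
        echo "fixed: $base-$rev installed"; return 0
    fi
    if [ "$rev" -eq 0 ]; then rev=none; else rev="$base-$rev"; fi
    echo "affected: need $base-$MIN_REV or later (found: $rev)"
    return 1
}

# Constructed sample input in `showrev -p` layout; on a real host run:
#   showrev -p | check_alert_234661 "$(uname -p)"
check_alert_234661 sparc <<'EOF' || true
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 120094-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
EOF
```

The check looks only for the two patch IDs named in this alert, so a host is reported as affected unless one of them is present at revision 16 or later.
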
For more information on Security Sun Alerts, see

References

120094-16
120095-16

References

SUNPATCH:120094-16
SUNPATCH:120095-16


