Note: This is an archival copy of Security Sun Alert 239006 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019380.1.
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
Multiple Security Vulnerabilities in the FreeType2 library for Printer Font Binary (PFB) or TrueType Font (TTF) format font files may lead to a Denial of Service (DoS) or allow Execution of Arbitrary Code
Multiple security vulnerabilities exist in the FreeType 2 library in Solaris when parsing Printer Font Binary (PFB) or TrueType Font (TTF) format font files. These vulnerabilities may allow a local unprivileged user to either cause an application using FreeType 2 as a font service to crash or to execute arbitrary commands with the privileges of the application. The ability to crash an application is a type of Denial of Service (DoS).
These issues are described in the following documents:
CVE-2008-1806 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1806
CVE-2008-1807 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1807
CVE-2008-1808 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1808
2. Contributing Factors
These issues can occur in the following releases:
1. Only OpenSolaris installations including the affected binary "/usr/lib/libfreetype.so.6" are impacted by this issue.
2. OpenSolaris distributions may include additional bug fixes above and beyond the base build from which it was derived. The base build can be derived as follows:
$ uname -a
3. Applications are impacted only if they link to the FreeType 2 library (libfreetype). A partial test to check if an application links with a library such as libfreetype is to use ldd(1):
$ ldd /usr/bin/fc-cache | grep libfreetype
4. A comprehensive test to check if an application links with a library such as libfreetype requires the use of pldd(1) against the running application since ldd(1) does not list any shared objects explicitly attached using dlopen(3C). For example:
$ pldd `pgrep fc-cache` | grep libfreetype
There are no predictable symptoms that would indicate that these issues have been exploited to execute arbitrary code.
The Xorg(1) X server is a privileged application available in OpenSolaris, Solaris 10, and Solaris 9 (x86 systems only) which links to the libfreetype library. In order to prevent these issues from being exploited against the Xorg(1) X server to execute arbitrary commands with the privileges of the Xorg(1) X server, the setuid(2) bit on x86 systems and the setgid(2) bit on SPARC systems can be removed. For example:
# chmod 0755 /usr/X11/bin/Xorg
On x86 systems running Solaris 10 Update 4 or later:
# chmod 0755 /usr/X11/bin/i386/Xorg /usr/X11/bin/amd64/Xorg
Similar chmod(1) commands can be applied on any setuid(2) or setgid(2) application that links to the FreeType library (libfreetype).
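To find which setuid(2) or setgid(2) applications the chmod(1) workaround above would apply to, the ldd(1) test can be run over every such file in a directory. The script below is an added example, not part of the Sun Alert; the function names links_lib and audit_dir are hypothetical, and it assumes a POSIX shell.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): list setuid/setgid files under a
# directory that ldd(1) reports as linked against a library, so they can be
# reviewed for the chmod(1) workaround. Function names are hypothetical.
# Assumes a POSIX shell (on Solaris, e.g. /usr/xpg4/bin/sh or ksh).
#
# Limitation: this is the "partial" ldd(1) test. A library attached with
# dlopen(3C) only shows up in pldd(1) output for the running process.

# links_lib FILE LIB: succeed if ldd(1) output for FILE mentions LIB.
links_lib() {
    ldd "$1" 2>/dev/null | grep "$2" >/dev/null
}

# audit_dir DIR [LIB]: print "<suid|sgid|suid+sgid> <path>" for each match.
audit_dir() {
    dir=$1
    lib=${2:-libfreetype}
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Skip privileged files that do not link the library.
        if links_lib "$f" "$lib"; then
            kind=
            if [ -u "$f" ]; then kind=suid; fi
            if [ -g "$f" ]; then kind=${kind:+$kind+}sgid; fi
            printf '%s %s\n' "$kind" "$f"
        fi
    done
}

# When run with directory arguments, audit each one, e.g.:
#   sh audit.sh /usr/bin /usr/X11/bin
for arg in "$@"; do
    audit_dir "$arg"
done
```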
Note 1: Removing the setuid(2) bit or the setgid(2) bit from the Xorg binary will disable the following:
Note 2: There is no workaround to prevent these issues from being exploited to cause a Denial of Service to the X Server.
Note 3: Local users on the console of a system using an X display manager and Sun Ray users may still be able to exploit these vulnerabilities to execute arbitrary commands with elevated privileges even if the setuid(2) and setgid(2) permissions have been removed from the Xorg(1) binary.
These issues are addressed in the following releases:
For more information on Security Sun Alerts, see 1009886.1.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
notification may only be used for the purposes contemplated by these
12-Aug-2008: Updated Contributing Factors and Resolution sections; now Resolved