Note: This is an archival copy of Security Sun Alert 274030 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021706.1.
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
Multiple Security Vulnerabilities in the Solaris GNOME PDF Rendering Libraries May Lead to a Denial of Service (DoS) or Execution of Arbitrary Code
Multiple integer overflow and improper memory allocation vulnerabilities have been identified in the Solaris GNOME PDF rendering libraries. These vulnerabilities may allow a local or remote unprivileged user to cause the Solaris GNOME PDF viewers (evince(1) for OpenSolaris and gpdf(1) for Solaris 10) which are linked to these libraries to crash, resulting in a Denial of Service (DoS) or arbitrary code execution with the privileges of the user running the application.
These issues are also referenced in the following documents:
CVE-2009-3603 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3603
CVE-2009-3604 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3604
CVE-2009-3605 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3605
CVE-2009-3606 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3606
CVE-2009-3607 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3607
CVE-2009-3608 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3608
CVE-2009-3609 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3609
2. Contributing Factors
These issues can occur in the following releases:
1. Solaris 8 and 9 do not ship GNOME PDF Viewer and therefore are not affected by these issues.
2. Solaris 10 is only affected by CVE-2009-3605, CVE-2009-3606 and CVE-2009-3609 vulnerabilities.
OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. To determine the base build of OpenSolaris, the following command can be used:
$ uname -v3. Symptoms
If the described issues have been exploited to cause a Denial of Service (DoS), the application which makes use of the GNOME PDF rendering libraries will crash, potentially leaving a core file depending on the system configuration. There are no predictable symptoms that would indicate these issues have been exploited to execute arbitrary code.
Until the resolution patches are available, it may be possible to work around the described issues by not opening untrusted PDF files with the GNOME PDF Viewer.
These issues are addressed in the following releases:
18-Feb-2010: Updated for pending patches
25-Feb-2010: Updated Contributing Factors and Resolution sections for patch release; now Resolved
This solution has no attachment