Note: This is an archival copy of Security Sun Alert 200156 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000113.1.
Article ID : 1000113.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-04-10
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Buffer Overflow in XView



Category
Security

Release Phase
Resolved

Product
Solaris 2.5
Solaris 2.4
Solaris 2.5.1
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4458476

Date of Workaround Release
27-JUN-2001

Date of Resolved Release
11-APR-2003

Impact

Local users may be able to gain unauthorized root access, due to a buffer overflow in the XView library.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.4
  • Solaris 2.5
  • Solaris 2.5.1
  • Solaris 2.6 without patch 106331-05
  • Solaris 7 without patch 107374-02
  • Solaris 8 without patch 111626-01

x86 Platform

  • Solaris 2.4
  • Solaris 2.5
  • Solaris 2.5.1
  • Solaris 6 without patch 106353-05
  • Solaris 7 without patch 107375-02
  • Solaris 8 without patch 111627-01

Notes:

Only systems with XView applications that have the "set user ID bit" (suid) or the "set group ID bit" (sgid) set are at risk.

To check if an application has the "set user ID bit" or the "set group ID bit" set, use the "ls -l" command. In the output, an "s" in the user or group permissions indicates a "set user ID bit" or "set group ID bit" respectively:

	% ls -l testapp
	-r-sr-sr-x   5 root

To check if an application is an XView application, use the "ldd" command. In the output, a line listing "libxview.so" indicates that the application uses the XView library and is an XView application.

The "find" and "xargs" commands can also be used to look for XView applications that have the set user ID or set group ID bit set. For example, to check the /usr/openwin directory for such applications, use the command:

	% find /usr/openwin/ \( -perm -4000 -o -perm -2000  \) -print | xargs ldd

In the output, a line listing "libxview.so" indicates that the application uses the XView library and is an XView application.

The issue described in this document can only be exploited by users who already have an account on the affected system.


Symptoms

There are no symptoms that would show that the described issue has already been exploited to gain unauthorized root access to a system.


Workaround

As a possible workaround, the set user ID or set group ID bit of all affected XView applications can be removed using the "chmod" command. Removing the set user ID or set group ID bit of an application might keep it from functioning as expected.

The following application that is supplied with Solaris is potentially affected by the described issue:

	/usr/openwin/bin/mailtool
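
The check from the Notes section and the chmod workaround can be combined into one audit script. This is an added example, not part of the original Sun Alert; the function names list_suid_linked and suggest_workaround and the LDD override variable are hypothetical, and a POSIX shell with POSIX find and grep is assumed.

```shell
#!/bin/sh
# Added example (not part of the Sun Alert): audit a directory tree for
# set-uid / set-gid programs that link against the XView library.

# Assumption: LDD may be overridden to point at another ldd-compatible
# command; it defaults to the system "ldd".
LDD=${LDD:-ldd}

# list_suid_linked DIR [LIBNAME]
# Prints the path of every regular file under DIR that has the set-uid or
# set-gid bit and whose ldd output mentions LIBNAME (default libxview.so).
list_suid_linked() {
    dir=$1
    lib=${2:-libxview.so}
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # ldd reports an error for scripts and static binaries; skip them.
        if "$LDD" "$f" 2>/dev/null | grep -F "$lib" >/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

# suggest_workaround
# Reads paths on stdin and prints, without running it, the chmod command
# that clears both bits, so the list can be reviewed first.
suggest_workaround() {
    while IFS= read -r f; do
        printf 'chmod u-s,g-s %s\n' "$f"
    done
}

# Usage: sh audit.sh /usr/openwin
if [ "$#" -gt 0 ]; then
    list_suid_linked "$1" | suggest_workaround
fi
```

The script only prints the chmod commands; review the list before running any of them, since removing the bits might keep an application from functioning as expected.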

Resolution

SPARC Platform

  • Solaris 6 with patch 106331-05 or later
  • Solaris 7 with patch 107374-02 or later
  • Solaris 8 with patch 111626-01 or later

x86 Platform

  • Solaris 6 with patch 106353-05 or later
  • Solaris 7 with patch 107375-02 or later
  • Solaris 8 with patch 111627-01 or later

Note: Solaris 2.4, 2.5, and 2.5.1 will require an upgrade to a later release.



Modification History
Date: 17-OCT-2001
  • Updated Contributing Factors and Resolution patch list

Date: 11-APR-2003
  • State Resolved
  • Updated Contributing Factors and Resolution sections



References

107374-02
111626-01
107375-02
111627-01
106353-05
106331-05
