Note: This is an archival copy of Security Sun Alert 200256 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000201.1.
Article ID : 1000201.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2004-12-14
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the kcms_configure(1) Command May Allow Local Users the Ability to Modify Any File on the System

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
5040882

Date of Resolved Release
18-FEB-2005

Impact

A security vulnerability in the kcms_configure(1) command may allow local unprivileged users the ability to modify any file on the system. This can result in a Denial of Service (DoS) or possibly elevated privileges.

Note: kcms_configure is part of the Kodak Color Management System (KCMS) which configures an X11 window system for use with the KCMS library.

This issue is described in CAN-2004-0481 (see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0481)

Sun acknowledges with thanks, iDEFENSE (http://www.idefense.com), for bringing this issue to our attention.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 7 without patch 107337-04
  • Solaris 8 without patch 111400-03
  • Solaris 9 without patch 114636-03

x86 Platform

  • Solaris 7 without patch 107339-04
  • Solaris 8 without patch 111401-03
  • Solaris 9 without patch 114637-03

Note: Solaris 10 is not affected by this issue.


Symptoms

There are no reliable symptoms that would indicate the described issue has been exploited.


Workaround

If KCMS is not being used, the setuid(2) permissions on the kcms_configure(1) binary could be removed by running the following command as the root (uid 0) user: 

    # chmod u-s /usr/openwin/bin/kcms_configure

The KCMS packages below could also be removed by using the pkgrm(1M) command as root user:

Core KCMS packages: 

    application SUNWkcslx   KCMS Runtime Library (64-bit)
application SUNWkcspf   KCMS Optional Profiles
application SUNWkcspg   KCMS Programmers Environment
application SUNWkcspx   KCMS Programmers Environment (64-bit)
system      SUNWkcsrl   KCMS Runtime Library Support
system      SUNWkcsrr   KCMS Runtime Profiles
application SUNWkcsrt   KCMS Runtime Environment
application SUNWkcsrx   KCMS Runtime Environment (64-bit)

Translated KCMS packages: 

    ALE         SUNWckcsr   Simplified Chinese (EUC) KCMS Runtime Environment
application SUNWdkcsr   German KCMS Runtime Environment
application SUNWekcsr   Spanish KCMS Runtime Environment
application SUNWfkcsr   French KCMS Runtime Environment
ALE         SUNWhkcsr   Traditional Chinese (EUC) KCMS Runtime Environment
application SUNWikcsr   Italian KCMS Runtime Environment
application SUNWjkcsr   Japanese KCMS Runtime Environment
ALE         SUNWkkcsr   Korean (EUC) KCMS Runtime Environment
application SUNWskcsr   Swedish KCMS Runtime Environment

For example: 

    # pkgrm SUNWkcslx SUNWkcspf SUNWkcspg SUNWkcspx SUNWkcsrl SUNWkcsrr \
SUNWkcsrt SUNWkcsrx SUNWckcsr SUNWdkcsr SUNWekcsr SUNWfkcsr SUNWhkcsr \
SUNWikcsr SUNWjkcsr SUNWkkcsr SUNWskcsr

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 7 with patch 107337-04 or later
  • Solaris 8 with patch 111400-03 or later
  • Solaris 9 with patch 114636-03 or later

x86 Platform

  • Solaris 7 with patch 107339-04 or later
  • Solaris 8 with patch 111401-03 or later
  • Solaris 9 with patch 114637-03 or later


Modification History

References
 114636-03

 114637-03

 107339-04

 111401-03

 107337-04

 111400-03



                                                                                                   


Attachments
This solution has no attachment