Note: This is an archival copy of Security Sun Alert 200299 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000224.1.
Article ID : 1000224.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2005-07-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability In the Multilanguage Environment Library "libmle" Shipped with the Japanese Locale

Category
Security

Release Phase
Resolved

Product
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4468138

Date of Resolved Release
25-JUL-2005

Impact

A security vulnerability in the multilanguage environment library, "libmle" (shipped with the Japanese locale) may allow a local unprivileged user to be able to execute arbitrary code or commands with elevated privileges. The code or commands executed by the user would run with the privileges of the application dynamically linked to the libmle library.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 7 without patch 111646-01
  • Solaris 8 without patch 111647-01

Notes:

  1. Solaris 9 and Solaris 10 are not affected by this issue.
  2. Solaris on the x86 platform is not affected by this issue.
  3. Systems without the SUNWjbcp package are not affected by this issue. The SUNWjbcp package includes libraries and input method systems to run Japanese SunOS 4.x binaries on Solaris 2.x. The Solaris installer installs the SUNWjbcp package if the user instructs the installer to install one or more Japanese locales.
  4. Running any BCP applications that are linked with the Japanese BCPlibmle library and which have the "set user ID bit" (suid) or the "setgroup ID bit" (sgid), or which run as root and accept input from non-privileged users, may allow this vulnerability to be exploited. This includes the "kkcv" and "ccv" daemon processes, meaning that systems with one or both of these processes running are at risk. The Japanese BCP libmle library and the "kkcv" and "ccv" daemons are included in the SUNWjbcp package.  

To check if the SUNWjbcp package is installed, the following command can be run:

    $ pkginfo SUNWjbcp
    system      SUNWjbcp Japanese (EUC) SunOS 4.x Binary Compatibility

To check if "/usr/4lib/libmle.so" is a link to the Japanese BCP libmle library, the "file -h" command can be run as in the following example:

    $ file -h /usr/4lib/libmle.so*
    /usr/4lib/libmle.so.1.4:    symbolic link to locale/ja/libmle.so.1.4

To check if an application is linked with the BCP libmle library, the ldd(1) command can be used. In the output, a line listing "/usr/4lib/libmle.so" indicates that the application uses the BCP libmle library and is a BCP application.

To check if the kkcv or ccv processes are running, both of which can be vulnerable to this issue, the following command can be run:

    $ ps -fe | egrep 'kkcv|ccv'

Symptoms

There are no symptoms that would indicate the described issue has been exploited to gain unauthorized root access to a system.


Workaround

If programs that are compiled on Japanese SunOS 4.x will not be used on the system, the SUNWjbcp package can be removed with the following command:

    # pkgrm SUNWjbcp

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 7 with patch 111646-01 or later
  • Solaris 8 with patch 111647-01 or later


References

111646-01
111647-01




Attachments
This solution has no attachment