Note: This is an archival copy of Security Sun Alert 200428 as previously published on http://sunsolve.sun.com. Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000310.1. |
Category Security Release Phase Resolved Solaris 9 Operating System Solaris 10 Operating System Sun Java Desktop System Release 2 Sun Java Desktop System 2003 Bug Id 6257383, 6345703 Date of Resolved Release 23-NOV-2005 Impact A security vulnerability in the libexif JPEG image processing library may allow a remote unprivileged user who provides a carefully crafted JPEG image the ability to execute arbitrary code with the privileges of a local user who opens that image. Furthermore, a remote user may be able to create a Denial of Service (DOS) attack by using a carefully crafted JPEG image. This issue may occur with applications linked against the libexif library, including (but not limited to), the Eye of Gnome (eog) application, which is distributed as part of the Java Desktop System. Note: Most digital cameras produce EXIF files, which are Joint Photographic Experts Group (JPEG) files with extra tags that contain information about the image. The EXIF library allows you to parse an EXIF file and read the data from those tags. This issue is described in the following documents:
Contributing Factors This issue can occur in the following releases: SPARC Platform
x86 Platform
Linux
Note: Solaris 8 and Solaris 9 are not affected by this issue. The described issue only occurs on JDS for Linux with libexif versions libexif-0.5.3-91 or earlier. To determine if libexif is installed on a Solaris system, the following command can be used: % pkginfo SUNWlibexif GNOME2 SUNWlibexif libexif To determine the release of JDS for Linux installed on a system, the following command can be used: % cat /etc/sun-release Sun Java Desktop System, Release 2 -build 10b (GA) Assembled 30 March 2004 To determine the version of libexif installed on a JDS for Linux system, the following command can be run: % rpm -qf /usr/lib/libexif.so.5 libexif-0.5.3-91
Symptoms There are no predictable symptoms that would indicate the described issue has been exploited. Workaround To avoid the described issue, do not load JPEG images from untrusted sources. Resolution This issue is addressed in the following releases: SPARC Platform
x86 Platform
Linux
To download and install the updated RPMs from the update servers, select the following sequence from the "launch" menu: Launch >> Applications >> System Tools >> Online Update For more information on obtaining updates see:
Note: Sun Java Desktop System (JDS) release 2003 is no longer supported and will require an upgrade to a later release with the associated patches installed to address this issues. References121093-01121095-01 121096-01 Attachments This solution has no attachment |
|