Note: This is an archival copy of Security Sun Alert 201542 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001150.1.
Article ID : 1001150.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-07-24
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in libX11 for Solaris



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6542279

Date of Workaround Release
24-APR-2007

Date of Resolved Release
25-JUL-2007

Impact

A buffer overflow vulnerability in libX11 may allow a local unprivileged user to execute arbitrary code or commands with elevated privileges. The code or commands would run with the privileges of the application that is dynamically linked to the libX11 library. A number of programs shipped in Solaris and by third parties dynamically link with the libX11 library and run with elevated privileges. Applications that call XInitImage() with user-controllable parameters may be vulnerable; examples are xwud(1) and ImageMagick when loading X Window Dump (xwd) files with incorrect parameters.

This issue is described in the following documents:

CVE-2007-1667 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1667

http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 119067-08
  • Solaris 9 without patch 112785-62
  • Solaris 10 without patch 119059-26

x86 Platform

  • Solaris 8 without patch 119068-08
  • Solaris 9 without patch 112786-51
  • Solaris 10 without patch 119060-25

Notes:

1) To determine if an application is linked against the libX11 library, the ldd(1) utility can be used as in the following example:

    $ ldd /path/to/application | grep libX11 || echo "application not affected"

If output similar to the following is seen:

    libX11.so.4 =>   /usr/openwin/lib/libX11.so.4

then the application links to libX11 and may be affected by this issue.

2) To determine if an application uses the XInitImage(3X11) function, the nm(1) command can be used, provided the application binary has not been stripped using strip(1). The file(1) command will report if a binary has been stripped. For example:

    $ file /usr/openwin/bin/xwud
    /usr/openwin/bin/xwud:  ELF 32-bit LSB executable 80386 Version 1 [FPU],
    dynamically linked, not stripped, no debugging information available
    $ nm /usr/openwin/bin/xwud | grep XInitImage
    [61]    | 134550036|         0|FUNC |GLOB |0    |UNDEF  |XInitImage

Alternatively, the truss(1) utility can be used to determine if an application calls the XInitImage() function. For example:

    $ truss -f -t\!all -ulibX11:XInitImage: xwud -in file.xwd
    28243/1@1:      -> libX11:XInitImage(0x8047888)
    28243/1@1:      <- libX11:XInitImage() = 1

Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited to execute arbitrary commands with elevated privileges on a system.


Workaround

To avoid this issue, do not load X Window Dump (xwd) files from untrusted sources.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 119067-08 or later
  • Solaris 9 with patch 112785-62 or later
  • Solaris 10 with patch 119059-26 or later

x86 Platform

  • Solaris 8 with patch 119068-08 or later
  • Solaris 9 with patch 112786-51 or later
  • Solaris 10 with patch 119060-25 or later
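
The checks from Notes 1 and 2 and the patch levels in the Resolution table can be combined into one script. This is an added example, not part of the original Sun Alert: the function names are hypothetical, and using `showrev -p` (with the line shape shown in the comment) and `uname -r` / `uname -p` to list patches and identify the release is an assumption the advisory does not state.

```sh
# Added example, not Sun's tooling. Needs a POSIX shell (ksh or bash rather
# than the legacy Solaris /bin/sh). Each check reads command output on stdin.
# Note 1: true when `ldd` output shows a dependency on libX11.
links_libx11() { grep 'libX11\.so' >/dev/null; }

# Note 2: true when `nm` output names XInitImage as a whole symbol.
references_xinitimage() { grep '[| ]XInitImage *$' >/dev/null; }

# Fixed patch from the Resolution table, keyed by `uname -r` and `uname -p`.
required_patch() {
    case "$1/$2" in
        5.8/sparc)  echo 119067-08 ;;
        5.9/sparc)  echo 112785-62 ;;
        5.10/sparc) echo 119059-26 ;;
        5.8/i386)   echo 119068-08 ;;
        5.9/i386)   echo 112786-51 ;;
        5.10/i386)  echo 119060-25 ;;
        *) return 1 ;;
    esac
}

# True when the `showrev -p` listing on stdin holds patch $1 (BASE-REV) at
# that revision or later. Assumed line shape (constructed sample):
#   Patch: 119059-26 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwplt
patch_at_least() {
    need_base=${1%-*}; need_rev=${1#*-}
    while read -r tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        [ "${id%-*}" = "$need_base" ] || continue
        [ "${id#*-}" -ge "$need_rev" ] && return 0
    done
    return 1
}

# Live check of one binary: patch state first, then exposure per Notes 1 and 2.
audit() {
    need=$(required_patch "$(uname -r)" "$(uname -p)") || { echo "release not in advisory"; return 2; }
    if showrev -p | patch_at_least "$need"; then
        echo "patch $need or later installed"; return 0
    fi
    if ! ldd "$1" | links_libx11; then echo "$1: application not affected"; return 0; fi
    if nm "$1" | references_xinitimage; then
        echo "$1: links libX11 and references XInitImage; $need missing"
    else
        echo "$1: links libX11; XInitImage not shown by nm; $need missing"
    fi
    return 1
}

if [ $# -gt 0 ]; then audit "$1"; fi
```

Run it with the binary's path as the only argument, for example `/usr/openwin/bin/xwud`; an exit status of 1 means the binary links libX11 on a system that lacks the fixed patch.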


Modification History
Date: 11-JUL-2007
  • Updated Contributing Factors and Resolution sections

Date: 25-JUL-2007
  • Updated Contributing Factors and Resolution sections
  • State: Resolved


References

119059-26
119060-25
112785-62
112786-51
119067-08
119068-08
