Note: This is an archival copy of Security Sun Alert 201649 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001228.1.
Article ID : 1001228.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2005-04-14
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Multiple Security Vulnerabilities in Xsun and Xprt Server Font Handling



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4995611, 4989547

Date of Resolved Release
18-APR-2005

Impact

Xsun(1), the Solaris server for X Version 11, and Xprt(1), the Solaris print server for X Version 11, contain multiple buffer overflows in the handling of the "font.alias" file which may allow a local unprivileged user to execute arbitrary code with the privileges of the Xsun or Xprt server. The Xsun server runs with "gid root" privileges on Solaris SPARC systems and "uid root" privileges on Solaris x86 systems. The Xprt server runs with "gid root" privileges on both SPARC and x86 systems.

This issue is described in the following documents:

CVE CAN-2004-0083 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083

CVE CAN-2004-0084 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 7 without patch 108376-45
  • Solaris 8 without patch 108652-80
  • Solaris 9 without patch 112785-34

x86 Platform

  • Solaris 7 without patch 108377-40
  • Solaris 8 without patch 108653-69
  • Solaris 9 without patch 112786-36

Note: Solaris 10 is not affected by this issue.


Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.


Workaround

To work around the described issue, do the following:

  1. Remove the setuid(2) and/or setgid(2) bit from Xsun and Xprt
  2. Configure dtlogin(1X) not to run Xsun as "root"

1. To remove the setuid(2) and/or setgid(2) bit from Xsun and Xprt, the following command can be run as "root":

    # chmod 0755 /usr/openwin/bin/Xsun /usr/openwin/bin/Xprt

2. To configure dtlogin not to run Xsun as "root", copy "/usr/dt/config/Xservers" to "/etc/dt/config/Xservers" and change the following line from:

    :0   Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner

to

    :0   Local local_uid@console nobody /usr/openwin/bin/Xsun :0 -nobanner

WARNING: Performing the above procedure will disable:

  • all ability to run Xsun on Solaris x86
  • power management and Interactive Process Priority control on Solaris SPARC
  • Sun Ray support
  • Xsun and Xprt ability to open Unix domain sockets and named pipe transports in the protected /tmp/.X11-* directories
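
The following script is an added example, not part of the original Sun Alert: it checks whether both workaround steps above are in place, using the paths named in this advisory. The optional ROOT prefix argument and the function names are assumptions introduced for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): verify both workaround steps.
# ROOT prefix (hypothetical parameter) lets the check run against a copy of the tree.

# True if FILE still carries a setuid or setgid bit (workaround step 1).
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# The Xservers file to inspect: the /etc/dt copy that step 2 creates,
# otherwise the /usr/dt default it is copied from.
effective_xservers() {
    if [ -f "$1/etc/dt/config/Xservers" ]; then
        echo "$1/etc/dt/config/Xservers"
    else
        echo "$1/usr/dt/config/Xservers"
    fi
}

# Print non-comment entries that start Xsun as root (4th field is the user).
# Exit status 0 means at least one such entry exists.
xsun_root_entries() {
    awk '$0 !~ /^[ \t]*#/ && $4 == "root" && $5 ~ /\/Xsun$/ { print; n++ }
         END { exit (n ? 0 : 1) }' "$1"
}

# Returns 0 only when neither binary is setuid/setgid and no entry runs Xsun as root.
audit_workaround() {
    rc=0
    for bin in "$1/usr/openwin/bin/Xsun" "$1/usr/openwin/bin/Xprt"; do
        if has_setid "$bin"; then
            echo "FAIL: $bin still has a setuid/setgid bit"
            rc=1
        fi
    done
    cfg=$(effective_xservers "$1")
    if [ -f "$cfg" ] && xsun_root_entries "$cfg"; then
        echo "FAIL: $cfg starts Xsun as root"
        rc=1
    fi
    return $rc
}

# Run against the live system with: sh <this script> --audit
if [ "${1:-}" = "--audit" ]; then
    audit_workaround "${2:-}"
    exit $?
fi
```

A zero exit status from the --audit run means the workaround is fully applied; each FAIL line names the step that is still outstanding.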

Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 7 with patch 108376-45 or later
  • Solaris 8 with patch 108652-80 or later
  • Solaris 9 with patch 112785-34 or later

x86 Platform

  • Solaris 7 with patch 108377-40 or later
  • Solaris 8 with patch 108653-69 or later
  • Solaris 9 with patch 112786-36 or later

