Multiple Integer Overflow Vulnerabilities in the X Font Server (xfs(1)) and the X Render and DBE Extensions

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
4915967, 6502073, 6504408

Date of Workaround Release
13-FEB-2007

Date of Resolved Release
31-MAY-2007

Impact

Multiple security vulnerabilities in the X Font Server (xfs(1)) and the X Render and DBE extensions, which are part of the X11 servers Xsun(1) and Xorg(1), may allow a local or remote unprivileged user to elevate their privileges to root and execute arbitrary code resulting in memory corruption or a Denial of Service (DoS) condition.

These issues are described in the following documents:

CVE-2003-0730 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0730

CVE-2006-6101 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6101

CVE-2006-6102 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6102

CVE-2006-6103 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6103

iDefense Multiple Vendor X Server Render Extension ProcRenderAddGlyphs Memory Corruption Vulnerability at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=463

iDefense Multiple Vendor X Server DBE Extension ProcDbeGetVisualInfo Memory Corruption Vulnerability at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=464

iDefense Multiple Vendor X Server DBE Extension ProcDbeSwapBuffers Memory Corruption Vulnerability at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=465

Contributing Factors

These issues can occur in the following releases:

SPARC Platform

Solaris 8 without patch 119067-06 and 109862-04
Solaris 9 without patch 112785-60 and 113923-03
Solaris 10 without patch 119059-21

x86 Platform

Solaris 8 without patch 119068-06 and 109863-04
Solaris 9 without patch 112786-49 and 113924-03
Solaris 9 without patch 118908-03 (for Xorg(1))
Solaris 10 without patch 119060-20 and 118966-25
Solaris 10 without patch 125720-03 (for Xorg(1))

Note: The Xorg(1) X11 server is only affected by BugID 6504408. The Xsun(1) X11 server is affected by BugsIDs 4915967 and 6502073.

Symptoms

There are no predictable symptoms that would indicate the described issues have been exploited.

Workaround

BugID 6504408:

This workaround is applicable on the x86 platform running Xorg(1) server:

In the "xorg.conf" file, located in "/etc/X11", remove the following lines from the "Module" section:

    Load "render"
    Load "dbe"

Note: This will prevent the Render and the DBE extension from loading, which may affect the appearance or operation of some applications.

BugID 4915967:

BugID 4915967 is fixed in the Solaris 9 patch revisions 112785-59 and 112786-48, and in the Solaris 10 patch revisions 119059-16 and 119060-15.

Resolution

This issue is addressed in the following releases:

SPARC Platform

Solaris 8 with patch 119067-06 or later and 109862-04 or later
Solaris 9 with patch 112785-60 or later and 113923-03 or later
Solaris 10 with patch 119059-21 or later

x86 Platform

Solaris 8 with patch 119068-06 or later and 109863-04 or later
Solaris 9 with patch 112786-49 or later and 113924-03 or later
Solaris 9 with patch 118908-03 or later (for Xorg(1))
Solaris 10 with patch 119060-20 or later and 118966-25 or later
Solaris 10 with patch 125720-03 or later (for Xorg(1))

Modification History
Date: 26-FEB-2007

Updated Contributing Factors and Resolution sections

Date: 08-MAR-2007

Updated Contributing Factors and Resolution sections

Date: 29-MAY-2007

Updated Contributing Factors and Resolution sections

Date: 31-MAY-2007

State: Resolved
Updated Contributing Factors and Resolution sections

References

119067-06
109862-04
119068-06
109863-04
119059-21
119060-20
112785-60
113923-03
112786-49
113924-03
118966-25
125720-03
118908-03

Attachments

This solution has no attachment