Note: This is an archival copy of Security Sun Alert 201752 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001292.1.
Article ID : 1001292.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-03-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Two Integer Overflow Vulnerabilities Found in the Xorg(1) X Server

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System

Bug Id
6464170, 6464172

Date of Workaround Release
23-JAN-2007

Date of Resolved Release
08-MAR-2007

Impact

Two integer overflows, one in the CIDAFM() function and one in the scan_cidfont() function, have been found in the Xorg X server (see Xorg(1)) which may allow a local unprivileged user the ability to execute arbitrary code with the privileges of the Xorg server. The Xorg X server runs with root privileges on Solaris.

These issues are described in the following documents:

CVE-2006-3739 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3739

CVE-2006-3740 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3740

iDefense Multiple Vendor X Server CID-keyed Fonts 'CIDAFM()' Integer Overflow Vulnerability at: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=412

Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont()' Integer Overflow Vulnerability at: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=411


Contributing Factors

These issues can occur in the following releases:

x86 Platform

  • Solaris 9 without patch 124833-01
  • Solaris 10 without patch 119062-02

Notes:

  1. Solaris 8 on the x86 platform is not affected by this issue.
  2. Solaris on the SPARC platform is not affected by this issue.
  3. Solaris 9 on the x86 platform does not ship with the Xorg X server by default but is present if the unbundled Sun Java Desktop System (JDS) Release 2 was downloaded and installed.

To determine if JDS Release 2 is installed on a Solaris 9 x86 system, the following command can be run:

    $ grep distributor-version /usr/share/gnome-about/gnome-version.xml
    <distributor-version>Sun Java Desktop System, Release 2</distributor-version>

4. The described issues only occur on systems with the SUNWxorg packages installed. To determine if the SUNWxorg packages are installed on the system, the following command can be used:

    $ pkginfo SUNWxorg-server
    system SUNWxorg-server X.Org Foundation Xserver

    


Symptoms

There are no predictable symptoms that would indicate the described issues have been exploited to execute arbitrary commands with root privileges.


Workaround

To work around the described issues until the patch can be applied, the following entry for the Type 1 font module can be removed or commented out (by inserting a '#' at the beginning line) from the xorg.conf(4) file:

    Load "type1"

Note: After applying this workaround, applications which require Type 1 fonts may not display the text properly.


Resolution

These issues are addressed in the following releases:

x86 Platform

  • Solaris 9 with patch 124833-01 or later
  • Solaris 10 with patch 119062-02 or later


Modification History
Date: 08-MAR-2007

08-Mar-2007:

  • Updated Contributing Factors and Resolution sections
  • State: Resolved


References

119062-02
124833-01




Attachments
This solution has no attachment