Note: This is an archival copy of Security Sun Alert 201752 as previously published on
Latest version of this security advisory is available from as Sun Alert 1001292.1.
Article ID : 1001292.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-03-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Two Integer Overflow Vulnerabilities Found in the Xorg(1) X Server


Release Phase

Solaris 9 Operating System
Solaris 10 Operating System

Bug Id
6464170, 6464172

Date of Workaround Release

Date of Resolved Release


Two integer overflows, one in the CIDAFM() function and one in the scan_cidfont() function, have been found in the Xorg X server (see Xorg(1)) which may allow a local unprivileged user the ability to execute arbitrary code with the privileges of the Xorg server. The Xorg X server runs with root privileges on Solaris.

These issues are described in the following documents:

CVE-2006-3739 at:

CVE-2006-3740 at:

iDefense Multiple Vendor X Server CID-keyed Fonts 'CIDAFM()' Integer Overflow Vulnerability at:

Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont()' Integer Overflow Vulnerability at:

Contributing Factors

These issues can occur in the following releases:

x86 Platform

  • Solaris 9 without patch 124833-01
  • Solaris 10 without patch 119062-02


  1. Solaris 8 on the x86 platform is not affected by this issue.
  2. Solaris on the SPARC platform is not affected by this issue.
  3. Solaris 9 on the x86 platform does not ship with the Xorg X server by default but is present if the unbundled Sun Java Desktop System (JDS) Release 2 was downloaded and installed.

To determine if JDS Release 2 is installed on a Solaris 9 x86 system, the following command can be run:

    $ grep distributor-version /usr/share/gnome-about/gnome-version.xml
    <distributor-version>Sun Java Desktop System, Release 2</distributor-version>

4. The described issues only occur on systems with the SUNWxorg packages installed. To determine if the SUNWxorg packages are installed on the system, the following command can be used:

    $ pkginfo SUNWxorg-server
    system SUNWxorg-server X.Org Foundation Xserver



There are no predictable symptoms that would indicate the described issues have been exploited to execute arbitrary commands with root privileges.


To work around the described issues until the patch can be applied, the following entry for the Type 1 font module can be removed or commented out (by inserting a '#' at the beginning line) from the xorg.conf(4) file:

    Load "type1"

Note: After applying this workaround, applications which require Type 1 fonts may not display the text properly.


These issues are addressed in the following releases:

x86 Platform

  • Solaris 9 with patch 124833-01 or later
  • Solaris 10 with patch 119062-02 or later

Modification History
Date: 08-MAR-2007


  • Updated Contributing Factors and Resolution sections
  • State: Resolved



This solution has no attachment