Note: This is an archival copy of Security Sun Alert 230213 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1018535.1.
Article ID : 1018535.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-09-25
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Xsun(1) and Xorg(1) Servers



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6316436, 6316438

Date of Workaround Release
15-SEP-2005

Date of Resolved Release
10-FEB-2006

Impact

A security vulnerability in the Xsun(1) and Xorg(1) X servers may allow a local unprivileged user to execute arbitrary code with the privileges of the Xsun(1) or Xorg(1) X server. The cause is an integer overflow in the X Pixmap (Xpm) format image file creation routines.

This issue is described in the following document:


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 108652-94 (for Xsun(1))
  • Solaris 9 without patch 112785-52 (for Xsun(1))
  • Solaris 10 without patch 119059-08 (for Xsun(1))

x86 Platform

  • Solaris 8 without patch 108653-83 (for Xsun(1))
  • Solaris 9 without patch 112786-41 (for Xsun(1))
  • Solaris 9 without patch 118908-02 (for Xorg(1))
  • Solaris 10 without patch 119060-08 (for Xsun(1))
  • Solaris 10 without patch 118966-09 (for Xorg(1))

Note: The Xorg(1) X server only ships on the x86 platform for Solaris 9 with the Sun Java Desktop System (JDS) release 2 installed, and on Solaris 10.

To determine if JDS release 2 is installed on a Solaris 9 x86 system, the following command can be run:

    % grep distributor-version /usr/share/gnome-about/gnome-version.xml
    <distributor-version>Sun Java Desktop System, Release 2</distributor-version>

 


Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.


Workaround

To work around the described issue, remove the setuid(2) and/or setgid(2) bit from Xsun(1) and Xorg(1).

Note: Performing the above procedure will disable the following:

1. The ability to start either the Xsun(1) or Xorg(1) server from the command line for non-root users on the Solaris x86 platform.

2. Power Management and Interactive Process Priority control on Solaris SPARC.

3. The ability of Xsun(1) and Xorg(1) to open Unix domain sockets and named pipe transports in the protected "/tmp/.X11-*" directories.

Note: These features will still be available if Xsun(1) or Xorg(1) is started via display managers such as dtlogin(1) or gdm(1); however, the system would still be vulnerable to this issue.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 108652-94 or later (for Xsun(1))
  • Solaris 9 with patch 112785-52 or later (for Xsun(1))
  • Solaris 10 with patch 119059-08 or later (for Xsun(1))

x86 Platform

  • Solaris 8 with patch 108653-83 or later (for Xsun(1))
  • Solaris 9 with patch 112786-41 or later (for Xsun(1))
  • Solaris 9 with patch 118908-02 or later (for Xorg(1))
  • Solaris 10 with patch 119060-08 or later (for Xsun(1))
  • Solaris 10 with patch 118966-09 or later (for Xorg(1))
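
As an added example (not part of the original Sun Alert), the following shell functions combine the Resolution and Workaround checks for one X server binary: whether the listed patch appears in `showrev -p` output at the required revision "or later", and whether the binary still carries a setuid or setgid bit. The function names are hypothetical, and the path /usr/openwin/bin/Xsun and the sample patch lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: patch IDs come from this alert; the sample `showrev -p`
# lines and the X server path below are constructed/assumed.

# patch_ok REQUIRED: reads `showrev -p` output on stdin and succeeds when the
# same patch base ID is installed at the required revision or later.
# It does not follow "Obsoletes:" chains to replacement patch IDs.
patch_ok() {
    awk -v base="${1%-*}" -v rev="${1#*-}" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= rev + 0) found = 1
        }
        END { exit !found }'
}

# has_setid FILE: succeeds if FILE carries a setuid or setgid bit.
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# xserver_status FILE REQUIRED: reads `showrev -p` output on stdin and prints
#   absent      FILE is not installed
#   patched     REQUIRED (or a later revision) is installed
#   exposed     unpatched and FILE is still setuid/setgid
#   workaround  unpatched, but the set-id bits have been removed
xserver_status() {
    if [ ! -e "$1" ]; then
        echo absent
    elif patch_ok "$2"; then
        echo patched
    elif has_setid "$1"; then
        echo exposed
    else
        echo workaround
    fi
}

# Constructed sample: revision -50 is older than the required -52.
SAMPLE='Patch: 112785-50 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwplt
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample'

# On a real host, pipe `showrev -p` in instead of the constructed sample.
printf '%s\n' "$SAMPLE" | xserver_status /usr/openwin/bin/Xsun 112785-52
```

A result of "workaround" reflects only the file mode; as noted in the Workaround section, a server started via dtlogin(1) or gdm(1) would still be vulnerable until the patch is installed.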


Modification History
Date: 19-SEP-2005
  • Updated Contributing Factors section

Date: 24-OCT-2005
  • Updated Contributing Factors, Relief/Workaround, and Resolution sections

Date: 27-OCT-2005
  • Updated Contributing Factors, Relief/Workaround, and Resolution sections

Date: 17-NOV-2005
  • Updated Contributing Factors, Relief/Workaround, and Resolution sections

Date: 01-DEC-2005
  • Updated Contributing Factors and Relief/Workaround sections

Date: 10-FEB-2006
  • State: Resolved
  • Updated Contributing Factors, Relief/Workaround, and Resolution sections


References

119059-08
112786-41
119060-08
108652-94
112785-52
108653-83
118966-09
118908-02



