Security Vulnerabilities in the "libgdk_pixbuf" Library May Allow a Remote Unprivileged User to Execute Arbitrary Code



Category: Security
Release Phase: Resolved
Product: GNOME 2.0 Desktop, Sun Java Desktop System 2003
Bug Id: 5103573
Date of Workaround Release: 23-JUN-2005
Date of Resolved Release: 13-JUL-2005


Impact

Due to multiple security vulnerabilities in the libgdk_pixbuf library, a remote unprivileged user may be able to execute arbitrary code with the privileges of a local user when that local user has loaded an XPixmap (Xpm) format image file supplied by an untrusted user.

The libgdk_pixbuf library is part of the GIMP Toolkit (GTK+) and is used for loading and rendering images.

These issues are described in the following documents:


Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • GNOME 2.0 (for Solaris 8) without patch 114644-03
  • GNOME 2.0 (for Solaris 9) without patch 114686-03
  • GNOME 2.0.2 (for Solaris 9) without patch 115738-04

x86 Platform

  • GNOME 2.0 (for Solaris 8) without patch 114645-03
  • GNOME 2.0 (for Solaris 9) without patch 114687-03
  • GNOME 2.0.2 (for Solaris 9) without patch 115739-04
  • Solaris 9 with JDS release 2 installed without patch 121092-01

Linux

  • Sun Java Desktop System (JDS) 2003 without the updated RPMs (patch-118903-01)
  • Sun Java Desktop System (JDS) Release 2 without the updated RPMs (patch-118905-01)

Note: Solaris 10 is not affected by these issues.

To determine the version of GNOME that is currently installed on the system, the following command can be run (output will vary by platform):

    % grep description /usr/share/gnome/gnome-about/gnome-version.xml
    <description>fcs-10b</description> for GNOME 2.0 releases
    <description>2.0.0_patch-us2</description>

Alternatively (for the same results), in a terminal window from within the GNOME desktop, the following command can be run:

    % /usr/bin/gnome-about

To determine the release of JDS for Linux installed on a system, the following command can be run:

    % cat /etc/sun-release
    Sun Java Desktop System - 2003

To determine if JDS release 2 is installed on a Solaris 9 system, the following command can be run:

    % grep distributor-version /usr/share/gnome-about/gnome-version.xml
    <distributor-version>Sun Java Desktop System, Release 2</distributor-version>

To determine the version of GTK on JDS for Linux systems, run the following command:

    % rpm -qf /usr/lib/gtk-2.0/2.2.0/loaders/libpixbufloader-xpm.so
    gtk2-2.2.2-30
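
On Solaris, the installed revision of a patch listed above can be compared against the fixed revision by parsing `showrev -p` output. The following is an added example, not part of the original Sun Alert; the function name `patch_status` is hypothetical, and the sample patch listing and its package name are constructed.

```shell
#!/bin/sh
# Added example: decide whether a Solaris patch is installed at or above the
# fixed revision named in the advisory (e.g. 114644-03).
# Input: `showrev -p` style lines on stdin. Output: missing | outdated | fixed.
# Exit status is 0 only when the fixed revision (or later) is present.
# Limitation: patches that obsolete the listed patch id are not followed.
patch_status() {
    base=$1   # patch id without revision, e.g. 114644
    min=$2    # minimum fixed revision, e.g. 03
    awk -v base="$base" -v min="$min" '
        BEGIN { best = -1 }
        $1 == "Patch:" {
            # $2 looks like 114644-03; keep the highest revision seen
            n = split($2, id, "-")
            if (n == 2 && id[1] == base && id[2] + 0 > best)
                best = id[2] + 0
        }
        END {
            if (best < 0)       { print "missing"; exit 1 }
            if (best < min + 0) { printf "outdated (rev %02d)\n", best; exit 1 }
            printf "fixed (rev %02d)\n", best
        }'
}

# Constructed sample in the layout printed by `showrev -p`;
# EXAMPLEpkg is a placeholder package name.
SAMPLE_SHOWREV='Patch: 114686-02 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 115738-03 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 115738-04 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg'

# Demo on the constructed sample. On a live host: showrev -p | patch_status 114644 03
for want in 114644-03 114686-03 115738-04; do
    printf '%s: ' "$want"
    printf '%s\n' "$SAMPLE_SHOWREV" | patch_status "${want%-*}" "${want#*-}" || true
done
```

Pick the patch id that matches the platform and GNOME release from the lists above; a result of `missing` or `outdated` means the fixed revision still has to be applied.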

 


Symptoms

There are no reliable symptoms that would indicate the described issues have been exploited.


Workaround

To work around the described issues, do not load XPixmap (Xpm) images from untrusted sources.


Resolution

These issues are addressed in the following releases:

SPARC Platform

  • GNOME 2.0 (for Solaris 8) with patch 114644-03 or later
  • GNOME 2.0 (for Solaris 9) with patch 114686-03 or later
  • GNOME 2.0.2 (for Solaris 9) with patch 115738-04 or later

x86 Platform

  • GNOME 2.0 (for Solaris 8) with patch 114645-03 or later
  • GNOME 2.0 (for Solaris 9) with patch 114687-03 or later
  • GNOME 2.0.2 (for Solaris 9) with patch 115739-04 or later
  • Solaris 9 with patch 121092-01 or later

Linux

  • Sun Java Desktop System (JDS) 2003 with the updated RPMs (patch-118903-01)
  • Sun Java Desktop System (JDS) Release 2 with the updated RPMs (patch-118905-01)

To download and install the updated RPMs from the update servers, select the following sequence from the "launch" bar:

    Launch >> Applications >> System Tools >> Online Update

For more information on obtaining RPM updates, see:




Modification History


Date: 13-JUL-2005
  • State: Resolved
  • Updated Contributing Factors and Relief/Workaround sections

Date: 20-MAR-2006
  • Updated Contributing Factors and Resolution sections



Attachments
This solution has no attachment

 
 
Article Details
Article ID: 201803
Article Type: Sun Alert
Last reviewed: 2006-03-20
Audience: PUBLIC