Security Vulnerability in the Xsun(1) and Xorg(1) Servers |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
|
| Bug Id : | 6316436, 6316438
|
| Date of Workaround Release : | 15-SEP-2005
|
| Date of Resolved Release : | 10-FEB-2006
|
A security vulnerability in the Xsun(1) and Xorg(1) X servers may allow a local unprivileged user the ability to execute arbitrary code with the privileges of the Xsun(1) or Xorg(1) X server due to an integer overflow in the X Pixmap (Xpm) format image file creation routines.
This issue is described in the following document:
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 8 without patch 108652-94 (for Xsun(1))
- Solaris 9 without patch 112785-52 (for Xsun(1))
- Solaris 10 without patch 119059-08 (for Xsun(1))
x86 Platform
- Solaris 8 without patch 108653-83 (for Xsun(1))
- Solaris 9 without patch 112786-41 (for Xsun(1))
- Solaris 9 without patch 118908-02 (for Xorg(1))
- Solaris 10 without patch 119060-08 (for Xsun(1))
- Solaris 10 without patch 118966-09 (for Xorg(1))
Note: The Xorg(1) X server only ships on the x86 platform for Solaris 9 with the Sun Java Desktop System (JDS) release 2 installed, and on Solaris 10.
To determine if JDS release 2 is installed on a Solaris 9 x86 system, the following command can be run:
% grep distributor-version /usr/share/gnome-about/gnome-version.xml
<distributor-version>Sun Java Desktop System, Release 2</distributor-version>
Symptoms
There are no predictable symptoms that would indicate the described issue has been exploited.
Workaround
To work around the described issue, remove the setuid(2) and/or setgid(2) bit from Xsun(1) and Xorg(1).
Note: Performing the above procedure will disable the following:
1. The ability to start either the Xsun(1) or Xorg(1) server from the command line for non-root users on the Solaris x86 platform..
2. Power Management and Interactive Process Priority control on Solaris SPARC.
3. Xsun(1) and Xorg(1) ability to open Unix domain sockets and named pipe transports in the protected "/tmp/.X11-*" directories.
Note: These features will still be available if Xsun(1) or Xorg(1) is started via display managers such as dtlogin(1) or gdm(1), however, the system would still be vulnerable to this issue.
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 8 with patch 108652-94 or later (for Xsun(1))
- Solaris 9 with patch 112785-52 or later (for Xsun(1))
- Solaris 10 with patch 119059-08 or later (for Xsun(1))
x86 Platform
- Solaris 8 with patch 108653-83 or later (for Xsun(1))
- Solaris 9 with patch 112786-41 or later (for Xsun(1))
- Solaris 9 with patch 118908-02 or later (for Xorg(1))
- Solaris 10 with patch 119060-08 or later (for Xsun(1))
- Solaris 10 with patch 118966-09 or later (for Xorg(1))
Modification HistoryDate: 19-SEP-2005
Change History
- Updated Contributing Factors section
Date: 24-OCT-2005
- Updated Contributing Factors, Relief/Workaround, and Resolution sections
Date: 27-OCT-2005
- Updated Contributing Factors, Relief/Workaround, and Resolution sections
Date: 17-NOV-2005
- Updated Contributing Factors, Relief/Workaround, and Resolution sections
Date: 01-DEC-2005
- Updated Contributing Factors and Relief/Workaround sections
Date: 10-FEB-2006
- State: Resolved
- Updated Contributing Factor Relief/Workaround and Resolution sections
AttachmentsThis solution has no attachment
Sun Contracted Content
Sun Contracted Feature
