Two Integer Overflow Vulnerabilities Found in the Xorg(1) X Server |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Solaris 9 Operating System
Solaris 10 Operating System
|
| Bug Id : | 6464170, 6464172
|
| Date of Workaround Release : | 23-JAN-2007
|
| Date of Resolved Release : | 08-MAR-2007
|
Two integer overflows, one in the CIDAFM() function and one in the scan_cidfont() function, have been found in the Xorg X server (see Xorg(1)) which may allow a local unprivileged user the ability to execute arbitrary code with the privileges of the Xorg server. The Xorg X server runs with root privileges on Solaris.
These issues are described in the following documents:
CVE-2006-3739 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3739
CVE-2006-3740 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3740
iDefense Multiple Vendor X Server CID-keyed Fonts 'CIDAFM()' Integer Overflow Vulnerability at: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=412
Multiple Vendor X Server CID-keyed Fonts 'scan_cidfont()' Integer Overflow Vulnerability at: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=411
Contributing Factors
These issues can occur in the following releases:
x86 Platform
Notes:
- Solaris 8 on the x86 platform is not affected by this issue.
- Solaris on the SPARC platform is not affected by this issue.
- Solaris 9 on the x86 platform does not ship with the Xorg X server by default but is present if the unbundled Sun Java Desktop System (JDS) Release 2 was downloaded and installed.
To determine if JDS Release 2 is installed on a Solaris 9 x86 system, the following command can be run:
$ grep distributor-version /usr/share/gnome-about/gnome-version.xml
<distributor-version>Sun Java Desktop System, Release 2</distributor-version>
4. The described issues only occur on systems with the SUNWxorg packages installed. To determine if the SUNWxorg packages are installed on the system, the following command can be used:
$ pkginfo SUNWxorg-server
system SUNWxorg-server X.Org Foundation Xserver
Symptoms
There are no predictable symptoms that would indicate the described issues have been exploited to execute arbitrary commands with root privileges.
Workaround
To work around the described issues until the patch can be applied, the following entry for the Type 1 font module can be removed or commented out (by inserting a '#' at the beginning line) from the xorg.conf(4) file:
Load "type1"
Note: After applying this workaround, applications which require Type 1 fonts may not display the text properly.
Resolution
These issues are addressed in the following releases:
x86 Platform
Modification HistoryDate: 08-MAR-2007
08-Mar-2007:
- Updated Contributing Factors and Resolution sections
- State: Resolved
AttachmentsThis solution has no attachment
Sun Contracted Content
Sun Contracted Feature
