Multiple security vulnerabilities in the X Font Server (xfs(1)) and the X Render and DBE extensions, which are part of the X11 servers Xsun(1) and Xorg(1), may allow a local or remote unprivileged user to elevate their privileges to root and execute arbitrary code resulting in memory corruption or a Denial of Service (DoS) condition.

These issues are described in the following documents:

CVE-2003-0730 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0730

CVE-2006-6101 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6101

CVE-2006-6102 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6102

CVE-2006-6103 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6103

iDefense Multiple Vendor X Server Render Extension ProcRenderAddGlyphs Memory Corruption Vulnerability at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=463

iDefense Multiple Vendor X Server DBE Extension ProcDbeGetVisualInfo Memory Corruption Vulnerability at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=464

iDefense Multiple Vendor X Server DBE Extension ProcDbeSwapBuffers Memory Corruption Vulnerability at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=465

These issues can occur in the following releases:

SPARC Platform

• Solaris 8 without patch 119067-06 and 109862-04
• Solaris 9 without patch 112785-60 and 113923-03
• Solaris 10 without patch 119059-21

x86 Platform

• Solaris 8 without patch 119068-06 and 109863-04
• Solaris 9 without patch 112786-49 and 113924-03
• Solaris 9 without patch 118908-03 (for Xorg(1))
• Solaris 10 without patch 119060-20 and 118966-25
• Solaris 10 without patch 125720-03 (for Xorg(1))

Note: The Xorg(1) X11 server is only affected by BugID 6504408. The Xsun(1) X11 server is affected by BugsIDs 4915967 and 6502073.

There are no predictable symptoms that would indicate the described issues have been exploited.

BugID 6504408:

This workaround is applicable on the x86 platform running Xorg(1) server:

In the "xorg.conf" file, located in "/etc/X11", remove the following lines from the "Module" section:

    Load "render"
    Load "dbe"

Note: This will prevent the Render and the DBE extension from loading, which may affect the appearance or operation of some applications.

BugID 4915967:

BugID 4915967 is fixed in the Solaris 9 patch revisions 112785-59 and 112786-48, and in the Solaris 10 patch revisions 119059-16 and 119060-15.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 8 with patch 119067-06 or later and 109862-04 or later
• Solaris 9 with patch 112785-60 or later and 113923-03 or later
• Solaris 10 with patch 119059-21 or later

x86 Platform

• Solaris 8 with patch 119068-06 or later and 109863-04 or later
• Solaris 9 with patch 112786-49 or later and 113924-03 or later
• Solaris 9 with patch 118908-03 or later (for Xorg(1))
• Solaris 10 with patch 119060-20 or later and 118966-25 or later
• Solaris 10 with patch 125720-03 or later (for Xorg(1))

• Updated Contributing Factors and Resolution sections

• Updated Contributing Factors and Resolution sections

• Updated Contributing Factors and Resolution sections

• State: Resolved
• Updated Contributing Factors and Resolution sections

This solution has no attachment