A buffer overflow vulnerability in libX11 may allow a local unprivileged user to be able to execute arbitrary code or commands with elevated privileges. The code or commands executed would run with the privileges of the application dynamically linked to the libX11 library. A number of programs shipped in Solaris and by third parties dynamically link with the libX11 library and run with elevated privileges. Applications that call XInitImage() with user-controllable parameters may be vulnerable, such as xwud(1) and ImageMagick, when loading X Window Dump (xwd) files with incorrect parameters.

This issue is described in the following documents:

CVE-2007-1667 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1667

http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html

This issue can occur in the following releases:

SPARC Platform

• Solaris 8 without patch 119067-08
• Solaris 9 without patch 112785-62
• Solaris 10 without patch 119059-26

x86 Platform

• Solaris 8 without patch 119068-08
• Solaris 9 without patch 112786-51
• Solaris 10 without patch 119060-25

Notes:

1) To determine if an application is linked against the libX11 library, the ldd(1) utility can be used as in the following example:

    $ ldd /path/to/application | grep libX11 || echo "application not affected"

If output similar to the following is seen:

    libX11.so.4 =>   /usr/openwin/lib/libX11.so.4

then the application links to libX11 and may be affected by this issue.

2) To determine if an application uses the XInitImage(3X11) function the nm(1) command can be used if the application binary has not been stripped using strip(1). The file(1) command will report if a binary has been stripped. For example:

    $ file /usr/openwin/bin/xwud
    /usr/openwin/bin/xwud:  ELF 32-bit LSB executable 80386 Version 1 [FPU], 
    dynamically linked, not stripped, no debugging information available

    $ nm /usr/openwin/bin/xwud | grep XInitImage
    [61]    | 134550036|         0|FUNC |GLOB |0    |UNDEF  |XInitImage

Alternatively, the truss(1) utility can be used to determine if an application calls the XInitImage() function. For example:

    $ truss -f -t\!all -ulibX11:XInitImage: xwud -in file.xwd
    28243/1@1:      -> libX11:XInitImage(0x8047888)
    28243/1@1:      <- libX11:XInitImage() = 1

There are no predictable symptoms that would indicate the described issue has been exploited to execute arbitrary commands with elevated privileges on a system.

To avoid this issue, do not load X11 Window dump files from untrusted sources.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 8 with patch 119067-08 or later
• Solaris 9 with patch 112785-62 or later
• Solaris 10 with patch 119059-26 or later

x86 Platform

• Solaris 8 with patch 119068-08 or later
• Solaris 9 with patch 112786-51 or later
• Solaris 10 with patch 119060-25 or later

• Updated Contributing Factors and Resolution sections

• Updated Contributing Factors and Resolution sections
• State: Resolved

This solution has no attachment