An unprivileged local user may be able to execute arbitrary code or commands with the privileges of the dtsession(1X) Common Desktop Environment (CDE) Session Manager. The dtsession(1X) CDE Session Manager runs with root privileges.

This issue can occur in the following releases:

SPARC Platform

• Solaris 8 without patch 109354-26
• Solaris 9 without patch 113240-13
• Solaris 10 without patch 125279-02

x86 Platform

• Solaris 8 without patch 109355-25
• Solaris 9 without patch 113241-13
• Solaris 10 without patch 125280-02

There are no predictable symptoms that would indicate this issue has been exploited.

To work around the described issue, turn off the set-user-ID ("setuid") bit for dtsession(1X) as root:

    #chmod 0555 /usr/dt/bin/dtsession

Note 1: For CDE users this will cause dtsession(1X) to be unable to unlock the screen by the list of keyholders (including root) as well as prevent users with accounts defined in /etc/passwd to be unable to unlock the screen. CDE users with accounts defined in NIS, NIS+, or LDAP will still be able to unlock the screen.

Note 2: CDE users with accounts defined in /etc/passwd should use xlock(1) to lock their X display and turn off automatic session locking by dtsession(1X). Automatic session locking by dtsession(1X) can be turned off using the CDE Style Manager's (dtstyle(1X)) screen option. From the dtstyle(1X) screen option window, automatic session locking can be turned off by selecting "off" for the Screen Saver and Screen Lock options. To lock the X display using xlock(1) the xlock(1) command can be executed from the command line of a terminal window.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 8 with patch 109354-26 or later
• Solaris 9 with patch 113240-13 or later
• Solaris 10 with patch 125279-02 or later

x86 Platform

• Solaris 8 with patch 109355-25 or later
• Solaris 9 with patch 113241-13 or later
• Solaris 10 with patch 125280-02 or later

This solution has no attachment