Multiple Security Issues Within The X Font Server (xfs(1)) QueryXBitmaps and QueryXExtents Protocol Handlers |
|
| Category : | Security |
| Release Phase : | Resolved |
| Product : | Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System
|
| Bug Id : | 6601751, 6601756
|
| Date of Workaround Release : | 06-Nov-2007
|
| Date of Resolved Release : | 17-Jan-2008
|
There exists multiple security vulnerabilities within the handlers for the QueryXBitmaps and QueryXExtents protocol requests (see below for full details)
1. Impact
There exists multiple security vulnerabilities within the handlers for the QueryXBitmaps and QueryXExtents protocol requests for the X Font Server, xfs(1), included with Solaris. These vulnerabilities may allow a local or remote unprivileged user the ability to execute arbitrary code with the privileges of the X font server. The X font server runs as the unprivileged user "nobody" (uid 60001) on Solaris. These vulnerabilities may allow also allow users to consume all available memory on a system resulting in a Denial of Service (DoS).
These issues are also referenced in the following documents:
2. Contributing Factors
These issues can occur in the following releases:
SPARC Platform
x86 Platform
The system is only impacted if the X Font Server is enabled or is running. The X Font Server can be started manually, but is normally started by the service management facility (smf(5)) or the Internet services daemon (inetd(1M)).
To determine the state of the X font server on Solaris 8 and Solaris 9 systems the "/etc/inet/inetd.conf" (see inetd.conf(4)) file will contain entry similar to the following:
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
To determine the state of the X Font Server for Solaris 10, the following command can be used:
$ svcs svc:/application/x11/xfs
To determine if the X font server is running on a Solaris 8, 9, or 10 system the following command can be used:
$ pgrep -x xfs || echo "xfs(1) isn't running on this system"
3. Symptoms
If the described issue occurs, the X Font Server (xfs(1)) may exit unexpectedly, potentially leaving a core file within the root file system.
There are no predictable symptoms that would indicate that this issue has been exploited to execute arbitrary code on a system.
4. Workaround
To work around the described issue, disable the X Font Service by doing the following:
For Solaris 10:
# svcadm disable svc:/application/x11/xfs:default
# pkill -x xfs
For Solaris 8 and Solaris 9:
The X font server can be disabled by commenting out (with "#") the following line in the "inetd.conf" file:
# fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
Have the inetd(1M) process reread the newly modified "/etc/inetd.conf" file by sending it a "hangup" signal, SIGHUP, as the root user:
# pkill -HUP -x inetd
# pkill -x xfs
This workaround will cause font server operations for the X terminals and remote X sessions to fail.
Resolution
This issue is addressed in the following releases:
SPARC Platform
x86 Platform
Note: The patches should have the "rebootafter" patch property, however, the Solaris 9 and Solaris 10 patches are missing that property and new revisions are being built.
Special patch install instructions:
For the changes in the Solaris 9 and Solaris 10 patches to become effective, a reboot must be performed, or alternatively, the X Window System font server process "xfs" must be killed if it is running.
The "X font server", is normally started automatically from "inetd" on Solaris when a request for a font service is received. Xsun clients using the font server will detect the font server shutdown and reconnect automatically to a new instance of the font server. Unfortunately, other font clients, such as some versions of "Xvnc", will not reconnect automatically and will need to be stopped before killing the font server and restarted again after the font server is restarted. (If "xfs" is still being run from "inetd", "inetd" will automatically restart on the first connection attempt.)
To kill the font server, as root, run the following command:
# pkill -x xfs
This Sun Alert notification is being provided to you on an "AS
IS" basis. This Sun Alert notification may contain information provided
by third parties. The issues described in this Sun Alert notification
may or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This
Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
Modification History11-Oct-2007: Updated Relief/Workaround section
06-Nov-2007: Updated Contributing Factors and Resolution sections
13-Nov-2007: Updated the Contributing Factors, Relief/Workaround, and Resolution sections
17-Jan-2008: Resolved - Updated Contributing Factors and Resolution sections
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
