[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
UNIRAS Brief - 981/05 - Two Sun Alert Notifications:
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------------------
UNIRAS (UK Govt CERT) Briefing Notice - 981/05 dated 25.11.05 Time: 11:00
UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ----------------------------------------------------------------------------------
UNIRAS material is also available from its website at www.uniras.gov.uk and
Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------
Title
=====
Two Sun Alert Notifications:
1. 102041 - Security Vulnerability in the libexif JPEG Image
Processing Library
2. 102060 - Security Vulnerabilities in the traceroute(1M) Utility
may Allow Elevated Privileges
Detail
======
1. A security vulnerability in the libexif JPEG image processing library
may allow a remote unprivileged user who provides a carefully crafted
JPEG image the ability to execute arbitrary code with the privileges
of a local user who opens that image. Furthermore, a remote user may
be able to create a Denial of Service (DOS) attack by using a
carefully crafted JPEG image.
2. Multiple security vulnerabilities in the traceroute(1M) utility may
allow an unauthorized local user the ability to execute arbitrary code
with elevated privileges. The traceroute(1M) utility in Solaris 10 is
privilege aware and thus the only additional privilege available is
PRIV_NET_RAWACCESS (see privileges(5)). This limits the impact by only
allowing access to the network layer.
1.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
ESB-2005.0945 -- Sun Alert Notification 102041
Security Vulnerability in the libexif JPEG Image Processing Library
25 November 2005
===========================================================================
Product: libexif
Publisher: Sun Microsystems
Operating System: Solaris 10
Solaris 9
Sun Java Desktop System Release 2
Sun Java Desktop System 2003
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CAN-2005-0664
Ref: ESB-2005.0315
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102041-1
- - --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 102041
* Synopsis: Security Vulnerability in the libexif JPEG Image
Processing Library
* Category: Security
* Product: Solaris 9 Operating System, Solaris 10 Operating System,
Sun Java Desktop System Release 2, Sun Java Desktop System 2003
* BugIDs: 6257383, 6345703
* Avoidance: Patch, Workaround
* State: Resolved
* Date Released: 23-Nov-2005
* Date Closed: 23-Nov-2005
* Date Modified:
1. Impact
A security vulnerability in the libexif JPEG image processing library
may allow a remote unprivileged user who provides a carefully crafted
JPEG image the ability to execute arbitrary code with the privileges
of a local user who opens that image. Furthermore, a remote user may
be able to create a Denial of Service (DOS) attack by using a
carefully crafted JPEG image.
This issue may occur with applications linked against the libexif
library, including (but not limited to), the Eye of Gnome (eog)
application, which is distributed as part of the Java Desktop System.
Note: Most digital cameras produce EXIF files, which are Joint
Photographic Experts Group (JPEG) files with extra tags that contain
information about the image. The EXIF library allows you to parse an
EXIF file and read the data from those tags.
This issue is described in the following documents:
* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0664
* http://www.novell.com/linux/security/advisories/2005_11_sr.html
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 10 without patch 121095-01
x86 Platform
* Java Desktop System (JDS) Release 2 (for Solaris 9) without patch
121093-01
* Solaris 10 without patch 121096-01
Linux
* Sun Java Desktop System (JDS) release 2003
* Sun Java Desktop System (JDS) Release 2 without the updated RPMs
(patch-9996)
Note: Solaris 8 and Solaris 9 are not affected by this issue.
The described issue only occurs on JDS for Linux with libexif versions
libexif-0.5.3-91 or earlier.
To determine if libexif is installed on a Solaris system, the
following command can be used:
% pkginfo SUNWlibexif
GNOME2 SUNWlibexif libexif
To determine the release of JDS for Linux installed on a system, the
following command can be used:
% cat /etc/sun-release
Sun Java Desktop System, Release 2 -build 10b (GA)
Assembled 30 March 2004
To determine the version of libexif installed on a JDS for Linux
system, the following command can be run:
% rpm -qf /usr/lib/libexif.so.5
libexif-0.5.3-91
3. Symptoms
There are no predictable symptoms that would indicate the described
issue has been exploited.
4. Relief/Workaround
To avoid the described issue, do not load JPEG images from untrusted
sources.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 10 with patch 121095-01 or later
x86 Platform
* Java Desktop System (JDS) Release 2 (for Solaris 9) with patch
121093-01 or later
* Solaris 10 with patch 121096-01 or later
Linux
* Sun Java Desktop System (JDS) Release 2 with the updated RPMs
(patch-9996)
To download and install the updated RPMs from the update servers,
select the following sequence from the "launch" menu:
Launch >> Applications >> System Tools >> Online Update
For more information on obtaining updates see:
* http://wwws.sun.com/software/javadesktopsystem/faq.html#5q5
* http://wwws.sun.com/software/javadesktopsystem/faq.html#5q7
Note: Sun Java Desktop System (JDS) release 2003 is no longer
supported and will require an upgrade to a later release with the
associated patches installed to address this issues.
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved
- - --------------------------END INCLUDED TEXT--------------------
2.
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
ESB-2005.0946 -- Sun Alert Notification 102060
Security Vulnerabilities in the traceroute(1M) Utility may
Allow Elevated Privileges
25 November 2005
===========================================================================
Product: traceroute
Publisher: Sun Microsystems
Operating System: Solaris 10
Impact: Increased Privileges
Access: Existing Account
CVE Names: CAN-2005-2071
Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102060-1
- - --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 102060
* Synopsis: Security Vulnerabilities in the traceroute(1M) Utility
may Allow Elevated Privileges
* Category: Security
* Product: Solaris 10 Operating System
* BugIDs: 6290623, 6290611
* Avoidance: Patch, Workaround
* State: Resolved
* Date Released: 23-Nov-2005
* Date Closed: 23-Nov-2005
* Date Modified:
1. Impact
Multiple security vulnerabilities in the traceroute(1M) utility may
allow an unauthorized local user the ability to execute arbitrary code
with elevated privileges. The traceroute(1M) utility in Solaris 10 is
privilege aware and thus the only additional privilege available is
PRIV_NET_RAWACCESS (see privileges(5)). This limits the impact by only
allowing access to the network layer.
These issues are described in the following document:
* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2071
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 10 without patch 121012-01
x86 Platform
* Solaris 10 without patch 121013-01
Note: Solaris 8 and Solaris 9 are not affected by this issue.
3. Symptoms
There are no reliable symptoms that would indicate the described issue
has been exploited.
4. Relief/Workaround
To work around the described issue, the "set user ID bit" (suid) may
be removed from the traceroute(1M) binary (or the binary may be
removed altogether), which will render it unusable to non-root users.
To remove the suid bit, run the following command as root user:
# chmod u-s /usr/sbin/traceroute
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 10 with patch 121012-01 or later
x86 Platform
* Solaris 10 with patch 121013-01 or later
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved
- - --------------------------END INCLUDED TEXT--------------------
- ----------------------------------------------------------------------------------
For additional information or assistance, please contact the HELP Desk by
telephone or Not Protectively Marked information may be sent via
EMail to: uniras@xxxxxxxxxxxx
Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749
Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts
- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Sun Microsystems for the information
contained in this Briefing.
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.
Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.
UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1
iQCVAwUBQ4bvHIpao72zK539AQGuCAP+Pw3MFq6eLyjb5Is0O6YsIDm8t+UktrPD
QapzL0PA87yeWvTa+0TgUm1TiyLVQ4lCibmqHdu45dQtbw27zFeXh6TPCSzsddlK
9lp8ZmqPLTpFIk+/kpmRYr1f3/bxd/TNofc1JuoeEo5CbYb/lh5At7B/dgdJTA/D
GryqWPZpNnY=
=4vST
-----END PGP SIGNATURE-----
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________