[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 751/06 - Sun Security Advisory: Sun Alert ID: 102714 - Security Vulnerability With Integer Multiplication Within libXfont Affects Solaris X11 Servers



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

 UNIRAS (UK Government CERT) Briefing - 751/06 dated 16.11.06 time 14:10
 UNIRAS is part of NISCC (the UK National Infrastructure Security
 Co-ordination Centre)
______________________________________________________________________________

 UNIRAS material is available from the NISCC website at www.niscc.gov.uk
______________________________________________________________________________

Title
=====

Sun Security Advisory: Sun Alert ID: 102714 - Security Vulnerability With Integer 
Multiplication Within libXfont Affects Solaris X11 Servers

Detail
======

The Xsun(1) server and Xorg(1) server are the X display servers for
Version 11 of the X window system on Solaris.
There exists an overflow vulnerability when performing integer
multiplication within the libXfont library, as used by the X11 display
servers, that can cause a heap overflow while loading the fonts. This
may allow a local unprivileged user to be able to execute arbitrary
commands with elevated privileges or create a Denial of Service (DoS)
to the display managers.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             

                        ESB-2006.0848 -- [Solaris]
         Security Vulnerability With Integer Multiplication Within
                   libXfont Affects Solaris X11 Servers
                             16 November 2006

===========================================================================

       
        
Product:              Solaris 9, Solaris 10, Solaris 8 Operating Systems
Publisher:            Sun Microsystems
Operating System:     Solaris
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-3467

Ref:                  ESB-2006.0662
                      ESB-2006.0661
                      ESB-2006.0597

Original Bulletin:    
    http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102714-1

- - --------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
     * Sun Alert ID: 102714
     * Synopsis: Security Vulnerability With Integer Multiplication
       Within libXfont Affects Solaris X11 Servers
     * Category: Security
     * Product: Solaris 9 Operating System, Solaris 10 Operating System,
       Solaris 8 Operating System
     * BugIDs: 6465806, 6465805
     * Avoidance: Workaround
     * State: Workaround
     * Date Released: 14-Nov-2006
     * Date Closed: 
     * Date Modified: 

1. Impact

   The Xsun(1) server and Xorg(1) server are the X display servers for
   Version 11 of the X window system on Solaris.

   There exists an overflow vulnerability when performing integer
   multiplication within the libXfont library, as used by the X11 display
   servers, that can cause a heap overflow while loading the fonts. This
   may allow a local unprivileged user to be able to execute arbitrary
   commands with elevated privileges or create a Denial of Service (DoS)
   to the display managers.

   This issue is described in the following documents:
     * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
     * http://www.idefense.com/intelligence/vulnerabilities/display.ph
       p?id=412

2. Contributing Factors

   This issue can occur in the following releases:

   SPARC Platform
     * Solaris 8
     * Solaris 9
     * Solaris 10

   x86 Platform
     * Solaris 8
     * Solaris 9
     * JDS release 2 (for Solaris 9)
     * Solaris 10

   Note: Xorg(1) is not shipped in Solaris 8

   To determine the version of JDS that is currently installed on the
   system, run the following command (output will vary by platform):
    % grep platform /usr/share/gnome/gnome-about/gnome-version.xml
    <platform>2</platform>

   Alternatively (for the same results), in a terminal window from within
   the GNOME desktop, the following command can be run:
    % /usr/bin/gnome-about


3. Symptoms

   There are no predictable symptoms that would indicate that this issue
   has been exploited to execute arbitrary commands with elevated
   privileges. The symptom of the Denial of Service (DoS) would be the
   absence of either the Xsun(1) or Xorg(1) server running on the system. 

4. Relief/Workaround

   To prevent this issue from being exploited to execute arbitrary
   commands with elevated privileges, the setuid(2) bit can be removed
   from the Xorg server and the Xsun server on the x86 platform and the
   setgid(2) bit can be removed from the Xsun server on the SPARC
   platform. For example:
    # chmod 0755 /usr/openwin/bin/Xsun
    # chmod 0755 /usr/X11/bin/Xorg

   Note 1: Performing the above procedure will disable the following:
     * The ability to start either the Xsun(1) or Xorg(1) server from the
       command line for non-root users on the Solaris x86 platform.
     * The ability of Xsun(1) and Xorg(1) to open Unix domain sockets and
       named pipe transports in the protected "/tmp/.X11-*" directories.
     * The ability to configure Power Management and Interactive Process
       Priority control on Solaris SPARC.

   These features will still be available to Xsun and Xorg when started
   via a display manager such as dtlogin(1), gdm(1), or xdm(1).

   Note 2: There is no workaround to prevent this issue from being
   exploited to cause a Denial Of Service to the X Servers.

   Note 3: The "chmod" command for Xorg(1) is applicable only to Solaris
   9 and 10.

5. Resolution

   A final resolution for Solaris is pending completion.

   This Sun Alert notification is being provided to you on an "AS IS"
   basis. This Sun Alert notification may contain information provided by
   third parties. The issues described in this Sun Alert notification may
   or may not impact your system(s). Sun makes no representations,
   warranties, or guarantees as to the information contained herein. ANY
   AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
   WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
   YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
   INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
   OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your agreement to purchase services from Sun, or, if you do not have
   such an agreement, the Sun.com Terms of Use. This Sun Alert
   notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved

- - --------------------------END INCLUDED TEXT--------------------



iQCVAwUBRVv1RSh9+71yA2DNAQKi4QP9GxKEVqxE8xWCWLXOgYn3q/lsJ07GZl+M
R1VmxUrFhPLH8NH4Bmv+PobUkMkqRWf5sxXn6VcFglKNoL3hWBXc85ZUu4GBc0M/
uuWfLzLJbbBWCwYiSaNBF0WzLdpfSrpgyDhGmZG8F1sN1T1gZg4Y7kZtqfZ8INxs
0NhS+HOQ+Vs=
=xSP+
- -----END PGP SIGNATURE-----




______________________________________________________________________________

NISCC values your feedback.

1. Which of the following most reflects the value of the briefing to you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__ 

2. If you did not find it useful, why not?


3. Any other comments? How could we improve our briefings?


Thank you for your contribution.
______________________________________________________________________________

For additional information or assistance, please contact our help desk
by telephone.  You may send Not Protectively Marked information via
e-mail to uniras@xxxxxxxxxxxxx

Office hours:

Mon - Fri: 08:30 - 17:00 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749

On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts

______________________________________________________________________________

UNIRAS wishes to acknowledge the contributions of Sun for the
information contained in this briefing.
______________________________________________________________________________

This notice contains information released by the original author.
Some of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory
from the site of the original source to ensure that you receive the most
current information concerning that problem.

Reference to any specific commercial product, process, or service by
trade name, trademark manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favouring by UNIRAS or NISCC.
The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall not be liable for any loss or damage whatsoever, arising from or
in connection with the usage of information contained within this
notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response
Teams (IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
______________________________________________________________________________

<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRVxvvWl7oeQsXfKvEQI22QCghk90RlHaKC+QfEA98fDHbANKKMoAoLC/
elXLrGJKRPyue8C3puJOLpwS
=v85g
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________