[Sun] UPDATE: Vulnerability in the libXfont library - Sun Alert ID 102714
Dear colleagues,
we have just received the following bulletin from the SUN Customer Warning
System. We are passing this information on to you unchanged.
Please note that this is an update of the advisory, concerning the
following changes:
With this update, Sun provides software updates for Solaris (SPARC and
x86).
The XFree86 and X.org servers, as well as Solaris' own Xsun server, are
also affected by the vulnerabilities in the FreeType code.
CVE-2006-1861 / CVE-2006-2493 / CVE-2006-3467 - Multiple integer
overflows in FreeType
Integer overflows can be triggered at several points in the FreeType code
(bdf/bdflib.c, sfnt/ttcmap.c, cff/cffgload.c and base/ftmac.c /
read_lwfn()). An attacker can exploit these vulnerabilities to crash the
application that uses the FreeType library (denial of service) or to
execute arbitrary code with the privileges of the user.
The vulnerability in base/ftmac.c / read_lwfn() was originally classified
as CVE-2006-2493.
The following software packages and platforms are affected:
Xorg
Xsun
libXfont
SPARC Platform
Solaris 8 before patch 119067-04
Solaris 9 before patch 112785-57
Solaris 10 before patch 119059-19
x86 Platform
Solaris 8 before patch 119068-04
Solaris 9 before patch 112786-46
Solaris 10 before patch 119060-18
JDS release 2 (Solaris 9)
The vendor provides updated packages.
Vendor advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102714-1
(c) of the German summary by DFN-CERT Services GmbH; distribution,
including of excerpts, is permitted only with attribution to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.
Kind regards,
Klaus Moeller, DFN-CERT Services GmbH
Sun(sm) Alert Notification
* Sun Alert ID: 102714
* Synopsis: Security Vulnerability With Integer Multiplication Within
libXfont Affects Solaris X11 Servers
* Category: Security
* Product: Solaris 9 Operating System, Solaris 10 Operating System,
Solaris 8 Operating System
* BugIDs: 6465806, 6465805
* Avoidance: Patch, Workaround
* State: Workaround
* Date Released: 14-Nov-2006
* Date Closed:
* Date Modified: 16-Nov-2006
1. Impact
The Xsun(1) server and Xorg(1) server are the X display servers for Version
11 of the X window system on Solaris.
There exists an overflow vulnerability when performing integer
multiplication within the libXfont library, as used by the X11 display
servers, which can cause a heap overflow while loading fonts. This may
allow a local unprivileged user to execute arbitrary commands with
elevated privileges or create a Denial of Service (DoS) to the display
managers.
This issue is described in the following documents:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
* http://www.idefense.com/intelligence/vulnerabilities/display.php?id=412
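The overflow class described above, as an added illustration in C that is not libXfont's or Sun's code: a font loader that sizes a glyph buffer with an unchecked 32-bit product (width * height * bytes per pixel) beside an overflow-checked version that rejects such a header before any allocation. The function names and the 16 MiB per-glyph cap are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define GLYPH_LIMIT ((size_t)16 << 20)   /* assumed per-glyph cap: 16 MiB */

/* Constructed example; names are assumptions, not libXfont identifiers.
 * Glyph dimensions are taken from an untrusted font file. */

/* Vulnerable pattern: width * height * bpp is computed in 32 bits, so
 * attacker-chosen dimensions wrap to a small value. A loader that mallocs
 * this many bytes and then copies the whole glyph overflows the heap. */
uint32_t unchecked_glyph_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* wraps modulo 2^32 */
}

/* Hardened pattern: reject zero dimensions and check each multiplication
 * against a limit before performing it. Returns 1 and sets *out, or 0 if
 * the header is malformed or the product would exceed limit. */
int checked_glyph_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t limit, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > limit / height)
        return 0;                  /* width * height would exceed limit */
    size_t area = (size_t)width * height;
    if (area > limit / bpp)
        return 0;                  /* area * bpp would exceed limit */
    *out = area * bpp;
    return 1;
}

/* Loader using the hardened size: allocates and copies only when the declared
 * dimensions fit both the cap and the bytes present; NULL on rejection. */
unsigned char *load_glyph(uint32_t width, uint32_t height, uint32_t bpp,
                          const unsigned char *data, size_t data_len)
{
    size_t need;
    if (!checked_glyph_bytes(width, height, bpp, GLYPH_LIMIT, &need))
        return NULL;
    if (need > data_len)
        return NULL;               /* file shorter than the header claims */
    unsigned char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    memcpy(buf, data, need);
    return buf;
}
```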
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 8 without patch 119067-04
* Solaris 9 without patch 112785-57
* Solaris 10 without patch 119059-19
x86 Platform
* Solaris 8 without patch 119068-04
* Solaris 9 without patch 112786-46
* JDS release 2 (for Solaris 9)
* Solaris 10 without patch 119060-18
Note: Xorg(1) is not shipped in Solaris 8
To determine the version of JDS that is currently installed on the system,
run the following command (output will vary by platform):
% grep platform /usr/share/gnome/gnome-about/gnome-version.xml
<platform>2</platform>
Alternatively (for the same results), in a terminal window from within the
GNOME desktop, the following command can be run:
% /usr/bin/gnome-about
3. Symptoms
There are no predictable symptoms that would indicate that this issue has
been exploited to execute arbitrary commands with elevated privileges. The
symptom of the Denial of Service (DoS) would be the absence of either the
Xsun(1) or Xorg(1) server running on the system.
Solution Summary
4. Relief/Workaround
To prevent this issue from being exploited to execute arbitrary commands
with elevated privileges, the setuid(2) bit can be removed from the Xorg
server and the Xsun server on the x86 platform and the setgid(2) bit can be
removed from the Xsun server on the SPARC platform. For example:
# chmod 0755 /usr/openwin/bin/Xsun
# chmod 0755 /usr/X11/bin/Xorg
Note 1: Performing the above procedure will disable the following:
* The ability to start either the Xsun(1) or Xorg(1) server from the
command line for non-root users on the Solaris x86 platform.
* The ability of Xsun(1) and Xorg(1) to open Unix domain sockets and named
pipe transports in the protected "/tmp/.X11-*" directories.
* The ability to configure Power Management and Interactive Process
Priority control on Solaris SPARC.
These features will still be available to Xsun and Xorg when started via a
display manager such as dtlogin(1), gdm(1), or xdm(1).
Note 2: There is no workaround to prevent this issue from being exploited to
cause a Denial Of Service to the X Servers.
Note 3: The "chmod" command for Xorg(1) is applicable only to Solaris 9 and
10.
Note 4: Local users on the console of a system using an X display manager
and Sun Ray users may still be able to exploit this vulnerability to execute
arbitrary commands with elevated privileges even if the setuid and setgid
permissions have been removed from the Xsun and Xorg binaries.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 8 with patch 119067-04 or later
* Solaris 9 with patch 112785-57 or later
* Solaris 10 with patch 119059-19 or later
x86 Platform
* Solaris 8 with patch 119068-04 or later
* Solaris 9 with patch 112786-46 or later
* Solaris 10 with patch 119060-18 or later
A final resolution is pending completion.
Change History
16-Nov-2006:
* Updated Contributing Factors, Relief/Workaround, and Resolution sections
This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
proprietary and confidential information. It is being provided to you
pursuant to the provisions of your agreement to purchase services from Sun,
or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
Alert notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.