
[Sun] UPDATE: Vulnerability in the libX11 library - 102888



Dear colleagues,
we have just received the following bulletin from the SUN Customer Warning
System. We are passing this information on to you unchanged.

Please note that this is an update of the advisory, which concerns the
following changes:

  With this update, Sun announces the availability of patches for Solaris
  8 and 9 on SPARC and x86 platforms.

CVE-2007-1667 - Buffer overflow in the XGetPixel() function

  In the 'XGetPixel()' function of the X server, a buffer overflow can
  under certain circumstances be triggered in the application that uses
  the function. This happens when the function is called with a
  manipulated XImage structure as its parameter. If an attacker succeeds
  in exploiting the vulnerability, he can execute arbitrary commands with
  the privileges of the program.

The following software packages and platforms are affected:

  libX11.so

  SPARC platform
   - Solaris 8 before patch 119067-08
   - Solaris 9 before patch 112785-62
   - Solaris 10 before patch 119059-26

  x86 platform
   - Solaris 8 before patch 119068-08
   - Solaris 9 before patch 112786-51
   - Solaris 10 before patch 119060-25

The vendor provides revised packages.

Vendor advisory:
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-102888-1


(c) of the German summary is held by DFN-CERT Services GmbH;
distribution, including in excerpts, is permitted only with attribution
to the originator, DFN-CERT Services GmbH, and only for non-commercial
purposes.

Kind regards,
	Jan Kohlrausch
-- 
Jan Kohlrausch (CSIRT), Phone +49 40 808077-555

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737


Sun(sm) Alert Notification
     * Sun Alert ID: 102888
     * Synopsis: Security Vulnerability in libX11 for Solaris
     * Category: Security
     * Product: Solaris 9 Operating System, Solaris 10 Operating System,
       Solaris 8 Operating System
     * BugIDs: 6542279
     * Avoidance: Patch, Workaround
     * State: Resolved
     * Date Released: 24-Apr-2007, 25-Jul-2007
     * Date Closed: 25-Jul-2007
     * Date Modified: 11-Jul-2007, 25-Jul-2007

1. Impact

   A buffer overflow vulnerability in libX11 may allow a local unprivileged
   user to execute arbitrary code or commands with elevated
   privileges. The code or commands executed would run with the privileges of
   the application dynamically linked to the libX11 library. A number of
   programs shipped in Solaris and by third parties dynamically link with the
   libX11 library and run with elevated privileges. Applications that call
   XInitImage() with user-controllable parameters may be vulnerable, such as
   xwud(1) and ImageMagick, when loading X Window Dump (xwd) files with
   incorrect parameters.

   This issue is described in the following documents:

   CVE-2007-1667 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1667

   http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html

2. Contributing Factors

   This issue can occur in the following releases:

   SPARC Platform
     * Solaris 8 without patch 119067-08
     * Solaris 9 without patch 112785-62
     * Solaris 10 without patch 119059-26

   x86 Platform
     * Solaris 8 without patch 119068-08
     * Solaris 9 without patch 112786-51
     * Solaris 10 without patch 119060-25

   Notes:

   1) To determine if an application is linked against the libX11 library, the
   ldd(1) utility can be used as in the following example:
    $ ldd /path/to/application | grep libX11 || echo "application not affected"

   If output similar to the following is seen:
    libX11.so.4 =>   /usr/openwin/lib/libX11.so.4

   then the application links to libX11 and may be affected by this issue.

   2) To determine if an application uses the XInitImage(3X11) function the
   nm(1) command can be used if the application binary has not been stripped
   using strip(1). The file(1) command will report if a binary has been
   stripped. For example:
    $ file /usr/openwin/bin/xwud
    /usr/openwin/bin/xwud:  ELF 32-bit LSB executable 80386 Version 1 [FPU],
    dynamically linked, not stripped, no debugging information available

    $ nm /usr/openwin/bin/xwud | grep XInitImage
    [61]    | 134550036|         0|FUNC |GLOB |0    |UNDEF  |XInitImage

   Alternatively, the truss(1) utility can be used to determine if an
   application calls the XInitImage() function. For example:
    $ truss -f -t\!all -ulibX11:XInitImage: xwud -in file.xwd
    28243/1@1:      -> libX11:XInitImage(0x8047888)
    28243/1@1:      <- libX11:XInitImage() = 1
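
   The checks from Notes 1 and 2 combined into one triage script. This is an
   added example, not part of the Sun Alert; the function names and verdict
   strings are hypothetical, and the sample tool output is taken from the
   xwud examples above.

```shell
#!/bin/sh
# Added example: combines the ldd(1), file(1) and nm(1) checks from Notes 1-2.
# classify works on captured tool output so the logic can be checked offline.

# Sample output taken from the advisory's xwud examples.
SAMPLE_LDD='libX11.so.4 =>   /usr/openwin/lib/libX11.so.4'
SAMPLE_FILE='/usr/openwin/bin/xwud:  ELF 32-bit LSB executable 80386 Version 1 [FPU],
dynamically linked, not stripped, no debugging information available'
SAMPLE_NM='[61]    | 134550036|         0|FUNC |GLOB |0    |UNDEF  |XInitImage'

# Note 1: ldd output names libX11 as a dependency.
links_libx11() { printf '%s\n' "$1" | grep 'libX11\.so' >/dev/null; }

# Note 2: file(1) says "not stripped" when nm can still read the symbols.
has_symbols() { printf '%s\n' "$1" | grep 'not stripped' >/dev/null; }

# Note 2: exact symbol match, so names that merely contain XInitImage
# are not counted.
imports_xinitimage() { printf '%s\n' "$1" | grep '[| ]XInitImage$' >/dev/null; }

# $1 = ldd output, $2 = file output, $3 = nm output; prints one verdict.
classify() {
    if ! links_libx11 "$1"; then echo "not-linked"
    elif ! has_symbols "$2"; then echo "linked-stripped-check-with-truss"
    elif imports_xinitimage "$3"; then echo "linked-imports-XInitImage"
    else echo "linked-no-XInitImage-import"
    fi
}

# Run the real tools on one path and flag setuid/setgid binaries, which are
# the ones that run with elevated privileges.
audit_binary() {
    verdict=$(classify "$(ldd "$1" 2>/dev/null)" "$(file "$1" 2>/dev/null)" \
                       "$(nm "$1" 2>/dev/null)")
    if [ -u "$1" ] || [ -g "$1" ]; then verdict="$verdict,setid"; fi
    echo "$1: $verdict"
}

if [ "$#" -gt 0 ]; then
    for bin in "$@"; do audit_binary "$bin"; done
else
    echo "sample (xwud): $(classify "$SAMPLE_LDD" "$SAMPLE_FILE" "$SAMPLE_NM")"
fi
```

   A stripped binary that links libX11 cannot be cleared with nm(1); the
   verdict points to the truss(1) check shown above instead.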

3. Symptoms

   There are no predictable symptoms that would indicate the described issue
   has been exploited to execute arbitrary commands with elevated privileges on
   a system.

4. Relief/Workaround

   To avoid this issue, do not load X11 Window dump files from untrusted
   sources.

5. Resolution

   This issue is addressed in the following releases:

   SPARC Platform
     * Solaris 8 with patch 119067-08 or later
     * Solaris 9 with patch 112785-62 or later
     * Solaris 10 with patch 119059-26 or later

   x86 Platform
     * Solaris 8 with patch 119068-08 or later
     * Solaris 9 with patch 112786-51 or later
     * Solaris 10 with patch 119060-25 or later
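
   One way to check a host against the patch levels listed above, as an added
   example that is not part of the Sun Alert. The function names are
   hypothetical and the showrev(1M) lines are constructed; only revisions of
   the same patch ID are compared.

```shell
#!/bin/sh
# Added example: compare the installed patch revision with the fixed
# revisions from the advisory. The showrev(1M) sample lines are constructed.

SAMPLE_SHOWREV='Patch: 119059-20 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg
Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: EXAMPLEpkg'

# Fixed patch per platform/release: $1 = uname -p, $2 = uname -r.
fixed_patch() {
    case "$1/$2" in
        sparc/5.8)  echo 119067-08 ;;
        sparc/5.9)  echo 112785-62 ;;
        sparc/5.10) echo 119059-26 ;;
        i386/5.8)   echo 119068-08 ;;
        i386/5.9)   echo 112786-51 ;;
        i386/5.10)  echo 119060-25 ;;
        *) return 1 ;;
    esac
}

# Highest installed revision of patch ID $1 in "showrev -p" output on stdin;
# prints nothing when that patch ID is not installed.
installed_rev() {
    max=
    while read -r tag id rest; do
        [ "$tag" = "Patch:" ] || continue
        [ "${id%-*}" = "$1" ] || continue
        rev=${id#*-}
        if [ -z "$max" ] || [ "${rev#0}" -gt "${max#0}" ]; then max=$rev; fi
    done
    if [ -n "$max" ]; then echo "$max"; fi
}

# $1 = required patch (ID-revision); "showrev -p" output on stdin.
patch_status() {
    base=${1%-*}; need=${1#*-}
    have=$(installed_rev "$base")
    if [ -z "$have" ]; then echo "missing"
    elif [ "${have#0}" -ge "${need#0}" ]; then echo "fixed"
    else echo "vulnerable"
    fi
}

# On Solaris use the live patch list; elsewhere show the constructed sample.
if command -v showrev >/dev/null 2>&1; then
    req=$(fixed_patch "$(uname -p)" "$(uname -r)") &&
        echo "$req: $(showrev -p | patch_status "$req")"
else
    echo "sample: $(printf '%s\n' "$SAMPLE_SHOWREV" | patch_status 119059-26)"
fi
```

   A result of "missing" means the listed patch ID is not installed under that
   ID and the host needs a manual look.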

Change History

   11-Jul-2007:
     * Updated Contributing Factors and Resolution sections

   25-Jul-2007:
     * Updated Contributing Factors and Resolution sections
     * State: Resolved

   This Sun Alert notification is being provided to you on an "AS IS" basis.
   This Sun Alert notification may contain information provided by third
   parties. The issues described in this Sun Alert notification may or may not
   impact your system(s). Sun makes no representations, warranties, or
   guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
   HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
   IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
   CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
   INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
   proprietary and confidential information. It is being provided to you
   pursuant to the provisions of your agreement to purchase services from Sun,
   or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
   Alert notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.