CPNI - Centre for the Protection of National Infrastructure

April 2005

Two Sun Alert Notifications: 1. 57768 - Multiple Security Vulnerabilities in Xsun and Xprt Server Font Handling 2. 57769 - Multiple Security Vulnerabilities in libtiff(3)

ID: 00361
Ref: 335/2005
Date: 29 April 2005:14:50:12
Version: 1

Title: Two Sun Alert Notifications: 1. 57768 - Multiple Security Vulnerabilities in Xsun and Xprt Server Font Handling 2. 57769 - Multiple Security Vulnerabilities in libtiff(3)
Abstract:
Vendors affected: Sun
Operating systems affected: Sun
Applications affected: Sun

Title
=====

Two Sun Alert Notifications:

1. 57768 - Multiple Security Vulnerabilities in Xsun and Xprt Server Font Handling

2. 57769 - Multiple Security Vulnerabilities in libtiff(3)

Detail
======

1. Xsun(1), the Solaris server for X Version 11, and Xprt(1),
the Solaris print server for X Version 11, contain multiple buffer
overflows in the handling of the "font.alias" file which may allow a
local unprivileged user to execute arbitrary code with the privileges
of the Xsun or Xprt server. The Xsun server runs with "gid root"
privileges on Solaris SPARC systems and "uid root" privileges on
Solaris x86 systems. The Xprt server runs with "gid root" privileges
on both SPARC and x86 systems.

2. Multiple security vulnerabilities have been found in
libtiff(3), a library for reading and writing Tag Image File Format
(TIFF) files. These vulnerabilities may allow a remote unprivileged
user to execute arbitrary code with the privileges of a local user if
that local user has loaded a TIFF image file (.tiff) supplied by an
untrusted user. The remote user may be able to crash the TIFF image
viewing program as well. The TIFF image files may be picked up in
e-mail or from an untrusted web site.




1.





===========================================================================


ESB-2005.0338 -- Sun Alert Notification 57768
Multiple Security Vulnerabilities in Xsun and Xprt Server Font Handling
26 April 2005

===========================================================================



Product:           Xsun(1)
                   Xprt(1)
Publisher:         Sun Microsystems
Operating System:  Solaris 9
                   Solaris 8
                   Solaris 7
Platform:          SPARC
                   IA-32
Impact:            Root Compromise
Access:            Existing Account
CVE Names:         CAN-2004-0084 CAN-2004-0083

Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57768-1

--------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
* Sun Alert ID: 57768
* Synopsis: Multiple Security Vulnerabilities in Xsun and Xprt
Server Font Handling
* Category: Security
* Product: Solaris
* BugIDs: 4995611, 4989547
* Avoidance: Patch
* State: Resolved
* Date Released: 18-Apr-2005
* Date Closed: 18-Apr-2005
* Date Modified:

1. Impact

Xsun(1), the Solaris server for X Version 11, and Xprt(1),
the Solaris print server for X Version 11, contain multiple buffer
overflows in the handling of the "font.alias" file which may allow a
local unprivileged user to execute arbitrary code with the privileges
of the Xsun or Xprt server. The Xsun server runs with "gid root"
privileges on Solaris SPARC systems and "uid root" privileges on
Solaris x86 systems. The Xprt server runs with "gid root" privileges
on both SPARC and x86 systems.

This issue is described in the following documents:

CVE CAN-2004-0083 at
[2]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083

CVE CAN-2004-0084 at
[3]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

* Solaris 7 without patch [4]108376-45
* Solaris 8 without patch 108652-80
* Solaris 9 without patch [5]112785-34

x86 Platform

* Solaris 7 without patch [6]108377-40
* Solaris 8 without patch 108653-69
* Solaris 9 without patch [7]112786-36

Note: Solaris 10 is not affected by this issue.

3. Symptoms

There are no predictable symptoms that would indicate the
described issue has been exploited.

Solution Summary

4. Relief/Workaround

To work around the described issue, do the following:

1. Remove the setuid(2) and/or setgid(2) bit from Xsun and Xprt
2. Configure dtlogin(1X) not to run Xsun as "root"

1. To remove the setuid(2) and/or setgid(2) bit from Xsun and Xprt,
the following command can be run as "root":

# chmod 0755 /usr/openwin/bin/Xsun /usr/openwin/bin/Xprt


2. To configure dtlogin not to run Xsun as "root", copy
"/usr/dt/config/Xservers" to "/etc/dt/config/Xservers" and change the
following line from:

:0 Local local_uid@console root /usr/X11/bin/Xserver :0 -nobanner


to

:0 Local local@console /usr/openwin/bin/Xsun :0 -nobanner


WARNING: Performing the above procedure will disable:

* all ability to run Xsun on Solaris x86
* power management and Interactive Process Priority control on
Solaris SPARC
* Sun Ray support
* Xsun and Xprt ability to open Unix domain sockets and named pipe
transports in the protected /tmp/.X11-* directories

5. Resolution

This issue is addressed in the following releases:

SPARC Platform

* Solaris 7 with patch [9]108376-45 or later
* Solaris 8 with patch 108652-80 or later
* Solaris 9 with patch [10]112785-34 or later

x86 Platform

* Solaris 7 with patch [11]108377-40 or later
* Solaris 8 with patch 108653-69 or later
* Solaris 9 with patch [12]112786-36 or later
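
The patch levels and the setuid/setgid workaround listed above can be checked mechanically. The script below is an added example, not part of the Sun Alert: it assumes `showrev -p` style input lines ("Patch: 108652-80 ..."), runs on constructed sample data and a stand-in file, and its function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the Sun Alert. Function names are illustrative.

# patch_ok REQUIRED: reads `showrev -p` style lines on stdin and succeeds if
# the same base patch is listed at REQUIRED's revision or later.
# Limitation: a different patch ID that obsoletes REQUIRED is not recognised.
patch_ok() {
    awk -v base="${1%-*}" -v rev="${1#*-}" '
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 >= rev + 0) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# has_setid FILE: succeeds if FILE carries a setuid or setgid bit.
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# assess REQUIRED SHOWREV_TEXT FILE...
# Prints "patched", "workaround" (unpatched, no set-id bit left on any FILE)
# or "exposed" (unpatched and at least one FILE is still setuid/setgid).
assess() {
    req=$1; text=$2; shift 2
    if printf '%s\n' "$text" | patch_ok "$req"; then echo patched; return; fi
    for f in "$@"; do
        if has_setid "$f"; then echo exposed; return; fi
    done
    echo workaround
}

# Constructed sample: Solaris 8 SPARC host still at revision 74 of 108652.
SAMPLE='Patch: 108528-29 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 108652-74 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwplt'

# Demo on a constructed stand-in file. On a real host use:
#   assess 108652-80 "$(showrev -p)" /usr/openwin/bin/Xsun /usr/openwin/bin/Xprt
demo() {
    d=$(mktemp -d) && : > "$d/Xsun" && chmod 4755 "$d/Xsun"
    assess 108652-80 "$SAMPLE" "$d/Xsun"    # exposed
    chmod 0755 "$d/Xsun"
    assess 108652-80 "$SAMPLE" "$d/Xsun"    # workaround
    rm -rf "$d"
}
demo
```

A "workaround" result still carries the functional losses listed in the WARNING above, so it is a stopgap until the patch is installed.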

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.

Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.


References

1. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57768-1#top
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084
4. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-108376-45-1
5. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-112785-34-1
6. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-108377-40-1
7. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-112786-36-1
8. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57768-1#top
9. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-108376-45-1
10. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-112785-34-1
11. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-108377-40-1
12. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-112786-36-1

--------------------------END INCLUDED TEXT--------------------




2.



===========================================================================


ESB-2005.0344 -- Sun Alert Notification 57769
Multiple Security Vulnerabilities in libtiff(3)
27 April 2005

===========================================================================


Product:           libtiff(3)
Publisher:         Sun Microsystems
Operating System:  Solaris 10
                   Solaris 9
                   Solaris 8
                   Solaris 7
Impact:            Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated
CVE Names:         CAN-2004-1308 CAN-2004-0886 CAN-2004-0804
                   CAN-2004-0803

Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57769-1

Comment: The libtiff library is installed with OpenWindows, CDE, or packages
SUNWTiff and SUNWTiffx.

--------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
* Sun Alert ID: 57769
* Synopsis: Multiple Security Vulnerabilities in libtiff(3)
* Category: Security
* Product: Solaris
* BugIDs: 6217996, 6203734, 6203747, 6203736
* Avoidance: Workaround, Patch
* State: Committed
* Date Released: 25-Apr-2005
* Date Closed:
* Date Modified:

1. Impact

Multiple security vulnerabilities have been found in
libtiff(3), a library for reading and writing Tag Image File Format
(TIFF) files. These vulnerabilities may allow a remote unprivileged
user to execute arbitrary code with the privileges of a local user if
that local user has loaded a TIFF image file (.tiff) supplied by an
untrusted user. The remote user may be able to crash the TIFF image
viewing program as well. The TIFF image files may be picked up in
e-mail or from an untrusted web site.

These issues are described in the following documents:

* CERT Vulnerability VU#948752 (http://www.kb.cert.org/vuls/id/948752)
which is referenced in CAN-2004-0803
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0803)
* CERT Vulnerability VU#555304 (http://www.kb.cert.org/vuls/id/555304)
which is referenced in CAN-2004-0804
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0804)
* CERT Vulnerability VU#687568 (http://www.kb.cert.org/vuls/id/687568)
which is referenced in CAN-2004-0886
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0886)
* CERT Vulnerability VU#125598 (http://www.kb.cert.org/vuls/id/125598)
which is referenced in CAN-2004-1308
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1308)

2. Contributing Factors

These issues can occur in the following releases:

SPARC Platform

* Solaris 7 (OpenWindows) without patch 118953-02 [1]
* Solaris 8 (CDE) without patch 109931-10 [2]
* Solaris 9 (CDE) without patch 114219-11 [3]
* Solaris 9 (with package SUNWTiff or SUNWTiffx)
* Solaris 10 (with package SUNWTiff installed)

x86 Platform

* Solaris 7 (OpenWindows) without patch 118954-02 [4]
* Solaris 8 (CDE) without patch 109932-10 [5]
* Solaris 9 (CDE) without patch 114220-11 [6]
* Solaris 9 (with package SUNWTiff or SUNWTiffx)
* Solaris 10 (with package SUNWTiff installed)

Note 1:

In Solaris 8 the libtiff(3) library may be installed in the following
directories:

/usr/openwin/lib (OpenWindows)
/usr/dt/lib/sdtimage (CDE)

In Solaris 9 the libtiff(3) library may be installed in the following
directories:

/usr/sfw/lib (SUNWTiff)
/usr/sfw/lib/sparcv9 (SUNWTiffx)
/usr/openwin/lib (OpenWindows)
/usr/dt/lib/sdtimage (CDE)

In Solaris 10 the libtiff(3) library may be installed in the following
directories:

/usr/lib
/usr/lib/sparcv9

Note 2:

Sun includes libtiff(3) on the Solaris Companion CD for Solaris 8
(http://wwws.sun.com/software/solaris/freeware/index.html) as an
unsupported package which installs to "/opt/sfw" and is vulnerable to
this issue. Sites using libtiff from the Solaris Companion CD will
have to upgrade to a later version.

3. Symptoms

There are no reliable symptoms that would show the
described issues have been exploited.

Solution Summary

4. Relief/Workaround

To work around the described issues, do not load
TIFF images from untrusted sources.

5. Resolution

These issues are addressed in the following releases:

SPARC Platform

* Solaris 7 (OpenWindows) with patch 118953-02 [7] or later
* Solaris 8 (CDE) with patch 109931-10 [8] or later
* Solaris 9 (CDE) with patch 114219-11 [9] or later

x86 Platform

* Solaris 7 (OpenWindows) with patch 118954-02 [10] or later
* Solaris 8 (CDE) with patch 109932-10 [11] or later
* Solaris 9 (CDE) with patch 114220-11 [12] or later

Note: This issue is not yet resolved in Solaris 9 (with package
SUNWTiff or SUNWTiffx)

A final resolution is pending completion.


References

1. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-118953-02-1
2. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109931-10-1
3. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114219-11-1
4. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-118954-02-1
5. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109932-10-1
6. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114220-11-1
7. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-118953-02-1
8. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109931-10-1
9. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114219-11-1
10. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-118954-02-1
11. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-109932-10-1
12. http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114220-11-1

--------------------------END INCLUDED TEXT--------------------

