Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > November 2005 > Two Sun Alert Notifications: 1. 102041 - Security Vulnerability in the libexif JPEG Image Processing Library 2. 102060 - Security Vulnerabilities in the traceroute(1M) Utility may Allow Elevated Privileges

November 2005

Two Sun Alert Notifications: 1. 102041 - Security Vulnerability in the libexif JPEG Image Processing Library 2. 102060 - Security Vulnerabilities in the traceroute(1M) Utility may Allow Elevated Privileges

ID: 01046
Ref: 981/2005
Date: 25 November 2005:11:06:39
Version: 1
Title: Two Sun Alert Notifications: 1. 102041 - Security Vulnerability in the libexif JPEG Image Processing Library 2. 102060 - Security Vulnerabilities in the traceroute(1M) Utility may Allow Elevated Privileges
Abstract:
Vendors affected: Sun
Operating systems affected: Sun
Applications affected: Sun

Title
=====

Two Sun Alert Notifications:

1. 102041 - Security Vulnerability in the libexif JPEG Image
Processing Library

2. 102060 - Security Vulnerabilities in the traceroute(1M) Utility
may Allow Elevated Privileges

Detail
======

1. A security vulnerability in the libexif JPEG image processing library
may allow a remote unprivileged user who provides a carefully crafted
JPEG image the ability to execute arbitrary code with the privileges
of a local user who opens that image. Furthermore, a remote user may
be able to create a Denial of Service (DOS) attack by using a
carefully crafted JPEG image.

2. Multiple security vulnerabilities in the traceroute(1M) utility may
allow an unauthorized local user the ability to execute arbitrary code
with elevated privileges. The traceroute(1M) utility in Solaris 10 is
privilege aware and thus the only additional privilege available is
PRIV_NET_RAWACCESS (see privileges(5)). This limits the impact by only
allowing access to the network layer.



1.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================


ESB-2005.0945 -- Sun Alert Notification 102041
Security Vulnerability in the libexif JPEG Image Processing Library
25 November 2005

===========================================================================

Product: libexif
Publisher: Sun Microsystems
Operating System: Solaris 10
Solaris 9
Sun Java Desktop System Release 2
Sun Java Desktop System 2003
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CAN-2005-0664

Ref: ESB-2005.0315

Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102041-1

- - --------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
* Sun Alert ID: 102041
* Synopsis: Security Vulnerability in the libexif JPEG Image
Processing Library
* Category: Security
* Product: Solaris 9 Operating System, Solaris 10 Operating System,
Sun Java Desktop System Release 2, Sun Java Desktop System 2003
* BugIDs: 6257383, 6345703
* Avoidance: Patch, Workaround
* State: Resolved
* Date Released: 23-Nov-2005
* Date Closed: 23-Nov-2005
* Date Modified:

1. Impact

A security vulnerability in the libexif JPEG image processing library
may allow a remote unprivileged user who provides a carefully crafted
JPEG image the ability to execute arbitrary code with the privileges
of a local user who opens that image. Furthermore, a remote user may
be able to create a Denial of Service (DOS) attack by using a
carefully crafted JPEG image.

This issue may occur with applications linked against the libexif
library, including (but not limited to), the Eye of Gnome (eog)
application, which is distributed as part of the Java Desktop System.

Note: Most digital cameras produce EXIF files, which are Joint
Photographic Experts Group (JPEG) files with extra tags that contain
information about the image. The EXIF library allows you to parse an
EXIF file and read the data from those tags.

This issue is described in the following documents:
* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0664
* http://www.novell.com/linux/security/advisories/2005_11_sr.html

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
* Solaris 10 without patch 121095-01

x86 Platform
* Java Desktop System (JDS) Release 2 (for Solaris 9) without patch
121093-01
* Solaris 10 without patch 121096-01

Linux
* Sun Java Desktop System (JDS) release 2003
* Sun Java Desktop System (JDS) Release 2 without the updated RPMs
(patch-9996)

Note: Solaris 8 and Solaris 9 are not affected by this issue.

The described issue only occurs on JDS for Linux with libexif versions
libexif-0.5.3-91 or earlier.

To determine if libexif is installed on a Solaris system, the
following command can be used:
% pkginfo SUNWlibexif
GNOME2 SUNWlibexif libexif

To determine the release of JDS for Linux installed on a system, the
following command can be used:
% cat /etc/sun-release
Sun Java Desktop System, Release 2 -build 10b (GA)
Assembled 30 March 2004

To determine the version of libexif installed on a JDS for Linux
system, the following command can be run:
% rpm -qf /usr/lib/libexif.so.5
libexif-0.5.3-91


3. Symptoms

There are no predictable symptoms that would indicate the described
issue has been exploited.

4. Relief/Workaround

To avoid the described issue, do not load JPEG images from untrusted
sources.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
* Solaris 10 with patch 121095-01 or later

x86 Platform
* Java Desktop System (JDS) Release 2 (for Solaris 9) with patch
121093-01 or later
* Solaris 10 with patch 121096-01 or later

Linux
* Sun Java Desktop System (JDS) Release 2 with the updated RPMs
(patch-9996)

To download and install the updated RPMs from the update servers,
select the following sequence from the "launch" menu:
Launch >> Applications >> System Tools >> Online Update

For more information on obtaining updates see:
* http://wwws.sun.com/software/javadesktopsystem/faq.html#5q5
* http://wwws.sun.com/software/javadesktopsystem/faq.html#5q7

Note: Sun Java Desktop System (JDS) release 2003 is no longer
supported and will require an upgrade to a later release with the
associated patches installed to address this issues.

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.

Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

- - --------------------------END INCLUDED TEXT--------------------

2.

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================


ESB-2005.0946 -- Sun Alert Notification 102060
Security Vulnerabilities in the traceroute(1M) Utility may
Allow Elevated Privileges
25 November 2005

===========================================================================



Product: traceroute
Publisher: Sun Microsystems
Operating System: Solaris 10
Impact: Increased Privileges
Access: Existing Account
CVE Names: CAN-2005-2071

Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102060-1

- - --------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
* Sun Alert ID: 102060
* Synopsis: Security Vulnerabilities in the traceroute(1M) Utility
may Allow Elevated Privileges
* Category: Security
* Product: Solaris 10 Operating System
* BugIDs: 6290623, 6290611
* Avoidance: Patch, Workaround
* State: Resolved
* Date Released: 23-Nov-2005
* Date Closed: 23-Nov-2005
* Date Modified:

1. Impact

Multiple security vulnerabilities in the traceroute(1M) utility may
allow an unauthorized local user the ability to execute arbitrary code
with elevated privileges. The traceroute(1M) utility in Solaris 10 is
privilege aware and thus the only additional privilege available is
PRIV_NET_RAWACCESS (see privileges(5)). This limits the impact by only
allowing access to the network layer.

These issues are described in the following document:
* http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2071

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
* Solaris 10 without patch 121012-01

x86 Platform
* Solaris 10 without patch 121013-01

Note: Solaris 8 and Solaris 9 are not affected by this issue.

3. Symptoms

There are no reliable symptoms that would indicate the described issue
has been exploited.

4. Relief/Workaround

To work around the described issue, the "set user ID bit" (suid) may
be removed from the traceroute(1M) binary (or the binary may be
removed altogether), which will render it unusable to non-root users.

To remove the suid bit, run the following command as root user:
# chmod u-s /usr/sbin/traceroute


5. Resolution

This issue is addressed in the following releases:

SPARC Platform
* Solaris 10 with patch 121012-01 or later

x86 Platform
* Solaris 10 with patch 121013-01 or later

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.

Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

- - --------------------------END INCLUDED TEXT--------------------
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |