Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > November 2006 > Sun Security Advisory: Sun Alert ID: 102714 - Security Vulnerability With Integer Multiplication Within libXfont Affects Solaris X11 Servers

November 2006

Sun Security Advisory: Sun Alert ID: 102714 - Security Vulnerability With Integer Multiplication Within libXfont Affects Solaris X11 Servers

ID: 00792
Ref: 751/2006
Date: 16 November 2006:14:15:23
Version: 1
Title: Sun Security Advisory: Sun Alert ID: 102714 - Security Vulnerability With Integer Multiplication Within libXfont Affects Solaris X11 Servers
Abstract:
Vendors affected: Sun
Operating systems affected: Sun
Applications affected: Sun
Title
=====

Sun Security Advisory: Sun Alert ID: 102714 - Security Vulnerability With Integer
Multiplication Within libXfont Affects Solaris X11 Servers

Detail
======

The Xsun(1) server and Xorg(1) server are the X display servers for
Version 11 of the X window system on Solaris.
There exists an overflow vulnerability when performing integer
multiplication within the libXfont library, as used by the X11 display
servers, that can cause a heap overflow while loading the fonts. This
may allow a local unprivileged user to be able to execute arbitrary
commands with elevated privileges or create a Denial of Service (DoS)
to the display managers.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================


ESB-2006.0848 -- [Solaris]
Security Vulnerability With Integer Multiplication Within
libXfont Affects Solaris X11 Servers
16 November 2006

===========================================================================



Product: Solaris 9, Solaris 10, Solaris 8 Operating Systems
Publisher: Sun Microsystems
Operating System: Solaris
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2006-3467

Ref: ESB-2006.0662
ESB-2006.0661
ESB-2006.0597

Original Bulletin:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-102714-1

- - --------------------------BEGIN INCLUDED TEXT--------------------

Sun(sm) Alert Notification
* Sun Alert ID: 102714
* Synopsis: Security Vulnerability With Integer Multiplication
Within libXfont Affects Solaris X11 Servers
* Category: Security
* Product: Solaris 9 Operating System, Solaris 10 Operating System,
Solaris 8 Operating System
* BugIDs: 6465806, 6465805
* Avoidance: Workaround
* State: Workaround
* Date Released: 14-Nov-2006
* Date Closed:
* Date Modified:

1. Impact

The Xsun(1) server and Xorg(1) server are the X display servers for
Version 11 of the X window system on Solaris.

There exists an overflow vulnerability when performing integer
multiplication within the libXfont library, as used by the X11 display
servers, that can cause a heap overflow while loading the fonts. This
may allow a local unprivileged user to be able to execute arbitrary
commands with elevated privileges or create a Denial of Service (DoS)
to the display managers.

This issue is described in the following documents:
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
* http://www.idefense.com/intelligence/vulnerabilities/display.ph
p?id=412

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
* Solaris 8
* Solaris 9
* Solaris 10

x86 Platform
* Solaris 8
* Solaris 9
* JDS release 2 (for Solaris 9)
* Solaris 10

Note: Xorg(1) is not shipped in Solaris 8

To determine the version of JDS that is currently installed on the
system, run the following command (output will vary by platform):
% grep platform /usr/share/gnome/gnome-about/gnome-version.xml
2

Alternatively (for the same results), in a terminal window from within
the GNOME desktop, the following command can be run:
% /usr/bin/gnome-about


3. Symptoms

There are no predictable symptoms that would indicate that this issue
has been exploited to execute arbitrary commands with elevated
privileges. The symptom of the Denial of Service (DoS) would be the
absence of either the Xsun(1) or Xorg(1) server running on the system.

4. Relief/Workaround

To prevent this issue from being exploited to execute arbitrary
commands with elevated privileges, the setuid(2) bit can be removed
from the Xorg server and the Xsun server on the x86 platform and the
setgid(2) bit can be removed from the Xsun server on the SPARC
platform. For example:
# chmod 0755 /usr/openwin/bin/Xsun
# chmod 0755 /usr/X11/bin/Xorg

Note 1: Performing the above procedure will disable the following:
* The ability to start either the Xsun(1) or Xorg(1) server from the
command line for non-root users on the Solaris x86 platform.
* The ability of Xsun(1) and Xorg(1) to open Unix domain sockets and
named pipe transports in the protected "/tmp/.X11-*" directories.
* The ability to configure Power Management and Interactive Process
Priority control on Solaris SPARC.

These features will still be available to Xsun and Xorg when started
via a display manager such as dtlogin(1), gdm(1), or xdm(1).

Note 2: There is no workaround to prevent this issue from being
exploited to cause a Denial Of Service to the X Servers.

Note 3: The "chmod" command for Xorg(1) is applicable only to Solaris
9 and 10.

5. Resolution

A final resolution for Solaris is pending completion.

This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert
notification may only be used for the purposes contemplated by these
agreements.

Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved

- - --------------------------END INCLUDED TEXT--------------------



iQCVAwUBRVv1RSh9+71yA2DNAQKi4QP9GxKEVqxE8xWCWLXOgYn3q/lsJ07GZl+M
R1VmxUrFhPLH8NH4Bmv+PobUkMkqRWf5sxXn6VcFglKNoL3hWBXc85ZUu4GBc0M/
uuWfLzLJbbBWCwYiSaNBF0WzLdpfSrpgyDhGmZG8F1sN1T1gZg4Y7kZtqfZ8INxs
0NhS+HOQ+Vs=
=xSP+
- -----END PGP SIGNATURE-----
  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |