Date: 12 March 2007
References: ESB-2006.0597 ESB-2006.0661 ESB-2006.0662
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ESB-2006.0848 -- [Solaris]
Security Vulnerability With Integer Multiplication Within
libXfont Affects Solaris X11 Servers
12 March 2007
AusCERT Security Bulletin Summary
Product: Solaris 9, Solaris 10, Solaris 8 Operating Systems
Publisher: Sun Microsystems
Operating System: Solaris
Impact: Increased Privileges
Execute Arbitrary Code/Commands
Denial of Service
CVE Names: CVE-2006-3467
Revision History: March 12 2007: Resolved by Sun.
January 24 2006: Updated to reference X.Org patches
November 20 2006: Updated details, patch released.
November 16 2006: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Sun(sm) Alert Notification
* Sun Alert ID: 102714
* Synopsis: Security Vulnerability With Integer Multiplication
Within libXfont Affects Solaris X11 Servers
* Category: Security
* Product: Solaris 9 Operating System, Solaris 10 Operating System,
Solaris 8 Operating System
* BugIDs: 6465806, 6465805
* Avoidance: Patch, Workaround
* State: Resolved
* Date Released: 14-Nov-2006, 09-Mar-2007
* Date Closed: 09-Mar-2007
* Date Modified: 16-Nov-2006, 22-Jan-2007, 09-Mar-2007
The Xsun(1) server and Xorg(1) server are the X display servers for
Version 11 of the X window system on Solaris.
There exists an overflow vulnerability when performing integer
multiplication within the libXfont library, as used by the X11 display
servers, that can cause a heap overflow while loading the fonts. This
may allow a local unprivileged user to be able to execute arbitrary
commands with elevated privileges or create a Denial of Service (DoS)
to the display managers.
This issue is described in the following documents:
2. Contributing Factors
This issue can occur in the following releases:
* Solaris 8 without patch 119067-04
* Solaris 9 without patch 112785-57
* Solaris 10 without patch 119059-19
* Solaris 8 without patch 119068-04
* Solaris 9 without patch 112786-46
* JDS release 2 (for Solaris 9) without patch 124833-01
* Solaris 10 without patch 119060-18
* Solaris 10 with X.Org without patches 119060-18 and
Note: Xorg(1) is not shipped in Solaris 8
To determine the version of JDS that is currently installed on the
system, run the following command (output will vary by platform):
% grep platform /usr/share/gnome/gnome-about/gnome-version.xml
Alternatively (for the same results), in a terminal window from within
the GNOME desktop, the following command can be run:
There are no predictable symptoms that would indicate that this issue
has been exploited to execute arbitrary commands with elevated
privileges. The symptom of the Denial of Service (DoS) would be the
absence of either the Xsun(1) or Xorg(1) server running on the system.
To prevent this issue from being exploited to execute arbitrary
commands with elevated privileges, the setuid(2) bit can be removed
from the Xorg server and the Xsun server on the x86 platform and the
setgid(2) bit can be removed from the Xsun server on the SPARC
platform. For example:
# chmod 0755 /usr/openwin/bin/Xsun
# chmod 0755 /usr/X11/bin/Xorg
Note 1: Performing the above procedure will disable the following:
* The ability to start either the Xsun(1) or Xorg(1) server from the
command line for non-root users on the Solaris x86 platform.
* The ability of Xsun(1) and Xorg(1) to open Unix domain sockets and
named pipe transports in the protected "/tmp/.X11-*" directories.
* The ability to configure Power Management and Interactive Process
Priority control on Solaris SPARC.
These features will still be available to Xsun and Xorg when started
via a display manager such as dtlogin(1), gdm(1), or xdm(1).
Note 2: There is no workaround to prevent this issue from being
exploited to cause a Denial Of Service to the X Servers.
Note 3: The "chmod" command for Xorg(1) is applicable only to Solaris
9 and 10.
Note 4: Local users on the console of a system using an X display
manager and Sun Ray users may still be able to exploit this
vulnerability to execute arbitrary commands with elevated privileges
even if the setuid and setgid permissions have been removed from the
Xsun and Xorg binaries.
This issue is addressed in the following releases:
* Solaris 8 with patch 119067-04 or later
* Solaris 9 with patch 112785-57 or later
* Solaris 10 with patch 119059-19 or later
* Solaris 8 with patch 119068-04 or later
* Solaris 9 with patch 112786-46 or later
* JDS release 2 (for Solaris 9) with patch 124833-01 or later
* Solaris 10 with patch 119060-18 or later
* Solaris 10 with X.Org patches 119060-18 or later and
119062-02 or later
* Updated Contributing Factors, Relief/Workaround, and Resolution
* Updated Contributing Factors and Resolution sections
* State: Resolved
* Updated Contributing Factors and Relief/Workaround sections
This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
notification may only be used for the purposes contemplated by these
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----