=====================================================================
                            CERT-Renater

                 Information Note No. 2004/VULN412
_____________________________________________________________________

DATE                      : 21/09/2004

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Solaris.

======================================================================

Sun(sm) Alert Notification

  * Sun Alert ID: 26359
  * Synopsis: Buffer overflow in Xsun(1) in Solaris
  * Category: Security
  * Product: Solaris
  * BugIDs: 4356377, 4425845
  * Avoidance: Workaround, Patch
  * State: Resolved
  * Date Released: 15-Nov-2001
  * Date Closed: 17-Sep-2004
  * Date Modified: 17-Sep-2004

1. Impact

Unauthorized local users may be able to gain unauthorized root access
on Solaris x86 systems or gid root access on Solaris SPARC systems due
to a buffer overflow in the Xsun server.

2. Contributing Factors

This problem can occur in the following releases:

SPARC
  * Solaris 2.5 without patch [2]103210-31
  * Solaris 2.5.1 without patch [3]103566-56
  * Solaris 2.6 without patch [4]105633-55
  * Solaris 7 without patch 108376-25
  * Solaris 8 without patch 108652-30

Intel
  * Solaris 2.5
  * Solaris 2.5.1
  * Solaris 2.6
  * Solaris 7 without patch [5]108088-06
  * Solaris 8 without patch [6]109401-07

3. Symptoms

There are no symptoms that would show the described problem has been
exploited to gain unauthorized root access or gid root access to a
host.

Solution Summary

4. Relief/Workaround

Change the permissions for the Xsun server using the following command
as root:

    # chmod 0755 /usr/openwin/bin/Xsun

Warning: changing the permissions of the Xsun server will cause command
line programs which start the X server to fail, such as openwin(1) and
xinit(1). Therefore, this should only be done on systems that are
running CDE's dtlogin(1X) or xdm(1).

One way to verify whether CDE's dtlogin is in use is to check the
/etc/rc2.d directory for the S99dtlogin script. If it is present, it is
reasonably assured that dtlogin is started when the system boots.

Alternatively, use the "ps" command:

    ps -elf | grep dtlogin

to check whether the "dtlogin" process is currently running, which
indicates that CDE is used on this machine.

5. Resolution

This issue is addressed in the following releases:

SPARC
  * Solaris 2.5 with patch [8]103210-31 or later
  * Solaris 2.5.1 with patch [9]103566-56 or later
  * Solaris 2.6 with patch [10]105633-55 or later
  * Solaris 7 with patch 108376-25 or later
  * Solaris 8 with patch 108652-30 or later

Intel
  * Solaris 7 with patch [11]108088-06 or later
  * Solaris 8 with patch [12]109401-07 or later

Change History

17-Sep-2004:
  * State: Resolved

The problem described in this Sun(sm) Alert document may or may not be
experienced by your particular system(s). The information in this
Sun(sm) Alert document may be based upon information received from
third-parties. It is being provided to you "as is", for informational
purposes only. Sun does not make any representations, warranties, or
guaranties as to the quality, suitability, truth, accuracy or
completeness of any of the information. Sun shall not be liable for any
losses or damages suffered as a result of Customer's use or non-use of
the information.

References

  1. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-26359-1#top
  2. http://sunsolve.sun.com/search/document.do?assetkey=1-21-103210-31-1
  3. http://sunsolve.sun.com/search/document.do?assetkey=1-21-103566-56-1
  4. http://sunsolve.sun.com/search/document.do?assetkey=1-21-105633-55-1
  5. http://sunsolve.sun.com/search/document.do?assetkey=1-21-108088-06-1
  6. http://sunsolve.sun.com/search/document.do?assetkey=1-21-109401-07-1
  7. http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-26359-1#top
  8. http://sunsolve.sun.com/search/document.do?assetkey=1-21-103210-31-1
  9. http://sunsolve.sun.com/search/document.do?assetkey=1-21-103566-56-1
 10. http://sunsolve.sun.com/search/document.do?assetkey=1-21-105633-55-1
 11. http://sunsolve.sun.com/search/document.do?assetkey=1-21-108088-06-1
 12. http://sunsolve.sun.com/search/document.do?assetkey=1-21-109401-07-1

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
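
The patch-level check from section 5 and the permission workaround from section 4, combined into one host audit. This is an added example, not part of the Sun Alert or the CERT-Renater note. It assumes `showrev -p` output on standard input and the mode column of `ls -l /usr/openwin/bin/Xsun` as an argument; the function names and the sample patch list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert. Patch levels are copied from the
# advisory; written for a POSIX shell (assumption: ksh on Solaris of this era).

# Minimum fixed patch for `uname -p` ($1) and `uname -r` ($2); Solaris 2.x is
# SunOS 5.x, Solaris 7 is 5.7, Solaris 8 is 5.8.
required_patch() {
    case "$1/$2" in
        sparc/5.5)   echo 103210-31 ;;
        sparc/5.5.1) echo 103566-56 ;;
        sparc/5.6)   echo 105633-55 ;;
        sparc/5.7)   echo 108376-25 ;;
        sparc/5.8)   echo 108652-30 ;;
        i386/5.7)    echo 108088-06 ;;
        i386/5.8)    echo 109401-07 ;;
        i386/5.5|i386/5.5.1|i386/5.6) echo none ;;  # affected, no patch listed
        *)           echo unlisted ;;               # release not in the advisory
    esac
}

# Reads `showrev -p` output on stdin; prints "patched" if patch $1 (id-rev) is
# installed at that revision or later, else "unpatched".
patch_status() {
    base=${1%-*}; need=${1#*-}; result=unpatched
    while read -r tag id rest; do
        if [ "$tag" = "Patch:" ] && [ "${id%-*}" = "$base" ] &&
           [ "${id#*-}" -ge "$need" ]; then result=patched; fi
    done
    echo "$result"
}

# Verdict for one host: `showrev -p` output on stdin, $1 arch, $2 release,
# $3 mode column of `ls -l /usr/openwin/bin/Xsun`.
audit() {
    req=$(required_patch "$1" "$2")
    if [ "$req" = unlisted ]; then echo not-listed; return; fi
    if [ "$(patch_status "$req")" = patched ]; then echo fixed; return; fi
    case "$3" in
        ???[sS]*|??????[sS]*) echo exposed ;;    # setuid or setgid bit still set
        *)                    echo mitigated ;;  # workaround (chmod 0755) applied
    esac
}

# Constructed sample of `showrev -p` output (not taken from a real host).
SAMPLE='Patch: 999999-01 Obsoletes: Requires: Incompatibles: Packages: PKGexample
Patch: 108652-27 Obsoletes: Requires: Incompatibles: Packages: PKGexample'
printf '%s\n' "$SAMPLE" | audit sparc 5.8 -rwxr-sr-x
```

On a live host the same call would be `showrev -p | audit "$(uname -p)" "$(uname -r)" <mode>`, with `<mode>` taken from the first column of `ls -l /usr/openwin/bin/Xsun`.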