Vous êtes ici: index » cert » avis

Avis du CERT RENATER

Par défaut, cette page vous affichera les derniers messages envoyés par le CERT RENATER à la communauté. Vous pouvez affiner par année ou par type de message. Si aucun critère n'est précisé, seuls les derniers messages sont affichés

Date : Fri, 17 Nov 2006 10:06:30 +0100
Type : VULN
Sujet : CERT-Renater : 2006/VULN534 (Sun: Security Vulnerability With Integer Multiplication Within libXfont)
====================================================================                                    CERT-Renater

                         Note d'Information No. 2006/VULN534
_____________________________________________________________________

DATE                      : 17/11/2006

HARDWARE PLATFORM(S)      :

OPERATING SYSTEM(S)       : Solaris 9, Solaris 8, Solaris 10 running libXfont.

======================================================================

Sun(sm) Alert Notification
      * Sun Alert ID: 102714
      * Synopsis: Security Vulnerability With Integer Multiplication
        Within libXfont Affects Solaris X11 Servers
      * Category: Security
      * Product: Solaris 9 Operating System, Solaris 10 Operating System,
        Solaris 8 Operating System
      * BugIDs: 6465806, 6465805
      * Avoidance: Workaround
      * State: Workaround
      * Date Released: 14-Nov-2006
      * Date Closed:
      * Date Modified:

1. Impact

    The Xsun(1) server and Xorg(1) server are the X display servers for
    Version 11 of the X window system on Solaris.

    There exists an overflow vulnerability when performing integer
    multiplication within the libXfont library, as used by the X11 display
    servers, that can cause a heap overflow while loading the fonts. This
    may allow a local unprivileged user to be able to execute arbitrary
    commands with elevated privileges or create a Denial of Service (DoS)
    to the display managers.

    This issue is described in the following documents:
      * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467
      * http://www.idefense.com/intelligence/vulnerabilities/display.ph
        p?idA2

2. Contributing Factors

    This issue can occur in the following releases:

    SPARC Platform
      * Solaris 8
      * Solaris 9
      * Solaris 10

    x86 Platform
      * Solaris 8
      * Solaris 9
      * JDS release 2 (for Solaris 9)
      * Solaris 10

    Note: Xorg(1) is not shipped in Solaris 8

    To determine the version of JDS that is currently installed on the
    system, run the following command (output will vary by platform):
     % grep platform /usr/share/gnome/gnome-about/gnome-version.xml
     2

    Alternatively (for the same results), in a terminal window from within
    the GNOME desktop, the following command can be run:
     % /usr/bin/gnome-about


3. Symptoms

    There are no predictable symptoms that would indicate that this issue
    has been exploited to execute arbitrary commands with elevated
    privileges. The symptom of the Denial of Service (DoS) would be the
    absence of either the Xsun(1) or Xorg(1) server running on the system.

4. Relief/Workaround

    To prevent this issue from being exploited to execute arbitrary
    commands with elevated privileges, the setuid(2) bit can be removed
    from the Xorg server and the Xsun server on the x86 platform and the
    setgid(2) bit can be removed from the Xsun server on the SPARC
    platform. For example:
     # chmod 0755 /usr/openwin/bin/Xsun
     # chmod 0755 /usr/X11/bin/Xorg

    Note 1: Performing the above procedure will disable the following:
      * The ability to start either the Xsun(1) or Xorg(1) server from the
        command line for non-root users on the Solaris x86 platform.
      * The ability of Xsun(1) and Xorg(1) to open Unix domain sockets and
        named pipe transports in the protected "/tmp/.X11-*" directories.
      * The ability to configure Power Management and Interactive Process
        Priority control on Solaris SPARC.

    These features will still be available to Xsun and Xorg when started
    via a display manager such as dtlogin(1), gdm(1), or xdm(1).

    Note 2: There is no workaround to prevent this issue from being
    exploited to cause a Denial Of Service to the X Servers.

    Note 3: The "chmod" command for Xorg(1) is applicable only to Solaris
    9 and 10.

5. Resolution

    A final resolution for Solaris is pending completion.

    This Sun Alert notification is being provided to you on an "AS IS"
    basis. This Sun Alert notification may contain information provided by
    third parties. The issues described in this Sun Alert notification may
    or may not impact your system(s). Sun makes no representations,
    warranties, or guarantees as to the information contained herein. ANY
    AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
    WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
    YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
    OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
    This Sun Alert notification contains Sun proprietary and confidential
    information. It is being provided to you pursuant to the provisions of
    your agreement to purchase services from Sun, or, if you do not have
    such an agreement, the Sun.com Terms of Use. This Sun Alert
    notification may only be used for the purposes contemplated by these
    agreements.

    Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
    Clara, CA 95054 U.S.A. All rights reserved

======================================================================

           =========================================================
           Les serveurs de référence du CERT-Renater
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================