Open Source and information security mailing list archives
Date: Tue, 01 Apr 2003 14:35:29 +0800
From: Alan Kong <kkkong@...cuhk.edu.hk>
To: bugtraq@...urityfocus.com
Subject: Re: NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability


Dear All,

I wonder whether Sunsolve has updated the security patches.

The following patches are still:

Solaris 2.6     106027-11
Solaris 2.6_x86 106028-11
Solaris 7       107702-11
Solaris 7_x86   107703-11
Solaris 8       109354-18

Regards
Alan



NSFOCUS Security Team wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>NSFOCUS Security Advisory(SA2003-03)
>
>Topic: Solaris dtsession Heap Buffer Overflow Vulnerability
>
>Release Date: 2003-03-31 
>
>CVE CAN ID: CAN-2003-0092
>
>Affected system:
>===================
>
>Sun Solaris 2.5.1 (SPARC/x86)
>Sun Solaris 2.6 (SPARC/x86)
>Sun Solaris 7   (SPARC/x86)
>Sun Solaris 8   (SPARC/x86)
>Sun Solaris 9   (SPARC/x86)
>
>Summary:
>=========
>
>NSFOCUS Security Team has found a buffer overflow vulnerability in dtsession
>which is an application in Sun Solaris system. Exploiting the vulnerability
>local attackers could gain root privilege.
>
>Description:
>============
>
>dtsession is a CDE session manager. It provides session management functionality
>that is compatible to ICCCM 1.1 during the users' session (from login to
>logout). It launches a window manager and allows to save/restore/lock session,
>to launch screen saver, and to allocate colors for desktop compatible clients.
>
>By default setuid root bit is set to CDE dtsession which is shipped
>with Solaris. Because valid length check has not been implemented when
>handling HOME variable, attackers could cause a heap buffer overflow. By
>carefully crafting data attackers could run arbitrary code with root privilege.
>
>Workaround:
>=============
>
>NSFOCUS suggests to disable suid root bit of dtsession temporarily:
># chmod a-s /usr/dt/bin/dtsession
>
>Note: This might prevent a user from being able to unlock the screen
>by the list of keyholders (including root).
>
>Vendor Status:
>==============
>
>2002-12-11  Informed the vendor.
>2002-12-13  The vendor confirmed the vulnerability.
>2003-03-31  The vendor released a Sun Alert and patches for this issue.
>
>The Sun Alert is available at:
>http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/52388
>
>The patches are:
>
>Solaris 2.6     106027-12
>Solaris 2.6_x86 106028-12
>Solaris 7       107702-12
>Solaris 7_x86   107703-12
>Solaris 8       109354-19
>Solaris 8_x86   109355-18
>Solaris 9       114497-01
>Solaris 9_x86   114498-01
>
>
>Additional Information:
>========================
>
>The Common Vulnerabilities and Exposures (CVE) project has assigned the
>name CAN-2003-0092 to this issue. This is a candidate for inclusion in the
>CVE list (http://cve.mitre.org), which standardizes names for security
>problems. Candidates may change significantly before they become official
>CVE entries.
>
>DISCLAIMS:
>==========
>THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
>OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
>EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
>BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
>INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
>EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
>DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
>ADVISORY IS NOT MODIFIED IN ANY WAY.
>
>Copyright 1999-2003 NSFOCUS. All Rights Reserved. Terms of use.
>
>
>NSFOCUS Security Team <security@...ocus.com>
>NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
>(http://www.nsfocus.com)
>
>PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
>Key fingerprint = F8F2 F5D1 EF74 E08C 02FE  1B90 D7BF 7877 C6A6 F6DA
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.0.7 (GNU/Linux)
>
>iD8DBQE+iBQm1794d8am9toRAv3WAJ4994uHKPzSHnebVe+yIVszubgXlACfZTGU
>CLatpbfB4pgze6IDBpxPOqc=
>=16Ev
>-----END PGP SIGNATURE-----
>
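
An added example, not part of either message above: a host-side check for the question raised in the reply, comparing `showrev -p` style output with a fixed revision from the advisory's patch list and reporting whether the setuid bit that the workaround clears is still set. The function names and the sample lines are constructed for illustration; it assumes a POSIX shell and an awk that accepts `-v`.

```shell
#!/bin/sh
# Added example. Fixed revisions come from the advisory's patch list;
# the sample input and function names are constructed for illustration.
# Needs an awk with -v (on Solaris, nawk rather than the old /usr/bin/awk).

# patch_status REQUIRED < showrev-output
# REQUIRED is "base-rev" as listed in the advisory, e.g. 109354-19.
# Prints: fixed NN | outdated NN | missing   (NN = highest installed revision)
patch_status() {
    awk -v req="$1" '
        BEGIN { split(req, r, "-") }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == r[1] && (!seen || p[2] + 0 > best)) {
                best = p[2] + 0; seen = 1
            }
        }
        END {
            if (!seen)                print "missing"
            else if (best < r[2] + 0) printf "outdated %02d\n", best
            else                      printf "fixed %02d\n", best
        }'
}

# setuid_state FILE: reports whether FILE still carries the setuid bit
# that the advisory's "chmod a-s" workaround removes.
setuid_state() {
    if [ -u "$1" ]; then echo setuid; else echo not-setuid; fi
}

# Constructed sample in `showrev -p` layout; the package field is a placeholder
# and 000000-01 is a made-up unrelated patch id.
SAMPLE='Patch: 109354-17 Obsoletes:  Requires:  Incompatibles:  Packages: PKG-PLACEHOLDER
Patch: 109354-18 Obsoletes:  Requires:  Incompatibles:  Packages: PKG-PLACEHOLDER
Patch: 000000-01 Obsoletes:  Requires:  Incompatibles:  Packages: PKG-PLACEHOLDER'

# Solaris 8 entry from the advisory checked against the sample: outdated 18
printf '%s\n' "$SAMPLE" | patch_status 109354-19
# On a live host: showrev -p | patch_status 109354-19
#                 setuid_state /usr/dt/bin/dtsession
```

A host that reports `outdated` or `missing` for its release's patch and `setuid` for the binary is still in the state the advisory describes.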



