[Sun] Vulnerability in libXpm affects the Motif library (libXm) - Sun Alert ID: 57653

win-sec-ssc at dfn-cert.de
Tue Oct 12 14:16:40 CEST 2004


Dear colleagues,

We have just received the following bulletin from the SUN Customer Warning
System. We are passing this information on to you unchanged.

The Xpm library provides routines for processing pixmaps. Because the
Motif library (libXm) incorporates parts of the vulnerable Xpm library,
it is affected by the vulnerability.

CAN-2004-0687 - Multiple stack overflows in libXpm

  A flaw exists in the handling of 8-bit RLE-encoded Xpm images in the
  Xpm library, through which a heap overflow can be triggered. If the
  vulnerability is exploited successfully, an attacker can execute
  arbitrary code with the privileges of the application that uses the
  library.

CAN-2004-0688 - Integer overflow in libXpm

  In the libXpm library, specifically in the function xpmParseColors (in
  the file parse.c), an integer overflow can occur. An attacker can
  exploit this vulnerability to execute arbitrary code with the
  privileges of the user of the application that uses libXpm. To do so,
  the user must be induced to decode a specially crafted Xpm image with
  the application.


The following software packages and platforms are affected:

  libXm library (Sun Java Desktop System (JDS): Open Motif versions up to
  and including openmotif-2.2.2-502).

  Sun Solaris 7, 8 and 9 on the SPARC and x64 platforms
  Sun Java Desktop System (JDS) 2003 without patch-9400
  Sun Java Desktop System (JDS) Release 2 without patch-9400


Revised packages are being made available by the vendor.

(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,


           Jan Kohlrausch, DFN-CERT

--
Jan Kohlrausch (CSIRT), DFN-CERT Services GmbH
Web: https://www.dfn-cert.de/, Phone: +49-40-808077-555
PGP RSA/2048, A5DD03D1, A2 55 1C 51 0A 30 3E 78  5B 40 DA B7 14 F7 C9 E8


Document ID: 57653
Title: Document ID 57653
Synopsis: libXpm Security Vulnerabilities Affect the Motif Library (libXm)
Update Date: 2004-10-08

------------------------------------------------------------------------
Description


    Sun(sm) Alert Notification

    * Sun Alert ID: 57653
    * Synopsis: libXpm Security Vulnerabilities Affect the Motif Library
      (libXm)
    * Category: Security
    * Product: Solaris Common Desktop Environment (CDE), Sun Java
      Desktop System (JDS)
    * BugIDs: 5086486, 6175145
    * Avoidance: Patch, Workaround
    * State: Committed
    * Date Released: 08-Oct-2004
    * Date Closed:
    * Date Modified:


    1. Impact

Several security vulnerabilities have been reported in the X Pixmap
(libXpm) library which also affect the Motif library (libXm) shipped
with Solaris and JDS for Linux since libXm includes the affected libXpm
routines. These security vulnerabilities may allow a remote unprivileged
user to execute arbitrary code with the privileges of a local user if
that user loads an X Pixmap (.xpm) format image file from an untrusted
source with an application that is linked with the Motif library (libXm).

Note: The Motif library (libXm) can be used to manipulate and display
small images in Motif applications.

This issue is also described in the following documents:

Chris Evans Security Advisory (CESA) 2004.003 at
http://scary.beasts.org/security/CESA-2004-003.txt

CAN-2004-0687 at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687

CAN-2004-0688 at
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0688


    2. Contributing Factors

This issue can occur in the following releases:

*SPARC Platform*

    * Solaris 7
    * Solaris 8
    * Solaris 9 

*x86 Platform*

    * Solaris 7
    * Solaris 8
    * Solaris 9 

*Linux Platform*

    * Sun Java Desktop System (JDS) 2003 without the updated RPMs
      (patch-9400)
    * Sun Java Desktop System (JDS) Release 2 without the updated RPMs
      (patch-9400) 

*Notes:*

   1. JDS for Solaris is not impacted by this issue.
   2. This issue only occurs with Open Motif versions
      openmotif-2.2.2-502 or earlier. 

To determine if a Solaris application is linked with the libXm library,
the ldd(1) utility can be utilized. For example:

    $ ldd /usr/dt/bin/uil | grep libXm.so
    libXm.so.4 =>    /usr/dt/lib/libXm.so.4

To determine if a Linux application is linked with the libXm library,
the ldd(1) utility can be utilized. For example:

    $ ldd /usr/X11R6/bin/uil | grep libXm
    libXm.so.3 => /usr/X11R6/lib/libXm.so.3 (0x40033000)

To determine the release of JDS for Linux installed on a system, the
following command can be run:

    % cat /etc/sun-release
    Sun Java Desktop System, Release 2 -build 10b (GA)
    Assembled 30 March 2004

To determine the version of Open Motif, the following command can be run:

    % rpm -qf /usr/X11R6/lib/libXm.so.3
    openmotif-2.2.2-522
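The ldd(1) and rpm(1) steps above are easy to script when many hosts have to be inventoried. The following POSIX shell script is an added example, not part of the Sun Alert or of DFN-CERT's text: it reads ldd output for a libXm dependency, splits an openmotif package name into version and release, and reports whether the package falls in the range the alert names (openmotif-2.2.2-502 or earlier). The function and variable names and the sample ldd lines are constructed for this example; only check_binary calls the real ldd and rpm tools, and the demo at the end runs over the constructed data only.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert: turn the ldd(1)/rpm(1) checks
# into reusable shell functions and decide whether a host is in the affected
# range. The threshold (openmotif-2.2.2-502 or earlier) is the one the alert states.

AFFECTED_VER="2.2.2"   # last affected Open Motif version line
AFFECTED_REL="502"     # last affected package release within that version

# linked_libxm: read ldd(1) output on stdin and print the libXm path, if any.
# Exit status 0 when the binary is linked with libXm, 1 otherwise.
linked_libxm() {
    awk '/libXm\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; found = 1 } }
         END { exit !found }'
}

# vercmp A B: compare two dotted numeric versions; prints -1, 0 or 1.
# Missing trailing components count as 0, so 2.2 sorts before 2.2.2.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        if [ "$a" = "$ah" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bh" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# openmotif_affected PKG: PKG is an rpm name such as "openmotif-2.2.2-522".
# Exit status 0 if the package is openmotif-2.2.2-502 or earlier, 1 if it is
# newer, 2 if the name is not an openmotif package at all.
openmotif_affected() {
    pkg="$1"
    case "$pkg" in
        openmotif-*) ;;
        *) echo "not an openmotif package: $pkg" >&2; return 2 ;;
    esac
    rest="${pkg#openmotif-}"   # e.g. 2.2.2-522
    ver="${rest%%-*}"          # 2.2.2
    rel="${rest#*-}"           # 522
    case "$(vercmp "$ver" "$AFFECTED_VER")" in
        -1) return 0 ;;        # older version line: affected
         1) return 1 ;;        # newer version line: not affected
    esac
    [ "$rel" -le "$AFFECTED_REL" ]   # same version line: compare the release
}

# check_binary BIN: live check on a Linux host that has ldd(1) and rpm(1).
# Prints a one-line verdict; not run in the demo below.
check_binary() {
    libxm=$(ldd "$1" | linked_libxm) || { echo "$1: not linked with libXm"; return 0; }
    pkg=$(rpm -qf "$libxm")
    if openmotif_affected "$pkg"; then
        echo "$1: linked with $libxm from $pkg (AFFECTED, install patch-9400)"
    else
        echo "$1: linked with $libxm from $pkg (not affected)"
    fi
}

# Constructed sample data, modelled on the ldd output shown in the alert.
SAMPLE_LDD_MOTIF='libXt.so.6 => /usr/X11R6/lib/libXt.so.6 (0x40020000)
libXm.so.3 => /usr/X11R6/lib/libXm.so.3 (0x40033000)
libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_LDD_PLAIN='libc.so.6 => /lib/libc.so.6 (0x40100000)'

# Demo over the constructed data only.
printf '%s\n' "$SAMPLE_LDD_MOTIF" | linked_libxm      # prints /usr/X11R6/lib/libXm.so.3
printf '%s\n' "$SAMPLE_LDD_PLAIN" | linked_libxm || echo "no libXm linked"
for p in openmotif-2.2.2-502 openmotif-2.2.2-522 openmotif-2.1.30-5; do
    if openmotif_affected "$p"; then echo "$p: affected"; else echo "$p: not affected"; fi
done
```

On a JDS for Linux host, `check_binary /usr/X11R6/bin/uil` runs the live check; rerunning it after the updated RPMs are installed confirms that the package reported by rpm -qf is past the affected range.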


    3. Symptoms

There are no predictable symptoms that would indicate the described
issue has been exploited.

Solution Summary


    4. Relief/Workaround

To work around the described issue, do not load X Pixmap (.xpm) images
from untrusted sources.


    5. Resolution

This issue is resolved in the following releases:

*Linux Platform*

    * Sun Java Desktop System (JDS) 2003 with the updated RPMs (patch-9400)
    * Sun Java Desktop System (JDS) Release 2 with the updated RPMs
      (patch-9400) 

To download and install the updated RPMs from the update servers, select
the following from the "launch" bar:

    Launch >> Applications >> System Tools >> Online Update

A final resolution for the Solaris Platforms is pending completion.

/This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements./

/Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved./
