Solaris Xsun Buffer Overrun Vulnerability

BID:1140

Info

Solaris Xsun Buffer Overrun Vulnerability

Bugtraq ID: 1140
Class: Unknown
CVE:
Remote: No
Local: Yes
Published: Apr 24 2000 12:00AM
Updated: Apr 24 2000 12:00AM
Credit: This vulnerability was posted to the Bugtraq mailing list by Theodor Ragnar Gislason <[email protected]> on April 24, 2000.
Vulnerable: Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun Solaris 7.0_x86
Sun Solaris 7.0
Not Vulnerable:

Exploit / POC

Solaris Xsun Buffer Overrun Vulnerability

Exploit available:

Solution / Fix

Solaris Xsun Buffer Overrun Vulnerability

Solution:
Patches have been made available on SunSolve for Solaris 8, sparc and x86. They are currently only for contract customers. Presumably, Solaris 7 patches are forthcoming, and will also be available at SunSolve. Due to the nature of this vulnerability, these patches should be made public shortly. Patches for this, and other vulnerabilities in Sun products are available at http://sunsolve.sun.com

Removal of the setgid bit on the binary does not seem to have any noticeable negative effects, and will eliminate this vulnerability, on the Sparc platform. It will disable the ability of the Xserver to manage display power and adjust the priority of processes in the "IA" class (allowing the window in the foreground to have an elevated priority). Running under xdm, with the setgid bit removed, will re-enable this feature.

x86 users may find that they need Xsun to run as root in order to access the video device. In this case, a suitable solution is to remove the setuid bit, and launch X only via the dtlogin program, or xdm. dtconfig -e will enable this.


Sun Solaris 7.0_x86
  • Sun 108377-07


Sun Solaris 7.0
  • Sun 108376-08


Sun Solaris 8_x86
  • Sun 108653-08


Sun Solaris 8_sparc
  • Sun 108652-08

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report