Solaris Xsun Buffer Overrun Vulnerability
Patches have been made available on SunSolve for Solaris 8, sparc and x86. They are currently only for contract customers. Presumably, Solaris 7 patches are forthcoming, and will also be available at SunSolve. Due to the nature of this vulnerability, these patches should be made public shortly. Patches for this, and other vulnerabilities in Sun products are available at http://sunsolve.sun.com
Removal of the setgid bit on the binary does not seem to have any noticeable negative effects, and will eliminate this vulnerability, on the Sparc platform. It will disable the ability of the Xserver to manage display power and adjust the priority of processes in the "IA" class (allowing the window in the foreground to have an elevated priority). Running under xdm, with the setgid bit removed, will re-enable this feature.
x86 users may find that they need Xsun to run as root in order to access the video device. In this case, a suitable solution is to remove the setuid bit, and launch X only via the dtlogin program, or xdm. dtconfig -e will enable this.
Sun Solaris 7.0_x86
Sun Solaris 7.0
Sun Solaris 8_x86
Sun Solaris 8_sparc