Multiple Sun Database Functions Buffer Overflow Vulnerabilities

Type symantec
Reporter Symantec Security Response
Modified 2003-06-19T00:00:00



Sun dbm_open(), ndbm(), dbm() and dbminit() library functions have been reported prone to buffer overflow vulnerabilities. Each of these issues likely presents itself due to a lack of sufficient bounds checking when externally supplied data is copied into an internal memory buffer. Excessive data supplied to one of the functions will overrun the boundary of the assigned buffer and corrupt adjacent memory. Note that the vendor has stated that the Solaris Xsun application is linked to the vulnerable library and runs as a privileged application. Therefore, it may be possible for a local or remote attacker to exploit this condition to obtain root privileges.

Technologies Affected

  • Oracle Solaris 8
  • Oracle Solaris 9
  • Sun Solaris 2.6
  • Sun Solaris 2.6 X86
  • Sun Solaris 7.0
  • Sun Solaris 7.0 X86
  • Sun Solaris 8 Sparc
  • Sun Solaris 8 X86
  • Sun Solaris 9 Sparc
  • Sun Solaris 9 X86
  • Sun SunOS 5.9.0 X86
  • Sun SunOS 5.9.0


Audit the system and limit, or remove, access to setuid or setgid utilities.
Disabling setuid permissions on unnecessary programs may prevent the exploitation of latent vulnerabilities such as this. If setuid capabilities are required, restrict execute access to a trusted group.

Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Do not permit such access except to trusted individuals.

Block external access at the network boundary, unless external parties require service.
If applicable, block external access to the affected system at the network boundary. Allow access for trusted users, hosts and networks only.

Run all software as a nonprivileged user with minimal access rights.
If applicable, run all server processes with the least possible privileges that allow normal functionality, in a chroot or jailed environment.

Implement multiple redundant layers of security.
An attacker's ability to exploit this vulnerability to execute arbitrary code may be hindered by various memory protection schemes. Where possible, use non-executable and randomly mapped memory segments.

The vendor has reported that this issue is addressed in the following releases; links to the patches can be obtained in the referenced advisory:

SPARC Platform

  • Solaris 2.6 with patches 105210-47, 105377-06 and 105401-43 or later for each listed patch
  • Solaris 7 with patches 106541-22, 106942-26 and 106949-03 or later for each listed patch
  • Solaris 8 with patches 108827-24, 108993-16 and 109152-02 or later for each listed patch
  • Solaris 9 with patches 112874-01, 112922-02, 113319-10, 114569-02 and 114571-01 or later for each listed patch

x86 Platform

  • Solaris 2.6 with patches 105211-49 and 105402-43 or later for each listed patch
  • Solaris 7 with patches 106542-22 and 106943-26 or later for each listed patch
  • Solaris 8 with patches 108828-25, 108994-16 and 114617-01 or later for each listed patch
  • Solaris 9 with patches 113719-03, 114570-01 and 114715-01 or later for each listed patch
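
One way to check a host against the patch levels listed above, as an added example that is not part of the original advisory: the hypothetical shell function missing_patches reads `showrev -p` output and reports each required patch that is absent or below the listed revision, treating a patch as present when an installed patch names it under Obsoletes. It assumes a POSIX awk (nawk on Solaris).

```shell
#!/bin/sh
# Added example (not from the advisory): compare installed Solaris patches
# with the minimum revisions an advisory requires.
# Usage on the host:  showrev -p | missing_patches 108827-24 108993-16 109152-02
# Prints one line per unmet requirement; exit status is 1 if any are unmet.

missing_patches() {
    # stdin: `showrev -p` output, args: required patches written as BASE-REV
    awk -v required="$*" '
    # Remember the highest revision seen for each patch base ID.
    function note(id,    p) {
        gsub(/,/, "", id)
        if (split(id, p, "-") == 2 && p[2] + 0 > have[p[1]] + 0)
            have[p[1]] = p[2]
    }
    $1 == "Patch:" {
        note($2)
        # IDs between "Obsoletes:" and the next "Label:" are superseded by
        # this installed patch, so record them at the revision it names.
        obs = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "Obsoletes:") { obs = 1; continue }
            if ($i ~ /:$/) obs = 0
            if (obs) note($i)
        }
    }
    END {
        n = split(required, req, " ")
        for (i = 1; i <= n; i++) {
            split(req[i], p, "-")
            if (!(p[1] in have)) {
                print req[i] " not installed"; bad++
            } else if (have[p[1]] + 0 < p[2] + 0) {
                print req[i] " required, found " p[1] "-" have[p[1]]; bad++
            }
        }
        exit (bad > 0)
    }'
}
```

An obsoleted patch is recorded only at the revision named in the Obsoletes field, so a requirement for a higher revision of that same base ID is still reported for manual review.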