• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Multiple Vendor CDE TTSession Buffer Overflow Vulnerability

Severity: HIGH

Description:

CDE is the Common Desktop Environment, an implementation of a Desktop Manager for systems that run X. It is distributed with various commercial UNIX implementations.

A problem has been discovered in a program packaged with CDE that could allow a local user to gain elevated privileges. The problem is in the libtt.so library.

The libtt.so shared library under certain versions of CDE handles a user defined variable titled TT_SESSION. The code which handles this variable does not place a restriction on its size. At least one of the CDE programs which rely on this variable do not have sufficient bounds checking in place for this variable. This can result in a buffer overflow. The program in question is dtsession.

Due to the fact that dtsession is running setuid root and does not remove the root privilege (at least as tested on Solaris), the overflow can lead to local root compromise.

Affected Products:

• Digital (Compaq) TRU64/DIGITAL UNIX 4.0.0d
• Digital (Compaq) TRU64/DIGITAL UNIX 4.0.0f
• IBM AIX 4.1.0
• IBM AIX 4.1.1
• IBM AIX 4.1.2
• IBM AIX 4.1.3
• IBM AIX 4.1.4
• IBM AIX 4.1.5
• IBM AIX 4.2.0
• IBM AIX 4.2.1
• IBM AIX 4.3.0
• IBM AIX 4.3.1
• IBM AIX 4.3.2
• Open Group CDE Common Desktop Environment 1.0.1
• Open Group CDE Common Desktop Environment 1.0.2
• Open Group CDE Common Desktop Environment 1.1.0
• Open Group CDE Common Desktop Environment 1.2.0
• Open Group CDE Common Desktop Environment 2.0.0
• Open Group CDE Common Desktop Environment 2.1.0
• Open Group CDE Common Desktop Environment 2.1.020
• SGI IRIX 6.5.0
• SGI IRIX 6.5.1
• SGI IRIX 6.5.10
• SGI IRIX 6.5.10f
• SGI IRIX 6.5.10m
• SGI IRIX 6.5.11
• SGI IRIX 6.5.11f
• SGI IRIX 6.5.11m
• SGI IRIX 6.5.12
• SGI IRIX 6.5.12 f
• SGI IRIX 6.5.12 m
• SGI IRIX 6.5.13
• SGI IRIX 6.5.13 f
• SGI IRIX 6.5.13 m
• SGI IRIX 6.5.14
• SGI IRIX 6.5.2
• SGI IRIX 6.5.2f
• SGI IRIX 6.5.2m
• SGI IRIX 6.5.3
• SGI IRIX 6.5.3f
• SGI IRIX 6.5.3m
• SGI IRIX 6.5.4
• SGI IRIX 6.5.4f
• SGI IRIX 6.5.4m
• SGI IRIX 6.5.5
• SGI IRIX 6.5.5f
• SGI IRIX 6.5.5m
• SGI IRIX 6.5.6
• SGI IRIX 6.5.6f
• SGI IRIX 6.5.6m
• SGI IRIX 6.5.7
• SGI IRIX 6.5.7f
• SGI IRIX 6.5.7m
• SGI IRIX 6.5.8
• SGI IRIX 6.5.8f
• SGI IRIX 6.5.8m
• SGI IRIX 6.5.9
• SGI IRIX 6.5.9f
• SGI IRIX 6.5.9m
• Sun Solaris 2.3.0
• Sun Solaris 2.4.0
• Sun Solaris 2.4.0_x86
• Sun Solaris 2.5.0
• Sun Solaris 2.5.0_x86
• Sun Solaris 2.5.1
• Sun Solaris 2.5.1_x86
• Sun Solaris 2.6
• Sun Solaris 2.6_x86
• Sun Solaris 7.0
• Sun Solaris 7.0_x86
• Sun Solaris 9
• Sun Solaris 9_x86
• Sun Solaris 9_x86 Update 2
• Sun SunOS 4.1.3 _U1
• Sun SunOS 4.1.4

References:

• CERT/CC: CERT Coordination Center
• Digital Equipment Corporation: Digital Equipment Corporation
• IBM: AIX Fix Distribution Service
• IBM: IBM Support Databases
• ITSX: ITSX Home Page
• Sun Microsystems: Sun Patch Access Page
• Sun Microsystems: Sun Patches List
• Sun Microsystems: Sunsolve Online(tm)
• The Open Group: The Open Group CDE Support Page

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.