Vulnerability Note VU#575804

CDE libDtHelp vulnerable to buffer overflow via DTHELPUSERSEARCHPATH or DTHELPSEARCHPATH

Original Release date: 04 Nov 2003 | Last revised: 26 Aug 2004

Overview

A vulnerability in the Common Desktop Environment (CDE) for UNIX systems can allow a local user to gain root privileges.

Description

The Common Desktop Environment (CDE) is a standard desktop environment for UNIX-based systems. CDE libDtHelp contains a buffer overflow that can be exploited by a local user. By modifying the DTHELPUSERSEARCHPATH or DTHELPSEARCHPATH environment variables and invoking Help, an attacker can gain elevated privileges. For example, since dtprintinfo is commonly setuid root, it may be exploited by a local user to gain root privileges. Other programs that run with elevated privileges and link libDtHelp are also potential attack vectors.
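To inventory the exposure described above, the following added example (not part of the original note or any vendor's tooling) lists set-uid and set-gid files under the directories you name that reference libDtHelp. It assumes the dependency appears by name inside the file, so a byte search finds it; the function name audit_libdthelp and the /usr/dt/bin path in the comment are illustrative.

```shell
#!/bin/sh
# Added example: find privileged programs that reference libDtHelp.
# Assumption: a dynamically linked program stores the name of each needed
# library as a plain string, so searching the file for "libDtHelp" finds it.
# ldd is deliberately not used: it may execute the inspected program.

audit_libdthelp() {
    # usage: audit_libdthelp DIR...   (for example /usr/dt/bin, illustrative)
    for dir in "$@"; do
        # Skip arguments that are not directories.
        [ -d "$dir" ] || continue

        # -perm -4000 selects set-uid files, -perm -2000 set-gid files.
        # -xdev keeps the walk on one file system.
        find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        while IFS= read -r f; do
            # LC_ALL=C makes grep treat the file as raw bytes.
            if LC_ALL=C grep -q 'libDtHelp' "$f" 2>/dev/null; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

report_libdthelp() {
    # Print mode and owner for each hit so the privilege level is visible.
    audit_libdthelp "$@" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# When run as a script with directory arguments, print the report.
if [ "$#" -gt 0 ]; then
    report_libdthelp "$@"
fi
```

Each file reported is a candidate for the vendor patch, or for having its set-uid or set-gid bit removed until the patch is applied.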

Impact

An authenticated local user may be able to execute arbitrary code with root privileges. The attacker may also be able to crash vulnerable programs, causing a denial of service.

Solution

Apply Patch or Upgrade

Apply a patch or upgrade as advised by your vendor. See the Systems Affected section for more information.

Systems Affected

Vendor                   Status        Date Notified  Date Updated
Hewlett-Packard Company  Affected      09 Oct 2003    03 Dec 2003
IBM eServer              Affected      09 Oct 2003    04 Nov 2003
SCO                      Affected      09 Oct 2003    05 Nov 2003
Sun Microsystems Inc.    Affected      09 Oct 2003    10 Nov 2003
Xi Graphics              Affected      09 Oct 2003    04 Nov 2003
IBM                      Not Affected  09 Oct 2003    04 Nov 2003
Cray Inc.                Unknown       09 Oct 2003    16 Oct 2003
Data General             Unknown       09 Oct 2003    16 Oct 2003
Open Group               Unknown       09 Oct 2003    16 Oct 2003
SGI                      Unknown       09 Oct 2003    16 Oct 2003

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

Thanks to Kevin Kotas of Computer Associates eTrust Vulnerability Manager. Thanks also to XiGraphics and SCO for information used in this document.

This document was written by Robert C. Seacord and Art Manion.

Other Information

  • CVE IDs: CAN-2003-0834
  • Date Public: 04 Nov 2003
  • Date First Published: 04 Nov 2003
  • Date Last Updated: 26 Aug 2004
  • Severity Metric: 2.81
  • Document Revision: 23

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.