The CERT Coordination Center at Carnegie Mellon University in Pittsburgh has issued an advisory on four vulnerabilities in the Common Desktop Environment (CDE). CERT recommends that users install appropriate vendor patches as soon as possible. Until that's possible, CERT suggests disabling or uninstalling vulnerable copies of the CDE package, which it warns will severely affect the utility of the environment.
While CERT says that it hasn't received reports of the vulnerabilities being exploited by intruders, the organization is posting information about patches on its Web site.
CDE is an effort by various Unix vendors to offer a similar look and feel to users.
The first vulnerability involves "ttsession," the ToolTalk messaging server, which allows independent applications to communicate without direct knowledge of one another. CERT points out that on many systems, ttsession uses certain environment variables supplied by the client and can be manipulated to execute unauthorized arbitrary programs with the same privileges as the attacked ttsession.
In the second vulnerability, the network daemon "dtspcd," a CDE desktop subprocess control program, accepts CDE requests from clients to execute commands and remotely launch applications. A local user could manipulate authentication files and issue commands that could run as root.
The third vulnerability is a possible buffer overflow in CDE's "dtaction." CERT notes that a buffer overflow can occur in some implementations of dtaction when a "username" argument greater than 1,024 bytes is used. A local user could exploit this hole to execute arbitrary code with root privilege, says CERT.
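The class of bug described for dtaction, and the check that prevents it, shown as an added example (not code from CERT, CDE or any vendor). The function name `copy_username` and the buffer layout are hypothetical; only the 1,024-byte figure comes from the advisory summary above.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

#define USERNAME_BUF 1024 /* size taken from the advisory's description */

/* UNSAFE pattern, shown for contrast only (hypothetical, never called):
 *
 *     char name[USERNAME_BUF];
 *     strcpy(name, arg);   // no bound: a longer argument writes past name[]
 *
 * In a program running with root privilege, that out-of-bounds write is
 * what turns an oversized argument into a privilege problem.
 */

/* Hardened form: measure the argument without reading past the space we
 * have, reject anything that does not fit together with its terminating
 * NUL, and only then copy. Returns 0 on success, -1 with errno set. */
int copy_username(char *dst, size_t dstsize, const char *arg)
{
    if (dst == NULL || dstsize == 0 || arg == NULL) {
        errno = EINVAL;
        return -1;
    }
    dst[0] = '\0'; /* leave a valid empty string on every failure path */

    /* Look for the terminator within the first dstsize bytes only. */
    const char *nul = memchr(arg, '\0', dstsize);
    if (nul == NULL) {           /* argument needs more than dstsize bytes */
        errno = ENAMETOOLONG;
        return -1;
    }
    size_t len = (size_t)(nul - arg);
    if (len == 0) {              /* an empty user name is not meaningful */
        errno = EINVAL;
        return -1;
    }
    memcpy(dst, arg, len + 1);   /* len + 1 <= dstsize, NUL included */
    return 0;
}
```

Rejecting the oversized argument, rather than silently truncating it, avoids acting on a user name the caller never supplied.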
The final potential flaw lies in some implementations of the ToolTalk shared library. According to CERT, a "setuid" root program using a vulnerable ToolTalk library, such as "dtsession," could be exploited to run arbitrary code as root.