4.1 20051116211256 Sun Solaris 8 kcms_configure David Proulx kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. CVE-2001-0594 ACCEPTED 1 Sun Solaris 8 libnsl David Proulx Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. CVE-2002-0391 ACCEPTED 1 Sun Solaris 8 xlock David Proulx Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable. CVE-2001-0652 ACCEPTED 1 Sun Solaris 8 snmpdx David Proulx Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0796 ACCEPTED 1 Sun Solaris 8 Xsun David Proulx Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument. CVE-2002-0158 ACCEPTED 1 Sun Solaris 8 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. CVE-2002-0677 ACCEPTED 1 Sun Solaris 8 cachefsd David Proulx Brian Soby INTERIM ACCEPTED Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name. CVE-2002-0033 ACCEPTED 3 Sun Solaris 7 Xsun David Proulx Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument. CVE-2002-0158 ACCEPTED 1 Sun Solaris 7 whodo David Proulx Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable. CVE-2001-1076 ACCEPTED 1 Sun Solaris 7 rpc.rwalld David Proulx Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed. CVE-2002-0573 ACCEPTED 1 Sun Solaris 7 libnsl David Proulx Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. CVE-2002-0391 ACCEPTED 1 Sun Solaris 7 cachefsd David Proulx Brian Soby INTERIM ACCEPTED Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. CVE-2002-0084 ACCEPTED 2 Sun Solaris 8 whodo David Proulx Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable. CVE-2001-1076 ACCEPTED 1 Sun Solaris 7 admintool David Proulx Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path. CVE-2002-0088 ACCEPTED 1 Sun Solaris 8 rpc.yppasswdd David Proulx Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username. CVE-2001-0779 ACCEPTED 1 Sun Solaris 8 admintool David Proulx Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path. CVE-2002-0088 ACCEPTED 1 Sun Solaris 7 mibiisa David Proulx Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0797 ACCEPTED 1 Sun Solaris 7 kcms_configure David Proulx kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. CVE-2001-0594 ACCEPTED 1 Sun Solaris 8 admintool David Proulx Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. CVE-2002-0089 ACCEPTED 1 Sun Solaris 7 admintool David Proulx Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. CVE-2002-0089 ACCEPTED 1 Sun Solaris 8 dtspcd David Proulx Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands CVE-2001-0803 ACCEPTED 1 Sun Solaris 7 dtspcd David Proulx Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands CVE-2001-0803 ACCEPTED 1 Sun Solaris 8 rpc.rwalld David Proulx Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed. CVE-2002-0573 ACCEPTED 1 Sun Solaris 7 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure. CVE-2002-0678 ACCEPTED 1 Sun Solaris 8 lbxproxy David Proulx Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. CVE-2002-0090 ACCEPTED 1 Sun Solaris 7 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. CVE-2002-0677 ACCEPTED 1 Sun Solaris 8 mibiisa David Proulx Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0797 ACCEPTED 1 Sun Solaris 8 cachefsd David Proulx Brian Soby Brian Soby INTERIM ACCEPTED Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. CVE-2002-0084 ACCEPTED 2 Sun Solaris 7 rpc.yppasswdd David Proulx Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username. CVE-2001-0779 ACCEPTED 1 Sun Solaris 7 snmpdx David Proulx Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges. CVE-2002-0796 ACCEPTED 1 Sun Solaris 7 kcms_server David Proulx Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. CVE-2003-0027 ACCEPTED 1 Sun Solaris 7 cachefsd David Proulx Brian Soby INTERIM ACCEPTED Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name. CVE-2002-0033 ACCEPTED 2 Sun Solaris 7 xlock David Proulx Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable. CVE-2001-0652 ACCEPTED 1 Sun Solaris 8 fs.auto, xfs David Proulx Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query. CVE-2002-1317 ACCEPTED 2 Sun Solaris 7 fs.auto, xfs David Proulx Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query. CVE-2002-1317 ACCEPTED 2 Sun Solaris 8 CDE David Proulx CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure. CVE-2002-0678 ACCEPTED 1 Sun Solaris 7 CDE David Proulx Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure. CVE-2002-0679 ACCEPTED 1 Sun Solaris 7 lbxproxy David Proulx Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. CVE-2002-0090 ACCEPTED 1 Sun Solaris 8 CDE David Proulx Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure. CVE-2002-0679 ACCEPTED 1 Sun Solaris 8 kcms_server David Proulx Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. CVE-2003-0027 ACCEPTED 1 Sun Solaris 9 Bind Brian Soby DRAFT INTERIM ACCEPTED BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size. CVE-2002-1220 ACCEPTED 1 Sun Solaris 7 Xsun Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable. CVE-2001-0422 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Licence Logging Service Brian Soby DRAFT INTERIM ACCEPTED Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code. CVE-2004-1351 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 snmpdx Brian Soby DRAFT INTERIM ACCEPTED Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. CVE-2002-0012 ACCEPTED 1 Sun Solaris 9 CDE Brian Soby DRAFT INTERIM ACCEPTED Brian Soby Brian Soby INTERIM ACCEPTED CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. CVE-2002-0677 ACCEPTED 2 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Solaris Enterprise Authentication Mechanism (SEAM) Brian Soby DRAFT INTERIM ACCEPTED MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference. CVE-2003-0058 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 uucp Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM ACCEPTED Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user. CVE-2004-1359 ACCEPTED 2 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI. CVE-2004-0760 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sadmin Brian Soby Brian Soby DRAFT INTERIM ACCEPTED The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets. CVE-2003-0722 ACCEPTED 1 Sun Solaris 7 CDE Brian Soby Brian Soby DRAFT INTERIM ACCEPTED Double-free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet. CVE-2004-0368 ACCEPTED 1 Sun Solaris 9 Samba Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string. CVE-2002-1318 ACCEPTED 1 Sun Solaris 7 libpng Brian Soby DRAFT INTERIM ACCEPTED Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image. CVE-2004-0599 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Solaris Management Console (SMC) Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM INTERIM ACCEPTED The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inacessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack. CVE-2004-1354 ACCEPTED 2 Sun Solaris 8 tcsh Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in the ls-F builtin function in tcsh on Solaris 8 allows local users to create or delete files as other users, and gain privileges. CVE-2003-1024 ACCEPTED 2 Sun Solaris 8 Licence Logging Service Brian Soby DRAFT INTERIM ACCEPTED gzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files. CVE-2004-1349 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 sendfilev() Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors. CVE-2004-1356 ACCEPTED 2 Sun Solaris 8 Sun Enterprise Storage Manager (ESM) Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 /usr/lib/print/conv_fix Brian Soby DRAFT INTERIM ACCEPTED INTERIM DRAFT INTERIM ACCEPTED Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files. CVE-2004-1360 ACCEPTED 2 Sun Solaris 7 NIS Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code. CVE-2001-1328 ACCEPTED 1 Sun Solaris 7 dtspcd Brian Soby DRAFT INTERIM ACCEPTED The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack. CVE-1999-0689 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 CDE Brian Soby DRAFT INTERIM ACCEPTED Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable. CVE-2003-0092 ACCEPTED 1 Sun Solaris 9 Solaris Management Console (SMC) Brian Soby DRAFT INTERIM ACCEPTED Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. CVE-2003-0466 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Apache Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." CVE-2004-0174 ACCEPTED 1 Sun Solaris 7 Solaris Enterprise Authentication Mechanism (SEAM) Brian Soby DRAFT Brian Soby INTERIM ACCEPTED Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. CVE-2004-0523 ACCEPTED 1 Sun Solaris 7 Bind Brian Soby DRAFT INTERIM ACCEPTED Brian Soby Brian Soby INTERIM ACCEPTED ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value. CVE-2003-0914 ACCEPTED 2 Sun Solaris 7 login Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin. CVE-2001-0797 ACCEPTED 1 Sun Solaris 9 pam_krb5 Brian Soby DRAFT Brian Soby INTERIM ACCEPTED Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files. CVE-2004-0653 ACCEPTED 1 Sun Solaris 7 Bind Brian Soby DRAFT INTERIM ACCEPTED BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference. CVE-2002-1221 ACCEPTED 1 Sun Solaris 9 Kerberos5 Brian Soby DRAFT Brian Soby INTERIM ACCEPTED The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding. CVE-2004-0644 ACCEPTED 1 Sun Solaris 9 Samba Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code. CVE-2003-0201 ACCEPTED 1 Sun Solaris 9 Sendmail Brian Soby DRAFT Brian Soby INTERIM ACCEPTED Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malicious DNS server. CVE-2002-0906 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sendmail Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c. CVE-2002-1337 ACCEPTED 1 Sun Solaris 7 libc Brian Soby DRAFT INTERIM ACCEPTED The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang). CVE-2002-1265 ACCEPTED 1 Sun Solaris 7 libpng Brian Soby DRAFT INTERIM ACCEPTED Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. CVE-2004-0597 ACCEPTED 1 Sun Solaris 8 mozilla Brian Soby DRAFT INTERIM ACCEPTED Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files. CVE-2004-0764 ACCEPTED 1 Sun Solaris 7 NIS Brian Soby DRAFT INTERIM ACCEPTED The getdbm procedure in ypxfrd allows local users to read arbitrary files, and remote attackers to read databases outside /var/yp, via a directory traversal and symlink attack on the domain and map arguments. CVE-2002-1199 ACCEPTED 1 Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Basic Security Module Brian Soby DRAFT Unknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic). CVE-2004-0654 DRAFT 0 Sun Solaris 8 Kerberos5 Brian Soby DRAFT INTERIM ACCEPTED The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). CVE-2003-0082 ACCEPTED 1 Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers Solaris kerberos Sun Solaris 7 Bind Brian Soby DRAFT INTERIM ACCEPTED Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR). CVE-2002-1219 ACCEPTED 1 Sun Solaris 7 libpng Brian Soby DRAFT INTERIM ACCEPTED The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference. CVE-2004-0598 ACCEPTED 1 Sun Solaris 8 Sun Solaris 9 Sun Cluster Brian Soby DRAFT INTERIM ACCEPTED Double-free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. CVE-2003-0545 ACCEPTED 1 Sun Solaris 7 kcms_server Brian Soby DRAFT INTERIM ACCEPTED Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. CVE-2003-0027 ACCEPTED 1 Sun Solaris 8 Sun Crypto Accelerator 4000 Brian Soby DRAFT INTERIM ACCEPTED The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. CVE-2004-0079 ACCEPTED 1 Sun Solaris 7 Sun Am7990 Ethernet Driver Brian Soby DRAFT Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. CVE-2003-0001 DRAFT 0 </