The OVAL Repository
Schema version: 5.5
Timestamp: 2015-09-03T07:49:40.386-04:00

Definitions

Solaris Xsun and Xprt Unspecified Local Privilege Escalation
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: Xsun
Description: Unspecified vulnerability in the (1) Xsun and (2) Xprt commands in Solaris 7, 8, 9, and 10 allows local users to execute arbitrary code.
Contributors and status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Nabil Ouchn, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 CDE ToolTalk Database Null Write Vulnerability
Platforms: Sun Solaris 7
Product: Common Desktop Environment
Description: CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure.
Contributors and status: David Proulx, Todd Dolinsky, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 CDE ToolTalk Database Symbolic Link Vulnerability
Platforms: Sun Solaris 7
Product: Common Desktop Environment
Description: CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure.
Contributors and status: David Proulx, Todd Dolinsky, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 CDE dtspcd Buffer Overflow
Platforms: Sun Solaris 7
Product: dtspcd
Description: Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands.
Contributors and status: David Proulx, Todd Dolinsky, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

MIT Kerberos 5 Key Distribution Center Remote Denial of Service Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: Kerberos
Description: Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.
Contributors and status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Nabil Ouchn, INTERIM, ACCEPTED, ACCEPTED

MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Name Buffer Overrun Vulnerabilities
Platforms: Sun Solaris 9, Sun Solaris 8, Sun Solaris 7
Description: Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
Contributors and status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Nabil Ouchn, INTERIM, ACCEPTED, Shane Shaffer, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 admintool Local Buffer Overflow
Platforms: Sun Solaris 7
Product: Admintool
Description: Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file.
Contributors and status: David Proulx, Matthew Wojcik, Matthew Wojcik, Matthew Wojcik, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 kcms_configure Command-Line Buffer Overflow
Platforms: Sun Solaris 7
Product: kcms_configure
Description: kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.
Contributors and status: David Proulx, ACCEPTED

Solaris 7 mibiisa Remote Buffer Overflow Vulnerability
Platforms: Sun Solaris 7
Product: mibiisa
Description: Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges.
Contributors and status: David Proulx, ACCEPTED

rwho daemon Code Execution Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Licence Logging Service
Description: Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Xsun Buffer Overflow via HOME Envvar
Platforms: Sun Solaris 7
Product: Xsun
Description: Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

CDE libDtHelp Buffer Overflow
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Common Desktop Environment
Description: Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, Christine Walzer, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 AdminTool Media Installation Path Buffer Overflow
Platforms: Sun Solaris 7
Product: Admintool
Description: Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path.
Contributors and status: David Proulx, Matthew Wojcik, Matthew Wojcik, Matthew Wojcik, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, ACCEPTED

SunRPC xdr_array Function Integer Overflow
Platforms: Sun Solaris 7
Product: Sun RPC
Description: Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, ACCEPTED
Note: Specific applications using this library are not tested for because Sun's advisory only provides a sample of known vulnerable applications and states that they are still investigating.

Solaris Code Execution DoS Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: kernel
Description: Unknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, INTERIM, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Security Vulnerability With Loading Arbitrary Kernel Modules in Solaris Kernel
Platforms: Sun Solaris 8, Sun Solaris 9, Sun Solaris 7, Sun Solaris 2.6
Description: The kernel in Solaris 2.6, 7, 8, and 9 allows local users to gain privileges by loading arbitrary loadable kernel modules (LKM), possibly involving the modload function.
Contributors and status: Nicholas Hansen, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Kerberos 5 KDC Buffer Underrun in Principle Name Handling
Platforms: Sun Solaris 7
Product: Solaris Enterprise Authentication Mechanism (SEAM)
Description: The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun").
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, ACCEPTED
Note: Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers SEAM.

lpq Buffer Overflow in bsd_queue()
Platforms: Sun Solaris 7
Product: lpstat
Description: Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

ToolTalk Buffer Overflow via TT_SESSION Envvar
Platforms: Sun Solaris 7
Product: Common Desktop Environment
Description: Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

cachefsd DoS via Invalid RPC Request
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: cachefsd
Description: cachefsd in Solaris 2.6, 7, and 8 allows remote attackers to cause a denial of service (crash) via an invalid procedure call in an RPC request.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, Todd Dolinsky, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 cachefsd Buffer Overrun Vulnerability
Platforms: Sun Solaris 7
Product: cachefsd
Description: Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument.
Contributors and status: David Proulx, Brian Soby, INTERIM, ACCEPTED, Todd Dolinsky, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 RPC xdr_array Buffer Overflow
Platforms: Sun Solaris 7
Product: libnsl
Description: Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd.
Contributors and status: David Proulx, Matthew Wojcik, INTERIM, ACCEPTED, Todd Dolinsky, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Buffer Overflow in DNS Resolver Library
Platforms: Sun Solaris 7
Product: Bind
Description: Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 RWall Daemon Syslog Format String Vulnerability
Platforms: Sun Solaris 7
Product: rpc.rwalld
Description: Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed.
Contributors and status: David Proulx, Todd Dolinsky, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Multiple Vulnerabilities in lpstat and libprint
Platforms: Sun Solaris 7
Products: lpstat, libprint
Description: Unknown multiple vulnerabilities in (1) lpstat and (2) the libprint library in Solaris 2.6 through 9 may allow attackers to execute arbitrary code or read or write arbitrary files.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, Jerome Athias, INTERIM, ACCEPTED, ACCEPTED

Shell Redirect Symlink Attack Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8
Products: Bourne Shell (sh), Bourne Again Shell (bash), TENEX C Shell (tcsh), C Shell (csh), Korn Shell (ksh)
Description: Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, Matthew Wojcik, ACCEPTED, ACCEPTED

MIT Kerberos 5 Key Distribution Center Remote Denial of Service Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: Kerberos
Description: MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.
Contributors and status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, Nabil Ouchn, INTERIM, ACCEPTED, ACCEPTED

Buffer Overflow in ntp Daemon via readvar
Platforms: Sun Solaris 7, Sun Solaris 8
Product: sendfilev()
Description: Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

priocntl Directory Traversal Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: priocntl()
Description: Directory traversal vulnerability in priocntl system call in Solaris allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Sendmail Ruleset Parsing Buffer Overflow
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Sendmail
Description: A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient, (2) final, or (3) mailer-specific envelope recipients, has unknown consequences.
Contributors and status: Brian Soby, DRAFT, INTERIM

Runtime linker, ld.so.1 LD_PRELOAD Envvar Buffer Overflow
Platforms: Sun Solaris 7
Product: Solaris Runtime Linker
Description: Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Buffer Overflow in Solaris ping Daemon
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Licence Logging Service
Description: Buffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 whodo Buffer Overflow Vulnerability
Platforms: Sun Solaris 7
Product: whodo
Description: Buffer overflow in whodo in Solaris SunOS 5.5.1 through 5.8 allows local users to execute arbitrary code via a long (1) SOR or (2) CFIME environment variable.
Contributors and status: David Proulx, Matthew Wojcik, INTERIM, Matthew Wojcik, Matthew Wojcik, Matthew Wojcik, ACCEPTED, ACCEPTED

Sun Solaris 7 XSun Color Database File Heap Overflow
Platforms: Sun Solaris 7
Product: Xsun
Description: Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument.
Contributors and status: David Proulx, ACCEPTED

CDE AddSuLog Function Buffer Overflow
Platforms: Sun Solaris 7
Product: Common Desktop Environment
Description: Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Sendmail prescan function Buffer Overflow
Platforms: Sun Solaris 7
Product: Sendmail
Description: The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Data Leak in NIC
Platforms: Sun Solaris 7
Product: Sun Am7990 Ethernet Driver
Description: Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak.
Contributors and status: Brian Soby, DRAFT, Matthew Wojcik, INTERIM

KCMS KCS_OPEN_PROFILE File Disclosure Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: kcms_server
Description: Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, Todd Dolinsky, INTERIM, ACCEPTED, Dragos Prisaca, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

DoS Vulnerability in libpng function png_handle_iCCP()
Platforms: Sun Solaris 7
Product: libpng
Description: The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

BIND SIG Resource Records Buffer Overflow
Platforms: Sun Solaris 7
Product: Bind
Description: Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR).
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

BSM Audit Kernel Panic
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Basic Security Module
Description: Unknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic).
Contributors and status: Brian Soby, DRAFT, Sudhir Gandhe, INTERIM

ypxfrd File Disclosure Vulnerability
Platforms: Sun Solaris 7
Product: NIS
Description: The getdbm procedure in ypxfrd allows local users to read arbitrary files, and remote attackers to read databases outside /var/yp, via a directory traversal and symlink attack on the domain and map arguments.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Multiple Buffer Overflows in libpng
Platforms: Sun Solaris 7
Product: libpng
Description: Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Sun RPC No Timeout Denial of Service on TCP Ports
Platforms: Sun Solaris 7
Product: libc
Description: The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang).
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Sendmail Address Processor Buffer Overflow
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Sendmail
Description: Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

BIND DoS via SIG RR Elements
Platforms: Sun Solaris 7
Product: Bind
Description: BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

System V login Buffer Overflow
Platforms: Sun Solaris 7
Product: login
Description: Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

ISC BIND Cache Poison Denial Of Service
Platforms: Sun Solaris 7
Product: Bind
Description: ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, Brian Soby, Brian Soby, INTERIM, ACCEPTED, ACCEPTED

Multiple Buffer Overflows in Kerberos 5 (krb5_aname_to_localname)
Platforms: Sun Solaris 7
Product: Solaris Enterprise Authentication Mechanism (SEAM)
Description: Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
Contributors and status: Brian Soby, DRAFT, Brian Soby, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, ACCEPTED, ACCEPTED

dtsession Buffer Overflow via HOME Envvar
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Common Desktop Environment
Description: Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

CDE dtspcd Daemon Symlink Vulnerability
Platforms: Sun Solaris 7
Product: dtspcd
Description: The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

ypbind Daemon Buffer Overflow
Platforms: Sun Solaris 7
Product: NIS
Description: Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Buffer Overflow in "in.telnetd" or "telnetd" Process
Platforms: Sun Solaris 7, Sun Solaris 8
Description: Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.
Contributors and status: Pai Peng, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 LBXProxy Display Name Buffer Overflow
Platforms: Sun Solaris 7
Product: lbxproxy
Description: Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option.
Contributors and status: David Proulx, ACCEPTED

Solaris 7 CDE ToolTalk Database Heap Corruption Vulnerability
Platforms: Sun Solaris 7
Product: Common Desktop Environment
Description: Buffer overflow in Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) allows remote attackers to execute arbitrary code via an argument to the _TT_CREATE_FILE procedure.
Contributors and status: David Proulx, Todd Dolinsky, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

/usr/lib/print/conv_fix Privilege Escalation Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Description: Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, INTERIM, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 X Font Server Remote Buffer Overrun
Platforms: Sun Solaris 7
Product: fs.auto, xfs
Description: Buffer overflow in Dispatch() routine for XFS font server (fs.auto) on Solaris 2.5.1 through 9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a certain XFS query.
Contributors and status: David Proulx, Todd Dolinsky, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Integer Overflow in libpng via Malformed PNG Image
Platforms: Sun Solaris 7
Product: libpng
Description: Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris CDE DTLogin XDMCP Parser Remote Double Free Vulnerability
Platforms: Sun Solaris 7
Product: Common Desktop Environment
Description: Double free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet.
Contributors and status: Brian Soby, Brian Soby, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, Jonathan Baker, ACCEPTED, ACCEPTED

PC Netlink 2.0 Privilege Escalation Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Solaris Management Console
Description: The (1) slsmgr and (2) slsadmin programs in Sun Solaris PC NetLink 2.0 create temporary files insecurely, which allows local users to gain privileges.
Contributors and status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Security Vulnerability With Loading Arbitrary Kernel Modules in Solaris Kernel
Platforms: Sun Solaris 8, Sun Solaris 9, Sun Solaris 7, Sun Solaris 2.6
Description: Directory traversal vulnerability in the vfs_getvfssw function in Solaris 2.6, 7, 8, and 9 allows local users to load arbitrary kernel modules via crafted (1) mount or (2) sysfs system calls. NOTE: this might be the same issue as CVE-2004-1767, but there are insufficient details to be sure.
Contributors and status: Nicholas Hansen, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 (SPARC) is installed
Platforms: Sun Solaris 7
Description: The operating system installed on the system is Sun Solaris 7 for SPARC.
Contributors and status: Pai Peng, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 8 (x86) is installed
Platforms: Sun Solaris 8
Description: The operating system installed on the system is Sun Solaris 8 for x86.
Contributors and status: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 (x86) is installed
Platforms: Sun Solaris 7
Description: The operating system installed on the system is Sun Solaris 7 for x86.
Contributors and status: Pai Peng, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 2.6 (x86) is installed
Platforms: Sun Solaris 2.6
Description: The operating system installed on the system is Sun Solaris 2.6 for x86.
Contributors and status: Nicholas Hansen, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 9 (x86) is installed
Platforms: Sun Solaris 9
Description: The operating system installed on the system is Sun Solaris 9 for x86.
Contributors and status: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 8 (SPARC) is installed
Platforms: Sun Solaris 8
Description: The operating system installed on the system is Sun Solaris 8 for SPARC.
Contributors and status: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 9 (SPARC) is installed
Platforms: Sun Solaris 9
Description: The operating system installed on the system is Sun Solaris 9 for SPARC.
Contributors and status: Jonathan Baker, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 2.6 (SPARC) is installed
Platforms: Sun Solaris 2.6
Description: The operating system installed on the system is Sun Solaris 2.6 for SPARC.
Contributors and status: Nicholas Hansen, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Heap Overflow in Solaris 7 xlock
Platforms: Sun Solaris 7
Product: xlock
Description: Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable.
Contributors and status: David Proulx, ACCEPTED

Solaris SAdmin Client Credentials Remote Administrative Access Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Sadmin
Description: The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets.
Contributors and status: Brian Soby, Brian Soby, DRAFT, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, Todd Dolinsky, INTERIM, Todd Dolinsky, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 cachefsd Heap Overflow Vulnerability
Platforms: Sun Solaris 7
Product: cachefsd
Description: Heap-based buffer overflow in cfsd_calloc function of Solaris cachefsd allows remote attackers to execute arbitrary code via a request with a long directory and cache name.
Contributors and status: David Proulx, Brian Soby, INTERIM, ACCEPTED, Todd Dolinsky, INTERIM, ACCEPTED, Jonathan Baker, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 KCMS Arbitrary File Access Vulnerability
Platforms: Sun Solaris 7
Product: kcms_server
Description: Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure.
Contributors and status: David Proulx, Todd Dolinsky, INTERIM, ACCEPTED, Dragos Prisaca, DEPRECATED, Jonathan Baker, DEPRECATED

String Format Vulnerability in Solaris 7 snmpdx
Platforms: Sun Solaris 7
Product: snmpdx
Description: Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges.
Contributors and status: David Proulx, ACCEPTED

Buffer Overflows in uucp
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: uucp
Description: Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, Matthew Wojcik, INTERIM, INTERIM, ACCEPTED, ACCEPTED

Kerberos V5 Null Pointer DoS Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: Solaris Enterprise Authentication Mechanism (SEAM)
Description: MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

SNMP Trap Handling Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8
Product: snmpdx
Description: Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.
Contributors and status: Brian Soby, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Solaris 7 rpc.yppasswdd Buffer Overrun Vulnerability
Platforms: Sun Solaris 7
Product: rpc.yppasswdd
Description: Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username.
Contributors and status: David Proulx, ACCEPTED

libtiff Directory Entry Count Integer Overflow Vulnerability
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: libtiff
Description: Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow.
Contributors and status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

libtiff Malloc Error Denial of Service
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: libtiff
Description: Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.
Contributors and status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

libtiff tif_dirread divide-by-zero Denial of Service
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: libtiff
Description: Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452.
Contributors and status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

libtiff RLE Decoder Buffer Overflow Vulnerabilities
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9, Sun Solaris 10
Product: libtiff
Description: Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.
Contributors and status: Robert L. Hollis, DRAFT, INTERIM, ACCEPTED, ACCEPTED

X Display Manager DoS via Invalid XDMCP Request
Platforms: Sun Solaris 7, Sun Solaris 8, Sun Solaris 9
Product: XDM
Description: X Display Manager (XDM) on Solaris 8 allows remote attackers to cause a denial of service (XDM crash) via an invalid X Display Manager Control Protocol (XDMCP) request.
Contributors and status: Robert L. Hollis, Christine Walzer, DRAFT, INTERIM, ACCEPTED, ACCEPTED

Test comments

egrep "^[Srecipient=2|S2]|^[^#]*\$>2|^[^#]*\$>recipient|^[^#]*\$>4|^[^#]*\$>final" /etc/mail/sendmail.cf
    True if any lines returned

grep c2audit /etc/system
    True if "set c2audit:audit_load = 1" or similar

egrep ^flags:.*a[sd] /etc/security/audit_control
    True if any lines returned

Package which contains /usr/lib/netsvc/yp/ypxfrd

CVE-2002-1265

SUNWcsu = 32bit, SUNWcsxu = 64bit

Rough translation of the Sun recommended test of:
    % grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___
    default_realm = EXAMPLE.COM