The OVAL Repository 5.6 2009-11-20T04:32:23.852-05:00 HP-UX 11 Unspecified vulnerability in libc on HP HP-UX B.11.23 and B.11.31 allows remote attackers to cause a denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED Pai Peng INTERIM INTERIM HP-UX 11 Unspecified vulnerability in Role-Based Access Control (RBAC) in HP HP-UX B.11.23 and B.11.31 allows local users to bypass intended access restrictions via unknown vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite for Archive Formats. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 4 parse.c in sudo 1.6.9p17 through 1.6.9p19 does not properly interpret a system group (aka %group) in the sudoers file during authorization decisions for a user who belongs to that group, which allows local users to leverage an applicable sudoers file and gain root privileges via a sudo command. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMware ESX Server 4 The operating system installed on the system is VMware ESX Server 4.0. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 The PNG reference library (aka libpng) before 1.0.43, and 1.2.x before 1.2.35, as used in pngcrush and other applications, allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in (1) the png_read_png function, (2) pCAL chunk handling, or (3) setup of 16-bit gamma tables. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 VMWare ESX Server 4 The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Unspecified vulnerability in a guest virtual device driver in VMware Workstation before 5.5.9 build 126128, and 6.5.1 and earlier 6.x versions; VMware Player before 1.0.9 build 126128, and 2.5.1 and earlier 2.x versions; VMware ACE before 1.0.8 build 125922, and 2.5.1 and earlier 2.x versions; VMware Server 1.x before 1.0.8 build 126538 and 2.0.x before 2.0.1 build 156745; VMware Fusion before 2.0.1; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to cause a denial of service (host OS crash) via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 vmwarebase.dll, as used in the vmware-authd service (aka vmware-authd.exe), in VMware Workstation 6.5.1 build 126130, 6.5.1 and earlier; VMware Player 2.5.1 build 126130, 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 2.0.x before 2.0.1 build 156745; and VMware Fusion before 2.0.2 build 147997 allows remote attackers to cause a denial of service (daemon crash) via a long (1) USER or (2) PASS command. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Cross-site request forgery (CSRF) vulnerability in Harmoni before 1.6.0 allows remote attackers to make administrative modifications via a (1) save or (2) delete action to an unspecified component. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Directory traversal vulnerability in VMWare ESXi 3.5 before ESXe350-200810401-O-UG and ESX 3.5 before ESX350-200810201-UG allows administrators with the Datastore.FileManagement privilege to gain privileges via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; and (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Unspecified vulnerability in the ACE shared folders implementation in the VMware Host Guest File System (HGFS) shared folders feature in VMware ACE 2.5.1 and earlier allows attackers to enable a disabled shared folder. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 VI Client in VMware VirtualCenter before 2.5 Update 4, VMware ESXi 3.5 before Update 4, and VMware ESX 3.5 before Update 4 retains the VirtualCenter Server password in process memory, which might allow local users to obtain this password. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.3 IBM AIX 6.1 nfs.ext in IBM AIX 5.3.x through 5.3.9 and 6.1.0 through 6.1.2 does not properly use the nfs_portmon setting, which allows remote attackers to bypass intended access restrictions for NFSv4 shares via unspecified vectors. Pai Peng DRAFT INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 VMWare ESX Server 4 The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.3 IBM AIX 6.1 gssd in IBM AIX 5.3.x through 5.3.9 and 6.1.0 through 6.1.2 does not properly handle the NFSv4 Kerberos credential cache, which allows local users to bypass intended access restrictions for Kerberized NFSv4 shares via unspecified vectors. Pai Peng DRAFT INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 Unspecified vulnerability in an ioctl in hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 allows local users to cause a denial of service via unknown vectors, a different vulnerability than CVE-2008-3761. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 The CPU hardware emulation in VMware Workstation 6.0.5 and earlier and 5.5.8 and earlier; Player 2.0.x through 2.0.5 and 1.0.x through 1.0.8; ACE 2.0.x through 2.0.5 and earlier, and 1.0.x through 1.0.7; Server 1.0.x through 1.0.7; ESX 2.5.4 through 3.5; and ESXi 3.5, when running 32-bit and 64-bit guest operating systems, does not properly handle the Trap flag, which allows authenticated guest OS users to gain privileges on the guest OS. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 libpng 1.0.6 through 1.0.32, 1.2.0 through 1.2.26, and 1.4.0beta01 through 1.4.0beta19 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5.x before 6.5.2 build 156735, VMware Player 2.5.x before 2.5.2 build 156735, VMware ACE 2.5.x before 2.5.2 build 156735, and VMware Server 2.0.x before 2.0.1 build 156745 allows remote attackers to execute arbitrary code via a crafted web page or video file, aka ZDI-CVE-435. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Unspecified vulnerability in VMware Workstation 5.5.8 and earlier, and 6.0.5 and earlier 6.x versions; VMware Player 1.0.8 and earlier, and 2.0.5 and earlier 2.x versions; VMware Server 1.0.9 and earlier; VMware ESXi 3.5; and VMware ESX 3.0.2 through 3.5 allows guest OS users to have an unknown impact by sending the virtual hardware a request that triggers an arbitrary physical-memory write operation, leading to memory corruption. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 Vim 7.1.314, 6.4, and other versions allows user-assisted remote attackers to execute arbitrary commands via Vim scripts that do not properly sanitize inputs before invoking the execute or system functions, as demonstrated using (1) filetype.vim, (3) xpm.vim, (4) gzip_vim, and (5) netrw. NOTE: the originally reported version was 7.1.314, but the researcher actually found this set of issues in 7.1.298. NOTE: the zipplugin issue (originally vector 2 in this identifier) has been subsumed by CVE-2008-3075. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 Unspecified vulnerability in the VMware Descheduled Time Accounting driver in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745, VMware Fusion 2.x before 2.0.2 build 147997, VMware ESXi 3.5, and VMware ESX 3.0.2, 3.0.3, and 3.5, when the Descheduled Time Accounting Service is not running, allows guest OS users on Windows to cause a denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 4 The redirect implementation in curl and libcurl 5.11 through 7.19.3, when CURLOPT_FOLLOWLOCATION is enabled, accepts arbitrary Location values, which might allow remote HTTP servers to (1) trigger arbitrary requests to intranet servers, (2) read or overwrite arbitrary files via a redirect to a file: URL, or (3) execute arbitrary commands via a redirect to an scp: URL. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMware ESX Server 4 The operating system installed on the system is VMware ESX Server 4.0. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Unspecified vulnerability in the virtual machine display function in VMware Workstation 6.5.1 and earlier; VMware Player 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 1.x before 1.0.9 build 156507 and 2.x before 2.0.1 build 156745; VMware Fusion before 2.0.4 build 159196; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to execute arbitrary code on the host OS via unknown vectors, a different vulnerability than CVE-2008-4916. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 4 udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMware ESX Server 4 The operating system installed on the system is VMware ESX Server 4.0. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Unspecified vulnerability in VMware ESXi 3.5 before ESXe350-200901401-I-SG and ESX 3.5 before ESX350-200901401-SG allows local administrators to cause a denial of service (host crash) via a snapshot with a malformed VMDK delta disk. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 Vim 3.0 through 7.x before 7.2.010 does not properly escape characters, which allows user-assisted attackers to (1) execute arbitrary shell commands by entering a K keystroke on a line that contains a ";" (semicolon) followed by a command, or execute arbitrary Ex commands by entering an argument after a (2) "Ctrl-]" (control close-square-bracket) or (3) "g]" (g close-square-bracket) keystroke sequence, a different issue than CVE-2008-2712. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5.x before 6.5.2 build 156735, VMware Player 2.5.x before 2.5.2 build 156735, VMware ACE 2.5.x before 2.5.2 build 156735, and VMware Server 2.0.x before 2.0.1 build 156745 allows remote attackers to execute arbitrary code via a crafted web page or video file, aka ZDI-CVE-436. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 BIND 9.6.0, 9.5.1, 9.5.0, 9.4.3, and earlier does not properly check the return value from the OpenSSL DSA_verify function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature, a similar vulnerability to CVE-2008-5077. Michael Wood DRAFT Michael Wood INTERIM INTERIM VMWare ESX Server 3 VMWare ESX Server 3.5 Multiple buffer underflows in the (1) LZWDecode, (2) LZWDecodeCompat, and (3) LZWDecodeVector functions in tif_lzw.c in the LZW decoder in LibTIFF 3.8.2 and earlier allow context-dependent attackers to execute arbitrary code via a crafted TIFF file, related to improper handling of the CODE_CLEAR code. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 VMWare ESX Server 4 The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMware ESX Server 4 The operating system installed on the system is VMware ESX Server 4.0. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 3.5 Unspecified vulnerability in vmci.sys in the Virtual Machine Communication Interface (VMCI) in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 2.0.x before 2.0.1 build 156745 allows local users to gain privileges via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED VMware ESX Server 3.5 The operating system installed on the system is VMware ESX Server 3.5.0. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in bootpd in HP HP-UX B.11.11, B.11.23, and B.11.31 allows remote attackers to cause a denial of service via unknown attack vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the pollwakeup function in Sun Solaris 10, and OpenSolaris before snv_51, allows local users to cause a denial of service (panic) via unknown vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 in.lpd in the print service in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors that trigger a "fork()/exec() bomb." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The kernel in Sun Solaris 8, 9, and 10, and OpenSolaris before snv_103, does not properly handle interaction between the filesystem and virtual-memory implementations, which allows local users to cause a denial of service (deadlock and system halt) via vectors involving mmap and write operations on the same file. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 6.1 Untrusted search path vulnerability in chnfsmnt in IBM AIX 6.1 allows local users to gain privileges via a modified PATH environment variable. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The (1) sendfile and (2) sendfilev functions in Sun Solaris 8 through 10, and OpenSolaris before snv_110, allow local users to cause a denial of service (panic) via vectors related to vnode function calls. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the UFS module in Sun Solaris 8 through 10 and OpenSolaris allows local users to cause a denial of service (NULL pointer dereference and kernel panic) via unknown vectors related to the Solaris Access Control List (ACL) implementation. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5 (aka krb5) 1.6.3, when PK-INIT is used, allows remote attackers to cause a denial of service (application crash) via a crafted length value that triggers an erroneous malloc call, related to incorrect calculations with pointer arithmetic. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Use-after-free vulnerability in the frpr_icmp function in the ipfilter (aka IP Filter) subsystem in Sun Solaris 10, and OpenSolaris snv_45 through snv_110, allows remote attackers to cause a denial of service (panic) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the SCTP implementation in Sun Solaris 10, and OpenSolaris before snv_120, allows remote attackers to cause a denial of service (panic) via unspecified packets. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in the crypto_recv function in ntp_crypto.c in ntpd in NTP before 4.2.4p7 and 4.2.5 before 4.2.5p74, when OpenSSL and autokey are enabled, allows remote attackers to execute arbitrary code via a crafted packet containing an extension field. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in HP-UX B.11.31 allows local users to cause a denial of service (system crash) via unknown vectors related to the ttrace system call. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 6.1 The WPAR system call implementation in the kernel in IBM AIX 6.1 allows local users to cause a denial of service via unknown calls that trigger "undefined behavior." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Race condition in the Solaris Auditing subsystem in Sun Solaris 9 and 10 and OpenSolaris before snv_121, when extended file attributes are used, allows local users to cause a denial of service (panic) via vectors related to "pathnames for invalid fds." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.2 IBM AIX 5.3 IBM AIX 6.1 Multiple unspecified vulnerabilities in IBM AIX 5.2.0 through 6.1.2 allow local users to append data to arbitrary files, related to (1) rmsock and (2) rmsock64 not creating "secure log files." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 XScreenSaver in Sun Solaris 9 and 10, OpenSolaris before snv_120, and X11 6.4.1 for Solaris 8, when the Xorg or Xnewt server is used, allows physically proximate attackers to obtain sensitive information by reading popup windows, which are displayed even when the screen is locked, a different vulnerability than CVE-2009-1276. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the NFSv4 module in the kernel in Sun Solaris 10, and OpenSolaris snv_102 through snv_119, allows local users to cause a denial of service (client panic) via vectors involving "file operations." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute arbitrary code via a crafted response. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.2 IBM AIX 5.3 IBM AIX 6.1 Stack-based buffer overflow in muxatmd in IBM AIX 5.2, 5.3, and 6.1 allows local users to gain privileges via a long filename. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.3 IBM AIX 6.1 Buffer overflow in autoconf6 in IBM AIX 6.1.0 through 6.1.2, when Role-Based Access Control is enabled, allows local users with aix.network.config.tcpip authorization to gain privileges via unspecified vectors. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.3 The operating system installed on the system is IBM AIX version 5300-00 through 5300-06. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.2 IBM AIX 5.3 IBM AIX 6.1 at in bos.rte.cron on IBM AIX 5.2.0, 5.3.0 through 5.3.9, and 6.1.0 through 6.1.2 allows local users to read arbitrary files via unspecified vectors, related to failure to drop root privileges. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 6.1 crontab in bos.rte.cron in IBM AIX 6.1.0 through 6.1.2 allows local users with aix.system.config.cron authorization to gain privileges by launching an editor. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.3 IBM AIX 5.2 Buffer overflow in the drmgr command in IBM AIX 5.2 and 5.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long path name. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.3 IBM AIX 6.1 The malloc subsystem in libc in IBM AIX 5.3 and 6.1 allows local users to create or overwrite arbitrary files via a symlink attack on the log file associated with the MALLOCDEBUG environment variable. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.3 The operating system installed on the system is IBM AIX version 5300-00. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.3 The operating system installed on the system is IBM AIX version 5300-01 through 5300-06. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.2 IBM AIX 5.3 IBM AIX 6.1 Buffer overflow in the pioout program in printers.rte in IBM AIX 5.2, 5.3, and 6.1 allows local users to gain privileges via a long command line option. Michael Wood DRAFT INTERIM ACCEPTED Aharon Chernin INTERIM ACCEPTED ACCEPTED IBM AIX 5.3 The operating system installed on the system is IBM AIX version 5300-09. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.3 The operating system installed on the system is IBM AIX version 5300-00 through 5300-05. Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 6.1 The operating system installed on the system is IBM AIX version 6100-01. Aharon Chernin DRAFT Aharon Chernin INTERIM ACCEPTED ACCEPTED IBM AIX 6.1 The operating system installed on the system is IBM AIX version 6100-02. Aharon Chernin DRAFT Aharon Chernin INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in rpc.nisd in Sun Solaris 8 through 10, and OpenSolaris before snv_104, allows remote authenticated users to cause a denial of service (NIS+ daemon hang) via unspecified vectors related to NIS+ callbacks. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple race conditions in the Solaris Event Port API in Sun Solaris 10 and OpenSolaris before snv_107 allow local users to cause a denial of service (panic) via unspecified vectors related to a race between the port_dissociate and close functions. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Format string vulnerability in libwebconsole_services.so in Sun Java Web Console 2.2.2 through 2.2.5 allows remote attackers to cause a denial of service (application crash), obtain sensitive information, and possibly execute arbitrary code via unspecified vectors during a failed login attempt, related to syslog. Pai Peng DRAFT INTERIM ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files. Robert L. Hollis DRAFT INTERIM ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 gzip Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the Internet Protocol (IP) functionality in Sun Solaris 10 allows local users to cause a denial of service (panic) via unspecified vectors, probably related to a UDP packet. Pai Peng DRAFT INTERIM ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 gzip Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Enterprise Storage Manager (ESM) Unknown vulnerability in Sun StorEdge Enterprise Storage Manager (ESM) 2.1 for Solaris 8 and Solaris 9 allows local users with the "ESMUser" role to gain root access. Brian Soby DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Heap-based buffer overflow in sadmind in Sun Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted RPC request, related to improper decoding of request parameters. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Stack-based buffer overflow in the adm_build_path function in sadmind in Sun Solstice AdminSuite on Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted request. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Integer overflow in sadmind in Sun Solaris 8 and 9 allows remote attackers to execute arbitrary code via a crafted RPC request that triggers a heap-based buffer overflow, related to improper memory allocation. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 The kernel in Sun Solaris 9 allows local users to cause a denial of service (panic) by calling fstat with a first argument of AT_FDCWD. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in useradd in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to access arbitrary files and directories via unknown vectors, a different issue than CVE-2008-1660. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 rpc.metad in Sun Solaris 10 allows remote attackers to cause a denial of service (daemon crash) via a malformed RPC request. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges. Matt Busby Matt Busby INTERIM ACCEPTED ACCEPTED Sun Solaris 8 kcms_configure kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. David Proulx ACCEPTED Sun Solaris 8 xlock Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable. David Proulx ACCEPTED Sun Solaris 8 snmpdx Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges. David Proulx ACCEPTED Sun Solaris 8 Xsun Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument. David Proulx ACCEPTED Sun Solaris 7 Xsun Buffer overflow in Xsun on Solaris 2.6 through 8 allows local users to gain root privileges via a long -co (color database) command line argument. David Proulx ACCEPTED Sun Solaris 8 rpc.yppasswdd Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username. David Proulx ACCEPTED Sun Solaris 7 mibiisa Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. David Proulx ACCEPTED Sun Solaris 7 kcms_configure kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. David Proulx ACCEPTED Sun Solaris 8 lbxproxy Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. David Proulx ACCEPTED Sun Solaris 8 mibiisa Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. David Proulx ACCEPTED Sun Solaris 7 rpc.yppasswdd Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username. David Proulx ACCEPTED Sun Solaris 7 snmpdx Format string vulnerability in the logging component of snmpdx for Solaris 5.6 through 8 allows remote attackers to gain root privileges. David Proulx ACCEPTED Sun Solaris 7 xlock Heap overflow in xlock in Solaris 2.6 through 8 allows local users to gain root privileges via a long (1) XFILESEARCHPATH or (2) XUSERFILESEARCHPATH environmental variable. David Proulx ACCEPTED Sun Solaris 7 lbxproxy Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. David Proulx ACCEPTED Sun Solaris 8 Sun Solaris 9 Apache Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Crypto Accelerator 4000 The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Apache Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 DtMail Format string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Apache Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Cluster Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Apache mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret. Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Cluster OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Apache mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions. Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Apache Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. Brian Soby Brian Soby Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Bind BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Xsun Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 snmpdx Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mozilla Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Samba Buffer overflow in samba 2.2.2 through 2.2.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an encrypted password that causes the overflow during decryption in which a DOS codepage string is converted to a little-endian UCS2 unicode string. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 libpng Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 NIS Buffer overflow in ypbind daemon in Solaris 5.4 through 8 allows remote attackers to execute arbitrary code. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 dtspcd The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Common Desktop Environment Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 pam_krb5 Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files. Brian Soby DRAFT Brian Soby INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Bind BIND 8.x through 8.3.3 allows remote attackers to cause a denial of service (crash) via SIG RR elements with invalid expiry times, which are removed from the internal BIND database and later cause a null dereference. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Kerberos5 The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding. Brian Soby DRAFT Brian Soby INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sendmail Buffer overflow in Sendmail before 8.12.5, when configured to use a custom DNS map to query TXT records, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malicious DNS server. Brian Soby DRAFT Brian Soby INTERIM ACCEPTED ACCEPTED Sun Solaris 7 libpng Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mozilla Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 NIS The getdbm procedure in ypxfrd allows local users to read arbitrary files, and remote attackers to read databases outside /var/yp, via a directory traversal and symlink attack on the domain and map arguments. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Bind Buffer overflow in named in BIND 4 versions 4.9.10 and earlier, and 8 versions 8.3.3 and earlier, allows remote attackers to execute arbitrary code via a certain DNS server response containing SIG resource records (RR). Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 libpng The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 OpenSSH A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sendmail The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Common Desktop Environment Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mozilla Mozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mozilla Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Solaris Runtime Linker Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mozilla Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 priocntl() Directory traversal vulnerability in priocntl system call in Solaris does allows local users to execute arbitrary code via ".." sequences in the pc_clname field of a pcinfo_t structure, which cause priocntl to load a malicious kernel module. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mozilla Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 lpstat, libprint Unknown multiple vulnerabilities in (1) lpstat and (2) the libprint library in Solaris 2.6 through 9 may allow attackers to execute arbitrary code or read or write arbitrary files. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Bind Buffer overflow in the DNS resolver code used in libc, glibc, and libbind, as derived from ISC BIND, allows remote malicious DNS servers to cause a denial of service and possibly execute arbitrary code via the stub resolvers. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Common Desktop Environment Buffer overflow in TT_SESSION environment variable in ToolTalk shared library allows local users to gain root privileges. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 lpstat Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mozilla Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mozilla Integer overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mozilla The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Licence Logging Service Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Licence Logging Service gzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sendmail Buffer overflow in Sendmail 5.79 to 8.12.7 allows remote attackers to execute arbitrary code via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr function of headers.c. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 libc The Sun RPC functionality in multiple libc implementations does not provide a time-out mechanism when reading data from TCP connections, which allows remote attackers to cause a denial of service (hang). Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Licence Logging Service Buffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Basic Security Module The patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 sendfilev() Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Bind Unknown vulnerability in in.named on Solaris 8 allows remote attackers to cause a denial of service (process crash). Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Solaris Enterprise Authentication Mechanism (SEAM) Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. Brian Soby DRAFT Brian Soby INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Kerberos5 The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers Solaris kerberos Sun Solaris 7 Solaris Enterprise Authentication Mechanism (SEAM) The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Vulnerability exists in standard Solaris kerberos and SEAM. This definition only covers SEAM Sun Solaris 7 Sun RPC Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Specific applications using this library are not tested for because Suns advisory only provides a sample of known vulnerable applications and states that they are still investigating. Sun Solaris 7 Sun Solaris 8 Bourne Shell (sh) Bourne Again Shell (bash) TENEX C Shell (tcsh) C Shell (csh) Korn Shell (ksh) Multiple shell programs on various Unix systems, including (1) tcsh, (2) csh, (3) sh, and (4) bash, follow symlinks when processing << redirects (aka here-documents or in-here documents), which allows local users to overwrite files of other users via a symlink attack. Brian Soby DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM Matthew Wojcik ACCEPTED ACCEPTED Sun Solaris 7 login Buffer overflow in login in various System V based operating systems allows remote attackers to execute arbitrary commands via a large number of arguments through services such as telnet and rlogin. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Solaris Enterprise Authentication Mechanism (SEAM) MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 LDAP Unspecified vulnerability in Solaris 8 and 9 allows local users to obtain the LDAP Directory Server root Distinguished Name (rootDN) password when a privileged user (1) runs idsconfig; or "insecurely" runs LDAP2 commands with the -w option, including (2) ldapadd, (3) ldapdelete, (4) ldapmodify, (5) ldapmodrdn, and (6) ldapsearch. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Operating System Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688). Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Operating System Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687). Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Operating System X.Org server (xorg-server) 1.0.0 and later, X11R6.9.0, and X11R7.0 inadvertently treats the address of the geteuid function as if it is the return value of a call to geteuid, which allows local users to bypass intended restrictions and (1) execute arbitrary code via the -modulepath command line option or (2) overwrite arbitrary files via -logfile. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Perl Integer overflow in the format string functionality (Perl_sv_vcatpvfn) in Perl 5.9.2 and 5.8.6 Perl allows attackers to overwrite arbitrary memory and possibly execute arbitrary code via format string specifiers with large values, which causes an integer wrap and leads to a buffer overflow, as demonstrated using format string vulnerabilities in Perl applications. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Unspecified vulnerability in the hsfs filesystem in Solaris 8, 9, and 10 allows unspecified attackers to cause a denial of service (panic) or execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 X Unspecified vulnerability in in.rexecd in Solaris 10 allows local users to gain privileges on Kerberos systems via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Operating System Unspecified vulnerability in Sun Solaris 10 allows local users to cause a denial of service (null dereference) via unspecified vectors involving the use of the find command on the "/proc" filesystem. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2005-3250. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Operating System Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Operating System Unspecified vulnerability in uucp in Sun Solaris 8 and 9 has unknown impact and attack vectors. NOTE: due to the vagueness of the vendor advisory, it is not clear whether this is related to CVE-2004-0780. Robert L. Hollis DRAFT Matthew Wojcik INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Solaris Management Console The (1) slsmgr and (2) slsadmin programs in Sun Solaris PC NetLink 2.0 create temporary files insecurely, which allows local users to gain privileges. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Solaris Management Console The default configuration of the web server for the Solaris Management Console (SMC) in Solaris 8, 9, and 10 enables the HTTP TRACE method, which could allow remote attackers to obtain sensitive information such as cookies and authentication data from HTTP headers. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 libtiff Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 libtiff Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 libtiff Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED