A Security Vulnerability in Solaris 10 involving the sendfilev() system call could result in Denial of Service (DoS) due to System Panic

The OVAL Repository 5.4 2008-08-21T09:09:25.459-04:00 A Security Vulnerability in Solaris 10 involving the sendfilev() system call could result in Denial of Service (DoS) due to System Panic Sun Solaris 10 Unspecified vulnerability in Sun Solaris 10 and OpenSolaris before snv_96 allows (1) context-dependent attackers to cause a denial of service (panic) via vectors involving creation of a crafted file and use of the sendfilev system call, as demonstrated by a file served by an Apache 2.2.x web server with EnableSendFile configured; and (2) local users to cause a denial of service (panic) via a call to sendfilev or sendfile. Pai Peng DRAFT DRAFT Security Vulnerability in Solaris snoop(1M) when Displaying SMB Traffic Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allows remote attackers to execute arbitrary code via a crafted SMB packet, a different vulnerability than CVE-2008-0965. Pai Peng DRAFT DRAFT Security Vulnerabilities in the Solaris Priority Inherited pthread mutex API May Result in a Denial of Service (DoS) Condition Sun Solaris 10 Unspecified vulnerability in the pthread_mutex_reltimedlock_np API in Sun Solaris 10 and OpenSolaris before snv_90 allows local users to cause a denial of service (system hang or panic) via unknown vectors. Pai Peng DRAFT DRAFT Security Vulnerability in Solaris snoop(1M) when Displaying SMB Traffic Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allows remote attackers to execute arbitrary code via a crafted SMB packet, a different vulnerability than CVE-2008-0964. Pai Peng DRAFT DRAFT A Security Vulnerability in the namefs Kernel module may result in Arbitrary Code Execution or a Denial of Service (DoS) Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the namefs kernel module in Sun Solaris 8 through 10 allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors. Nicholas Hansen DRAFT DRAFT Vulnerability in the Solaris 10 Event Port Implementation May Lead to a System Panic, Resulting in a Denial of Service (DoS) Sun Solaris 10 Unspecified vulnerability in the event port implementation in Sun Solaris 10 allows local users to cause a denial of service (panic) by submitting and retrieving user-defined events, probably related to a NULL dereference. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED A Security Vulnerability in IP Multicast Filter processing of Sockets may lead to a system panic or possible execution of Arbitrary Code Sun Solaris 10 Integer signedness error in the ip_set_srcfilter function in the IP Multicast Filter in uts/common/inet/ip/ip_multi.c in the kernel in Sun Solaris 10 and OpenSolaris before snv_92 allows local users to execute arbitrary code in other Solaris Zones via an SIOCSIPMSFILTER IOCTL request with a large value of the imsf->imsf_numsrc field, which triggers an out-of-bounds write of kernel memory. NOTE: this was reported as an integer overflow, but the root cause involves the bypass of a signed comparison. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in the Solaris crontab(1) utility may allow execution of Arbitrary Code Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in crontab on Sun Solaris 8 through 10, and OpenSolaris before snv_93, allows local users to insert cron jobs into the crontab files of arbitrary users via unspecified vectors. Nicholas Hansen DRAFT INTERIM Dragos Prisaca ACCEPTED ACCEPTED Security Vulnerability in the Solaris 10 STREAMS Administrative Driver ("sad") May Allow a Denial of Service (System panic) Sun Solaris 10 Race condition in the STREAMS Administrative Driver (sad) in Sun Solaris 10 allows local users to cause a denial of service (panic) via unknown vectors. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerabilities in Solaris Print Service May Lead to Denial of Service (DoS) or Execution of Arbitrary Code Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple unspecified vulnerabilities in Solaris print service for Sun Solaris 8, 9, and 10 allow remote attackers to cause a denial of service or execute arbitrary code via unknown vectors. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in Solaris 10 Involving the SCTP Protocol May Result in a Denial of Network Services Due to Network Flooding Sun Solaris 10 Unspecified vulnerability in the SCTP protocol implementation in Sun Solaris 10 allows remote attackers to cause a denial of service (CPU consumption and network traffic amplification) via a crafted SCTP packet. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in Solaris 10 Involving the SCTP Protocol May Result in a Panic and Denial of Service (DoS) Sun Solaris 10 Unspecified vulnerability in the SCTP protocol implementation in Sun Solaris 10 allows remote attackers to cause a denial of service (panic) via a crafted SCTP packet. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED A Security Vulnerability in Floating Point Context Switch Implementation May Result in a Denial of Service (DoS) or Data Integrity Issues Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the floating point context switch implementation in Sun Solaris 9 and 10 on x86 platforms might allow local users to cause a denial of service (application exit), corrupt data, or trigger incorrect calculations via unknown vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED A Security Vulnerability in the Handling of Self Encapsulated IP Packets may Lead to a Denial of Service (DOS) Condition. Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Sun Solaris 8, 9, and 10 allows "remote privileged" users to cause a denial of service (panic) via unknown vectors related to self encapsulated IP packets. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in inetd(1M) Daemon When Debug Logging is Enabled Sun Solaris 10 inetd on Sun Solaris 10, when debug logging is enabled, allows local users to write to arbitrary files via a symlink attack on the /var/tmp/inetd.log temporary file. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED A Security Vulnerability in Solaris 10 libexif May Allow Code Execution or a Denial of Service (DoS) Condition Sun Solaris 10 Integer overflow in libexif 0.6.16 and earlier allows context-dependent attackers to execute arbitrary code via an image with crafted EXIF tags, possibly involving the exif_data_load_data_thumbnail function in exif-data.c. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Multiple Security Vulnerabilities in ICU 3.2 Library Regular Expression Processing May Cause a Denial of Service (DoS) Sun Solaris 9 Sun Solaris 10 Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Multiple Security Vulnerabilities in ICU 3.2 Library Regular Expression Processing May Cause a Denial of Service (DoS) Sun Solaris 9 Sun Solaris 10 libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability May Allow Firewall Compromise or Creation of Denial of Service (DoS) Condition Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the Internet Protocol (IP) implementation in Sun Solaris 8, 9, and 10 allows remote attackers to bypass intended firewall policies or cause a denial of service (panic) via unknown vectors, possibly related to ICMP packets and IP fragment reassembly. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Two Security Vulnerabilities Exist Within the cpc(3CPC) Sub-System of the Solaris Kernel Sun Solaris 10 Multiple race conditions in the CPU Performance Counters (cpc) subsystem in the kernel in Sun Solaris 10 allow local users to cause a denial of service (panic) via unspecified vectors related to kcpc_unbind and kcpc_restore. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in the Solaris 10 DTrace Dynamic Tracing Framework May Allow Unauthorized Kernel Level Tracing Sun Solaris 10 Unspecified vulnerability in the dynamic tracing framework (DTrace) in Sun Solaris 10 allows local users with PRIV_DTRACE_USER or PRIV_DTRACE_PROC privileges to obtain sensitive kernel information via unspecified vectors, a different vulnerability than CVE-2007-4126. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in the libxml2 Library May Lead to a Denial of Service (DoS) Sun Solaris 9 Sun Solaris 10 The xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in Solaris 10 OpenSSL SSL_get_shared_ciphers() Function Sun Solaris 10 Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in the Solaris X Server May Lead to Unauthorized Disclosure of Information on Access Restricted Files and Directories Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 X.Org Xserver before 1.4.1 allows local users to determine the existence of arbitrary files via a filename argument in the -sp option to the X program, which produces different error messages depending on whether the filename exists. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED A Security Vulnerability in the USB Mouse STREAMS Module May Lead to a System Panic Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the USB Mouse STREAMS module (usbms) in Sun Solaris 9 and 10, when 64-bit mode is enabled, allows local users to cause a denial of service (panic) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in Simplified Chinese, Traditional Chinese, Korean, and Thai Language Input Methods Sun Solaris 10 The (1) Simplified Chinese, (2) Traditional Chinese, (3) Korean, and (4) Thai language input methods in Sun Solaris 10 create files and directories with weak permissions under (a) .iiim/le and (b) .Xlocale in home directories, which might allow local users to write to, or read from, the home directories of other users. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in FreeType 2 Font Engine May Allow Privilege Escalation Due to Heap Overflow Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in Solaris 10 Related to the dotoprocs() Routine Sun Solaris 10 Unspecified vulnerability in the dotoprocs function in Sun Solaris 10 allows local users to cause a denial of service (panic) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED A Security Vulnerability in libdevinfo(3LIB) May Allow Unauthorized Access to Files on the System Sun Solaris 10 Unspecified vulnerability in libdevinfo in Sun Solaris 10 allows local users to access files and gain privileges via unknown vectors, related to login device permissions. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerabilities in OpenSSL May Lead to a Denial of Service (DoS) to Applications or Execution of Arbitrary Code With Elevated Privileges Sun Solaris 10 The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerabilities in OpenSSL May Lead to a Denial of Service (DoS) to Applications or Execution of Arbitrary Code With Elevated Privileges Sun Solaris 10 Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED A Security Vulnerability in Solaris Volume Manager (SVM) May Allow a Denial of Service (DoS) Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the ioctl interface in the Solaris Volume Manager (SVM) in Sun Solaris 9 and 10 allows local users to cause a denial of service (panic) via unspecified vectors, a different vulnerability than CVE-2004-1346. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in the Solaris 10 Internet Protocol (ip(7P)) may Lead to a Denial of Service (DoS) Condition Sun Solaris 10 Unspecified vulnerability in the Internet Protocol (IP) functionality in Sun Solaris 10 allows local users to cause a denial of service (panic) via unspecified vectors, probably related to a UDP packet. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in RPCSEC_GSS (rpcsec_gss(3NSL)) Affects Kerberos Administration Daemon (kadmind(1M)) Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerabilities in Solaris Kernel Statistics Retrieval Process May Allow a Denial of Service (DoS) Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple unspecified vulnerabilities in the kernel in Sun Solaris 8 through 10 allow local users to cause a denial of service (panic), related to the support for retrieval of kernel statistics, and possibly related to the sfmmu_mlspl_enter or sfmmu_mlist_enter functions. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in the Solaris Auditing (BSM) Related to Network Auditing May Lead to Denial of Service (DoS) Sun Solaris 10 Unspecified vulnerability in "Solaris Auditing" in the Basic Security Module (BSM) in Sun Solaris 10, when configured for auditing of networking (nt) events, allows local users to cause a denial of service (panic) via unspecified vectors. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in the Solaris 10 Virtual File System (VFS) may Lead to a Denial of Service (DoS) Condition Sun Solaris 10 Unspecified vulnerability in the Virtual File System (VFS) in Sun Solaris 10 allows local users to cause a denial of service (kernel memory consumption) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerabilities in the Solaris Trusted Extensions "labeld" Service May Lead to a Denial of Service (DoS) Condition Sun Solaris 10 Multiple unspecified vulnerabilities in labeld in Trusted Extensions in Sun Solaris 10 allow local users to cause a denial of service (multiple application hang) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in the Kerberos Administration Daemon (kadmind(1M)) May Lead to Arbitrary Code Execution Sun Solaris 9 Sun Solaris 10 Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. Nicholas Hansen DRAFT INTERIM ACCEPTED Nicholas Hansen INTERIM ACCEPTED ACCEPTED Security Vulnerability in the vuidmice(7M) STREAMS Modules May Lead to a Denial of Service (DoS) Condition Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the vuidmice STREAMS modules in Sun Solaris 8, 9, and 10 allows local users with console (/dev/console) access to cause a denial of service ("unusable" system console) via unspecified vectors. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in Solaris Named Pipes (pipe(2)) May Allow Unauthorized Data Access Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative value to the I_PEEK ioctl. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Security Vulnerability in the Human Interface Device (HID) Class Driver for Solaris Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the HID (Human Interface Device) class driver in Sun Solaris 8, 9, and 10 before 20070925 allows local users to cause a denial of service (panic) via unspecified vectors. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED A Security Vulnerability in the Handling of Thread Contexts in the Solaris Kernel May Allow a Denial of Service (DoS) Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of service (panic) via unspecified vectors related to "the handling of thread contexts." Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED A Security Vulnerability With the Special File System (SPECFS) strfreectty() Function May Allow a Local Unprivileged User to Panic a System Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the strfreectty function in the Special File System (SPECFS) in Sun Solaris 8 through 10 allows local users to cause a denial of service (system panic), related to passing a NULL pointer to the pgsignal function. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED A Security Vulnerability in Solaris 10 ICMP Handling May Allow a SystemPanic and Result in Denial of Service (DoS) Sun Solaris 10 Unspecified vulnerability in Sun Solaris 10 before 20070130 allows remote attackers to cause a denial of service (system crash) via certain ICMP packets. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED