The OVAL Repository 5.9 2012-01-27T05:11:14.756-05:00 Sun Solaris 9 Sun Solaris 10 X Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Xsun Unspecified vulnerability in the (1) Xsun and (2) Xprt commands in Solaris 7, 8, 9, and 10 allows local users to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple unspecified vulnerabilities in the KSSL kernel module in Sun Solaris 10, when configured with the KSSL proxy, allow remote attackers to cause a denial of service (kernel panic) via unspecified vectors related to "memory buffers" of Secure Socket Layer (SSL) records. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the dynamic tracing framework (DTrace) on Sun Solaris 10 before 20070730 allows local users with PRIV_DTRACE_USER privileges to cause a denial of service (panic or hang) via unspecified use of certain DTrace programs. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files. Robert L. Hollis DRAFT INTERIM ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Heap-based buffer overflow in Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 allows remote attackers to execute arbitrary code via crafted dimensions of JPEG data in an SWF file. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the TCP Loopback/Fusion implementation in Sun Solaris 10 allows local users to cause a denial of service (resource exhaustion and service hang) via unspecified vectors. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple unspecified vulnerabilities in Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 allow attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple integer overflows in the imageop module in Python 2.5.1 and earlier allow context-dependent attackers to cause a denial of service (application crash) and possibly obtain sensitive information (memory contents) via crafted arguments to (1) the tovideo method, and unspecified other vectors related to (2) imageop.c, (3) rbgimgmodule.c, and other files, which trigger heap-based buffer overflows. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Cross-site scripting (XSS) vulnerability in Status.pm in Apache::Status and Apache2::Status in mod_perl1 and mod_perl2 for the Apache HTTP Server, when /perl-status is accessible, allows remote attackers to inject arbitrary web script or HTML via the URI. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple integer overflows in Python 2.5.2 and earlier allow context-dependent attackers to have an unknown impact via vectors related to the (1) stringobject, (2) unicodeobject, (3) bufferobject, (4) longobject, (5) tupleobject, (6) stropmodule, (7) gcmodule, and (8) mmapmodule modules. NOTE: The expandtabs integer overflows in stringobject and unicodeobject in 2.5.2 are covered by CVE-2008-5031. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Trusted Extensions in Sun Solaris 10 allows local users to gain privileges via vectors related to omission of unspecified libraries from software updates. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Adobe Flash Player 10.x before 10.0.42.34 and Adobe AIR before 1.5.3 might allow attackers to execute arbitrary code via unspecified vectors that trigger memory corruption. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 PerlRun.pm in Apache mod_perl before 1.30, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in Low Bandwidth X proxy (lbxproxy) on Sun Solaris 8 through 10 before 20070725 allows local users to read arbitrary files with root group ownership via unknown vectors. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Integer overflow in the ReadImage function in plug-ins/file-bmp/bmp-read.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a BMP file with crafted width and height values that trigger a heap-based buffer overflow. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Race condition in recursive directory deletion with the (1) -r or (2) -R option in rm in Solaris 8 through 10 before 20070208 allows local users to delete files and directories as the user running rm by moving a low-level directory to a higher level as it is being deleted, which causes rm to chdir to a ".." directory that is higher than expected, possibly up to the root file system, a related issue to CVE-2002-0435. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Integer overflow in the Verifier::parseExceptionHandlers function in Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 allows remote attackers to execute arbitrary code via an SWF file with a large exception_count value that triggers memory corruption, related to "generation of ActionScript exception handlers." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1.3 through 1.6.3, and 1.7 before 1.7.1, allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by providing ciphertext with a length that is too short to be valid. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Integer overflow in the ImageStream::ImageStream function in Stream.cc in Xpdf before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, and CUPS pdftops, allows remote attackers to cause a denial of service (application crash) via a crafted PDF document that triggers a NULL pointer dereference or buffer over-read. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 might allow attackers to execute arbitrary code via unspecified vectors that trigger memory corruption. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple integer overflows in imageop.c in Python before 2.5.3 allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via crafted images that trigger heap-based buffer overflows. NOTE: this issue is due to an incomplete fix for CVE-2007-4965. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Directory traversal vulnerability in the contains_dot_dot function in src/names.c in GNU tar allows user-assisted remote attackers to overwrite arbitrary files via certain //.. (slash slash dot dot) sequences in directory symlinks in a TAR archive. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Adobe Flash Player before 10.0.42.34 and Adobe AIR before 1.5.3 might allow attackers to execute arbitrary code via unspecified vectors, related to a "data injection vulnerability." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple integer overflows in Poppler 0.10.5 and earlier allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF file, related to (1) glib/poppler-page.cc; (2) ArthurOutputDev.cc, (3) CairoOutputDev.cc, (4) GfxState.cc, (5) JBIG2Stream.cc, (6) PSOutputDev.cc, and (7) SplashOutputDev.cc in poppler/; and (8) SplashBitmap.cc, (9) Splash.cc, and (10) SplashFTFont.cc in splash/. NOTE: this may overlap CVE-2009-0791. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 gzip Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the Solaris component in Oracle Sun Product Suite 10 and OpenSolaris snv_01 through snv_98 allows local users to affect availability via unknown vectors related to the Kernel. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Sun Solaris 9 Access Manager Unspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P4, 9.5 before 9.5.2-P1, 9.6 before 9.6.1-P2, and 9.7 beta before 9.7.0b3, with DNSSEC validation enabled and checking disabled (CD), allows remote attackers to conduct DNS cache poisoning attacks by receiving a recursive client query and sending a response that contains an Additional section with crafted data, which is not properly handled when the response is processed "at the same time as requesting DNSSEC records (DO)," aka Bug 20438. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 ISC BIND 9.0.x through 9.3.x, 9.4 before 9.4.3-P5, 9.5 before 9.5.2-P2, 9.6 before 9.6.1-P3, and 9.7.0 beta does not properly validate DNSSEC (1) NSEC and (2) NSEC3 records, which allows remote attackers to add the Authenticated Data (AD) flag to a forged NXDOMAIN response for an existing domain. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Kerberos Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the Sun Management Center component in Oracle Sun Product Suite 3.6.1 and 4.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Solaris Container Manager. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the Solaris component in Oracle Sun Product Suite 10 and OpenSolaris snv_134 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Trusted Extensions. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver. Robert L. Hollis DRAFT INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED ACCEPTED Sun Solaris 10 The ucode_ioctl function in intel/io/ucode_drv.c in Sun Solaris 10 and OpenSolaris snv_69 through snv_133, when running on x86 architectures, allows local users to cause a denial of service (panic) via a request with a 0 size value to the UCODE_GET_VERSION IOCTL, which triggers a NULL pointer dereference in the ucode_get_rev function, related to retrieval of the microcode revision. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Trusted Extensions in Sun Solaris 10 interferes with the operation of the xscreensaver-demo command for the XScreenSaver application, which makes it easier for physically proximate attackers to access an unattended workstation for which the intended screen locking did not occur, related to the "restart daemon." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 XScreenSaver in Sun Solaris 10, when the accessibility feature is enabled, allows physically proximate attackers to obtain sensitive information by reading popup windows, which are displayed even when the screen is locked, a different vulnerability than CVE-2009-1276 and CVE-2009-2711. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Memory leak in the Sockets Direct Protocol (SDP) driver in Sun Solaris 10, and OpenSolaris snv_57 through snv_94, allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the Solaris Trusted Extensions Policy configuration in Sun Solaris 10, and OpenSolaris snv_37 through snv_125, might allow remote attackers to execute arbitrary code by leveraging access to the X server. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the pollwakeup function in Sun Solaris 10, and OpenSolaris before snv_51, allows local users to cause a denial of service (panic) via unknown vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Use-after-free vulnerability in the frpr_icmp function in the ipfilter (aka IP Filter) subsystem in Sun Solaris 10, and OpenSolaris snv_45 through snv_110, allows remote attackers to cause a denial of service (panic) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the SCTP implementation in Sun Solaris 10, and OpenSolaris before snv_120, allows remote attackers to cause a denial of service (panic) via unspecified packets. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in rpc.nisd in Sun Solaris 8 through 10, and OpenSolaris before snv_104, allows remote authenticated users to cause a denial of service (NIS+ daemon hang) via unspecified vectors related to NIS+ callbacks. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM Matthew Wojcik ACCEPTED Pai Peng INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the keysock kernel module in Solaris 10 and OpenSolaris builds snv_01 through snv_108 allows local users to cause a denial of service (system panic) via unknown vectors related to PF_KEY socket, probably related to setting socket options. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Race condition in the dircmp script in Sun Solaris 8 through 10, and OpenSolaris snv_01 through snv_111, allows local users to overwrite arbitrary files, probably involving a symlink attack on temporary files. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in lpadmin in Sun Solaris 10 and OpenSolaris snv_61 through snv_106 allows local users to cause a denial of service via unspecified vectors, related to enumeration of "wrong printers," aka a "Temporary file vulnerability." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in Kerberos Incremental Propagation in Solaris 10 and OpenSolaris snv_01 through snv_110 allows remote attackers to cause a denial of service (loss of incremental propagation requests to slave KDC servers) via unknown vectors related to the master Key Distribution Center (KDC) server. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Race condition in the Solaris Auditing subsystem in Sun Solaris 9 and 10 and OpenSolaris before snv_121, when extended file attributes are used, allows local users to cause a denial of service (panic) via vectors related to "pathnames for invalid fds." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The kernel in Sun Solaris 8, 9, and 10, and OpenSolaris before snv_103, does not properly handle interaction between the filesystem and virtual-memory implementations, which allows local users to cause a denial of service (deadlock and system halt) via vectors involving mmap and write operations on the same file. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 libike in Sun Solaris 9 and 10, and OpenSolaris before snv_100, does not properly check packets, which allows remote attackers to cause a denial of service (in.iked daemon crash) via an unspecified IKE packet, a different vulnerability than CVE-2007-2989. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 The IP-in-IP packet processing implementation in the IPsec and IP stacks in the kernel in Sun Solaris 9 and 10, and OpenSolaris snv_01 though snv_85, allows local users to cause a denial of service (panic) via a self-encapsulated packet that lacks IPsec protection. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Race condition in the pseudo-terminal (aka pty) driver module in Sun Solaris 8 through 10, and OpenSolaris before snv_103, allows local users to cause a denial of service (panic) via unspecified vectors related to lack of "properly sequenced code" in ptc and ptsl. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The IP implementation in Sun Solaris 8 through 10, and OpenSolaris before snv_82, uses an improper arena when allocating minor numbers for sockets, which allows local users to cause a denial of service (32-bit application failure and login outage) by opening a large number of sockets. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the X Inter Client Exchange library (aka libICE) in Sun Solaris 8 through 10 and OpenSolaris before snv_85 allows context-dependent attackers to cause a denial of service (application crash), as demonstrated by a port scan that triggers a segmentation violation in the Gnome session manager (aka gnome-session). Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the autofs module in the kernel in Sun Solaris 8 through 10, and OpenSolaris before snv_108, allows local users to cause a denial of service (autofs mount outage) or possibly gain privileges via vectors related to "xdr processing problems." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Stack-based buffer overflow in the set_color_table function in sunras.c in the SUNRAS plugin in Gimp 2.2.14 allows user-assisted remote attackers to execute arbitrary code via a crafted RAS file. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 tun in IP Tunnel in Solaris 10 and OpenSolaris snv_01 through snv_76 allows local users to cause a denial of service (panic) and possibly execute arbitrary code via a crafted SIOCGTUNPARAM IOCTL request, which triggers a NULL pointer dereference. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 The PK11_SESSION cache in the OpenSSL PKCS#11 engine in Sun Solaris 10 does not maintain reference counts for operations with asymmetric keys, which allows context-dependent attackers to cause a denial of service (failed cryptographic operations) via unspecified vectors, related to the (1) RSA_sign and (2) RSA_verify functions. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c for gimp before 2.2.12 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XCF file with a large num_axes value in the VECTORS property. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple race conditions in the Solaris Event Port API in Sun Solaris 10 and OpenSolaris before snv_107 allow local users to cause a denial of service (panic) via unspecified vectors related to a race between the port_dissociate and close functions. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple unspecified vulnerabilities in Sun Solaris 8 through 10 allow local users to gain privileges via vectors related to handling of tags with (1) the -t option and (2) the :tag command in the (a) vi, (b) ex, (c) vedit, (d) view, and (e) edit programs. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 XScreenSaver in Sun Solaris 9 and 10, OpenSolaris before snv_120, and X11 6.4.1 for Solaris 8, when the Xorg or Xnewt server is used, allows physically proximate attackers to obtain sensitive information by reading popup windows, which are displayed even when the screen is locked, a different vulnerability than CVE-2009-1276. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request specifying a maximum message size smaller than the minimum IP MTU. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Buffer overflow in the kimgio library for KDE 3.4.0 allows remote attackers to execute arbitrary code via a crafted PCX image file. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The Kerberos credential renewal feature in Sun Solaris 8, 9, and 10, and OpenSolaris build snv_01 through snv_104, allows local users to cause a denial of service (authentication failure) via unspecified vectors related to incorrect cache file permissions, and lack of credential storage by the store_cred function in pam_krb5. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Integer overflow in the seek_to_and_unpack_pixeldata function in the psd.c plugin in Gimp 2.2.15 allows remote attackers to execute arbitrary code via a crafted PSD file that contains a large (1) width or (2) height value. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the event port implementation in Sun Solaris 10 allows local users to cause a denial of service (panic) by submitting and retrieving user-defined events, probably related to a NULL dereference. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple format string vulnerabilities in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via format string specifiers in an SMB packet. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Integer signedness error in the ip_set_srcfilter function in the IP Multicast Filter in uts/common/inet/ip/ip_multi.c in the kernel in Sun Solaris 10 and OpenSolaris before snv_92 allows local users to execute arbitrary code in other Solaris Zones via an SIOCSIPMSFILTER IOCTL request with a large value of the imsf->imsf_numsrc field, which triggers an out-of-bounds write of kernel memory. NOTE: this was reported as an integer overflow, but the root cause involves the bypass of a signed comparison. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 rpc.metad in Sun Solaris 10 allows remote attackers to cause a denial of service (daemon crash) via a malformed RPC request. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The (1) sendfile and (2) sendfilev functions in Sun Solaris 8 through 10, and OpenSolaris before snv_110, allow local users to cause a denial of service (panic) via vectors related to vnode function calls. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 in.dhcpd in the DHCP implementation in Sun Solaris 8 through 10, and OpenSolaris before snv_103, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unknown DHCP requests related to the "number of offers," aka Bug ID 6713805. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 The crypto pseudo device driver in Sun Solaris 10, and OpenSolaris snv_88 through snv_102, does not properly free memory, which allows local users to cause a denial of service (panic) via unspecified vectors, related to the vmem_hash_delete function. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the UFS module in Sun Solaris 8 through 10 and OpenSolaris allows local users to cause a denial of service (NULL pointer dereference and kernel panic) via unknown vectors related to the Solaris Access Control List (ACL) implementation. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the namefs kernel module in Sun Solaris 8 through 10 allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the NFSv4 module in the kernel in Sun Solaris 10, and OpenSolaris snv_102 through snv_119, allows local users to cause a denial of service (client panic) via vectors involving "file operations." Aharon Chernin DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 The (1) Simplified Chinese, (2) Traditional Chinese, (3) Korean, and (4) Thai language input methods in Sun Solaris 10 create files and directories with weak permissions under (a) .iiim/le and (b) .Xlocale in home directories, which might allow local users to write to, or read from, the home directories of other users. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the Internet Protocol (IP) implementation in Sun Solaris 8, 9, and 10 allows remote attackers to bypass intended firewall policies or cause a denial of service (panic) via unknown vectors, possibly related to ICMP packets and IP fragment reassembly. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in ppdmgr in Sun Solaris 10 and OpenSolaris snv_61 through snv_106 allows local users to cause a denial of service via unspecified vectors, related to a failure to "include all cache files," and improper handling of temporary files. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple race conditions in the CPU Performance Counters (cpc) subsystem in the kernel in Sun Solaris 10 allow local users to cause a denial of service (panic) via unspecified vectors related to kcpc_unbind and kcpc_restore. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the USB Mouse STREAMS module (usbms) in Sun Solaris 9 and 10, when 64-bit mode is enabled, allows local users to cause a denial of service (panic) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The kernel in Sun Solaris 8 through 10 and OpenSolaris before snv_90 allows local users to bypass chroot, zones, and the Solaris Trusted Extensions multi-level security policy, and establish a covert communication channel, via unspecified vectors involving system calls. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the dynamic tracing framework (DTrace) in Sun Solaris 10 allows local users with PRIV_DTRACE_USER or PRIV_DTRACE_PROC privileges to obtain sensitive kernel information via unspecified vectors, a different vulnerability than CVE-2007-4126. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the pthread_mutex_reltimedlock_np API in Sun Solaris 10 and OpenSolaris before snv_90 allows local users to cause a denial of service (system hang or panic) via unknown vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Russ Allbery pam-krb5 before 3.13, as used by libpam-heimdal, su in Solaris 10, and other software, does not properly handle calls to pam_setcred when running setuid, which allows local users to overwrite and change the ownership of arbitrary files by setting the KRB5CCNAME environment variable, and then launching a setuid application that performs certain pam_setcred operations. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the dotoprocs function in Sun Solaris 10 allows local users to cause a denial of service (panic) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 X.Org Xserver before 1.4.1 allows local users to determine the existence of arbitrary files via a filename argument in the -sp option to the X program, which produces different error messages depending on whether the filename exists. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 inetd on Sun Solaris 10, when debug logging is enabled, allows local users to write to arbitrary files via a symlink attack on the /var/tmp/inetd.log temporary file. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Race condition in the STREAMS Administrative Driver (sad) in Sun Solaris 10 allows local users to cause a denial of service (panic) via unknown vectors. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple stack-based buffer overflows in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via a crafted SMB packet. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple unspecified vulnerabilities in Solaris print service for Sun Solaris 8, 9, and 10 allow remote attackers to cause a denial of service or execute arbitrary code via unknown vectors. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the SCTP protocol implementation in Sun Solaris 10 allows remote attackers to cause a denial of service (CPU consumption and network traffic amplification) via a crafted SCTP packet. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Buffer overflow in tar 1.14 through 1.15.90 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute code via unspecified vectors involving PAX extended headers. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 The xmlCurrentChar function in libxml2 before 2.6.31 allows context-dependent attackers to cause a denial of service (infinite loop) via XML containing invalid UTF-8 sequences. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in libdevinfo in Sun Solaris 10 allows local users to access files and gain privileges via unknown vectors, related to login device permissions. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the SCTP protocol implementation in Sun Solaris 10 allows remote attackers to cause a denial of service (panic) via a crafted SCTP packet. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in Sun Solaris 10 and OpenSolaris before snv_96 allows (1) context-dependent attackers to cause a denial of service (panic) via vectors involving creation of a crafted file and use of the sendfilev system call, as demonstrated by a file served by an Apache 2.2.x web server with EnableSendFile configured; and (2) local users to cause a denial of service (panic) via a call to the sendfile system call, as reachable through the sendfilev library. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the floating point context switch implementation in Sun Solaris 9 and 10 on x86 platforms might allow local users to cause a denial of service (application exit), corrupt data, or trigger incorrect calculations via unknown vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Sun Solaris 8, 9, and 10 allows "remote privileged" users to cause a denial of service (panic) via unknown vectors related to self encapsulated IP packets. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Integer overflow in libexif 0.6.16 and earlier allows context-dependent attackers to execute arbitrary code via an image with crafted EXIF tags, possibly involving the exif_data_load_data_thumbnail function in exif-data.c. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in crontab on Sun Solaris 8 through 10, and OpenSolaris before snv_93, allows local users to insert cron jobs into the crontab files of arbitrary users via unspecified vectors. Nicholas Hansen DRAFT INTERIM Dragos Prisaca ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM Matthew Wojcik ACCEPTED Pai Peng INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED ACCEPTED Sun Solaris 10 The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the ioctl interface in the Solaris Volume Manager (SVM) in Sun Solaris 9 and 10 allows local users to cause a denial of service (panic) via unspecified vectors, a different vulnerability than CVE-2004-1346. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Kerberos MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Sun Solaris 9 Sun Solaris 8 Access Manager Unspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the Internet Protocol (IP) functionality in Sun Solaris 10 allows local users to cause a denial of service (panic) via unspecified vectors, probably related to a UDP packet. Pai Peng DRAFT INTERIM ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple unspecified vulnerabilities in the kernel in Sun Solaris 8 through 10 allow local users to cause a denial of service (panic), related to the support for retrieval of kernel statistics, and possibly related to the sfmmu_mlspl_enter or sfmmu_mlist_enter functions. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 patchadd The patchadd facility for Solaris 10 fails to install T-patches. Sun sometimes releases a T-patch as a temporary version of a patch prior to the final release of that patch. While this flaw does not directly represent a vulnerability, it does prevent the timely application of some (possibly critical) updates. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Sun Solaris 10 ISC BIND 9 through 9.5.0a5 uses a weak random number generator during generation of DNS query ids when answering resolver questions or sending NOTIFY messages to slave name servers, which makes it easier for remote attackers to guess the next query id and perform DNS cache poisoning. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the kernel debugger (kmdb) in Sun Solaris 10, when running on x86, allows local users to cause a denial of service (system hang) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Race condition in the kernel in Sun Solaris 8 through 10 allows local users to cause a denial of service (panic) via unspecified vectors related to "the handling of thread contexts." Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060317, and Solaris 8 through 10 before 20061006, allows local users to overwrite arbitrary files, or read another user's Xsession errors file, via a symlink attack on a /tmp/xses-$USER file. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Argument injection vulnerability in the telnet daemon (in.telnetd) in Solaris 10 and 11 (SunOS 5.10 and 5.11) misinterprets certain client "-f" sequences as valid requests for the login program to skip authentication, which allows remote attackers to log into certain accounts, as demonstrated by the bin account. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 The tcp_fuse_rcv_drain function in the Sun Solaris 10 kernel before 20061017, when TCP Fusion is enabled, allows local users to cause a denial of service (system crash) via a TCP loopback connection with both endpoints on the same system. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the kernel processing in Solaris 10 64 bit platform, when running in 64-bit mode, allows local users to cause a denial of service (system panic) via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Shane Shaffer INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the strfreectty function in the Special File System (SPECFS) in Sun Solaris 8 through 10 allows local users to cause a denial of service (system panic), related to passing a NULL pointer to the pgsignal function. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Integer signedness error in FIFO filesystems (named pipes) on Sun Solaris 8 through 10 allows local users to read the contents of unspecified memory locations via a negative maximum length value to the I_PEEK ioctl. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Buffer overflow in the format command in Solaris 8, 9, and 10 allows local users with access to format (such as the "File System Management" RBAC profile) to execute arbitrary code via unknown vectors, a different vulnerability than CVE-2006-4307. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 The libsldap library in Sun Solaris 8, 9, and 10 allows local users to cause a denial of service (Name Service Caching Daemon (nscd) crash) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Directory traversal vulnerability in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via a .. (dot dot) sequence in the LANG environment variable that points to a locale file containing attacker-controlled format string specifiers. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Race condition in the TCP subsystem for Solaris 10 allows remote attackers to cause a denial of service (system panic) via unknown vectors. Gyesi Amaniampong DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in Sun Solaris 8, 9 and 10 allows remote attackers to cause a denial of service (panic) via crafted IPv6 packets, a different vulnerability than CVE-2006-5013. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in "Solaris Auditing" in the Basic Security Module (BSM) in Sun Solaris 10, when configured for auditing of networking (nt) events, allows local users to cause a denial of service (panic) via unspecified vectors. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in Sun Solaris 10 allows context-dependent attackers to cause a denial of service (panic) via unspecified vectors involving the event port API. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple unspecified vulnerabilities in tip in Sun Solaris 8, 9, and 10 allow local users to gain uucp account privileges via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in inetd in Sun Solaris 10 before 20070529 allows local users to cause a denial of service (daemon termination) via unspecified manipulations of the /var/run/.inetd.uds Unix domain socket file. Pai Peng DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the HID (Human Interface Device) class driver in Sun Solaris 8, 9, and 10 before 20070925 allows local users to cause a denial of service (panic) via unspecified vectors. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Buffer overflow in the dtsession Common Desktop Environment (CDE) Session Manager in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via unspecified vectors. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 pkgadd in Sun Solaris 10 before 20060825 installs files with insecure file and directory permissions (755 or 777) if the pkgmap file contains a "?" (question mark) in the mode field, which allows local users to modify arbitrary files or directories, a different vulnerability than CVE-2002-1871. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the vuidmice STREAMS modules in Sun Solaris 8, 9, and 10 allows local users with console (/dev/console) access to cause a denial of service ("unusable" system console) via unspecified vectors. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension in the X.Org X11 server (xserver) 7.1-1.1.0, and other versions before 20070403, allows remote authenticated users to execute arbitrary code via a large expression, which results in memory corruption. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the NFS client module in Sun Solaris 8 through 10 before 20070524, when operating as an NFS server, allows remote attackers to cause a denial of service (crash) via certain Access Control List (acl) packets. John Wregglesworth DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the Virtual File System (VFS) in Sun Solaris 10 allows local users to cause a denial of service (kernel memory consumption) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in NIS server on Sun Solaris 8, 9, and 10 allows local and remote attackers to cause a denial of service (ypserv hang) via unknown vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 srsexec in Sun Remote Services (SRS) Net Connect Software Proxy Core package in Sun Solaris 10 does not enforce file permissions when opening files, which allows local users to read the first line of arbitrary files via the -d and -v options. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Stack-based buffer overflow in ld.so.1 in Sun Solaris 8, 9, and 10 allows local users to execute arbitrary code via large precision padding values in a format string specifier in the format parameter of the doprf function. NOTE: this issue normally does not cross privilege boundaries, except in cases of external introduction of malicious message files, or if it is leveraged with other vulnerabilities such as CVE-2006-6494. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Sun Solaris 10 before patch 118855-16 (20060925), when run on x64 systems using IPv6, allows remote attackers to cause a denial of service (kernel panic) via crafted IPv6 packets. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple unspecified vulnerabilities in labeld in Trusted Extensions in Sun Solaris 10 allow local users to cause a denial of service (multiple application hang) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 xscreensaver in Sun Solaris 10 before 20070604, when a GNOME session with Assistive Technology support is running, allows attackers with physical access to take control of the session after entering an Alt-Tab sequence. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Integer overflow in the bdfReadCharacters function in bdfread.c in (1) X.Org libXfont before 20070403 and (2) freetype 2.3.2 and earlier allows remote authenticated users to execute arbitrary code via crafted BDF fonts, which result in a heap overflow. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Buffer overflow in the Strcmp function in the XKEYBOARD extension in X Window System X11R6.4 and earlier, as used in SCO UnixWare 7.1.3 and Sun Solaris 8 through 10, allows local users to gain privileges via a long _XKB_CHARSET environment variable value. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 rcp on Sun Solaris 8, 9, and 10 before 20070710 does not properly call certain helper applications, which allows local users to gain privileges by creating files with certain names, possibly containing shell metacharacters or spaces, a similar issue to CVE-2006-0225. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Race condition in the Xsession script, as used by X Display Manager (xdm) in NetBSD before 20060212, X.Org before 20060225, and Solaris 8 through 10 before 20061006, causes a user's Xsession errors file to have weak permissions before a chmod is performed, which allows local users to read Xsession errors files of other users. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. Nicholas Hansen DRAFT INTERIM ACCEPTED Nicholas Hansen INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 gzip Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED