Product: Solaris 9 Operating System, Solaris 7 Operating System, Solaris 8 Operating System

A local unprivileged user may be able to overwrite any file on the system due to a security vulnerability with the lpadmin(1M) utility.

Avoidance: Patch
State: Resolved
First released: 15-Jun-2005

Product: Java 2 Platform, Standard Edition 5.0 Software

A vulnerability in Java Web Start may allow an untrusted application to elevate its privileges. For example, an application may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the Java Web Start application.

Avoidance: Upgrade, Workaround
State: Resolved
First released: 13-Jun-2005

Product: Solaris 9 Operating System, Solaris 10 Operating System

Security vulnerabilities in Samba may result in one or both of the following issues:

1. A buffer overflow may allow a remote unprivileged user to execute arbitrary code with the privileges of Super User (typically root) on a Solaris 9 or Solaris 10 system running as a Samba server.

This issue is referenced in the following document:

2. A security vulnerability may allow a remote unprivileged user to bypass the specified share restrictions and read, write, or list arbitrary files via "/.////" style sequences in pathnames.

This issue is referenced in the following document:

Avoidance: Patch, Workaround
State: Resolved
First released: 25-Oct-2004

Product: Java 2 Platform, Standard Edition 5.0 Software

A vulnerability in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Sun acknowledges, with thanks, Adam Gowdiak, for bringing this issue to our attention.

Avoidance: Upgrade
State: Resolved
First released: 13-Jun-2005

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 7 Operating System, Solaris 8 Operating System

There is a buffer overflow in the unprivileged telnet(1) utility. This is not a security vulnerability on its own. However, telnet(1) communicates with another host using the TELNET protocol and thus there is a small risk of a remote user successfully exploiting the overflow.

If a remote unprivileged user is able to cause a user to execute the telnet(1) utility on their client system, then that remote user may be able to execute arbitrary commands on the client system with the privileges of the user who executed telnet(1). The remote user may also be able to read the values of arbitrary shell environment variables of the user who executed telnet(1).

Sun acknowledges, with thanks, iDEFENSE (http://www.idefense.com) for bringing these issues to our attention. These issues are also referenced in the following iDEFENSE documents:

IDEF0865 - Multiple Vendor Telnet Client Information Disclosure Vulnerability at http://www.idefense.com/application/poi/display?id=260

IDEF0866 - Multiple Telnet Client slc_add_reply() Buffer Overflow at http://www.idefense.com/application/poi/display?id=220

IDEF0867 - Multiple Telnet Client env_opt_add() Buffer Overflow at http://www.idefense.com/application/poi/display?id=221

These issues are also described in the following CAN documents:

CAN-2005-0468 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

CAN-2005-0469 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

CAN-2005-0488 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0488

These issues are also described in the following CERT Vulnerability Notes:

VU#291924 at http://www.kb.cert.org/vuls/id/291924

VU#341908 at http://www.kb.cert.org/vuls/id/341908

VU#800829 at http://www.kb.cert.org/vuls/id/800829

Avoidance: Patch, Workaround
State: Resolved
First released: 28-Mar-2005

Product: Sun Enterprise Authentication Mechanism Software

There is a buffer overflow in the unprivileged kerberized telnet(1) utility of Sun Enterprise Authentication Mechanism (SEAM) Software for Solaris. This is not a security vulnerability on its own. However, kerberized telnet(1) communicates with another host using the TELNET protocol and thus there is a small risk of a remote user successfully exploiting the overflow.

If a remote unprivileged user is able to cause a user to execute the kerberized telnet(1) utility on their client system, then that remote user may be able to execute arbitrary commands on the client system with the privileges of the user who executed kerberized telnet(1). The remote user may also be able to read the values of arbitrary shell environment variables of the user who executed telnet(1).

Sun acknowledges, with thanks, iDEFENSE (http://www.idefense.com) for bringing these issues to our attention. These issues are also referenced in the following iDEFENSE documents:

IDEF0865 - Multiple Vendor Telnet Client Information Disclosure Vulnerability at http://www.idefense.com/application/poi/display?id=260

IDEF0866 - Multiple Telnet Client slc_add_reply() Buffer Overflow at http://www.idefense.com/application/poi/display?id=220

IDEF0867 - Multiple Telnet Client env_opt_add() Buffer Overflow at http://www.idefense.com/application/poi/display?id=221

These issues are also described in the following CAN documents:

CAN-2005-0468 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0468

CAN-2005-0469 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0469

CAN-2005-0488 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0488

These issues are also described in the following CERT Vulnerability Notes:

VU#291924 at http://www.kb.cert.org/vuls/id/291924

VU#341908 at http://www.kb.cert.org/vuls/id/341908

VU#800829 at http://www.kb.cert.org/vuls/id/800829

Avoidance: Patch, Workaround
State: Resolved
First released: 07-Apr-2005

Product: Sun ONE Application Server 6.5, Enterprise Edition Service Pack 1 Maintenance Update 7

A security vulnerability in the Sun ONE Application Server may disclose files on the system.

Avoidance: Upgrade
State: Resolved
First released: 06-Jun-2005

Product: Solaris 10 Operating System

A local unprivileged user may be able to gain additional privileges due to a security issue in the C library (libc(3LIB)) and libproject(3LIB).

Avoidance: Patch
State: Resolved
First released: 03-Jun-2005