Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

Local unprivileged users may be able to gain unauthorized root access due to a security vulnerability in the Solaris runtime linker (ld.so.1(1)).

Avoidance: Patch, Workaround
State: Resolved
First released: 28-Jun-2005

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

Security vulnerabilities in the gzip(1) command may result in one or both of the following issues:

1. An unprivileged local user may be able to change the permissions on another user's file if the targeted user is uncompressing a file in a directory which is writable by both users.

This issue is referenced in the following document:

2. An unprivileged local user may be able to create arbitrary files on the system if they can induce another user to decompress a specially crafted gzip-compressed file using either the "-N" or "--name" options to gzip(1) or gunzip (see gzip(1)). The new files would only be created in directories which the user running gzip(1) has permission to write to.

This issue is referenced in the following document:

 

Avoidance: Patch, Workaround
State: Resolved
First released: 20-Jul-2005

Product: Solaris 9 Operating System, Solaris 10 Operating System, Sun Java Enterprise System 2003Q4, Sun Java Enterprise System 2005Q1, Sun Java Enterprise System 2004Q2

A security vulnerability exists in the Netscape Network Security Services (NSS) tools "signtool" and "modutil". When either program attempts to "unzip" a maliciously constructed JAR, WAR, XPI or ZIP file, it is possible for code in that zip file to take over the running program and then perform tasks with the privilege of the user running the program.

This issue is described by the United States Computer Emergency Readiness Team at:

This issue is also described in CAN-2005-2096 at:

Avoidance: Patch
State: Resolved
First released: 14-Oct-2005

Product: Solaris 10 Operating System

A security vulnerability in Solaris 10 may allow a local unprivileged user to cause a system panic in the "/proc" (see proc(4)) filesystem, creating a Denial of Service (DoS).

Note: This issue applies to Solaris 10 systems with and without zones. Systems with one or more zones installed may experience this issue in both the global and non-global zone(s).

Avoidance: Patch
State: Resolved
First released: 14-Oct-2005

Product: Solaris 10 Operating System

Multiple security vulnerabilities in Solaris 10 SCTP Socket Option Processing (see sctp(7P)) may allow an unprivileged local user to panic the system, resulting in a Denial of Service (DoS).

Avoidance: Patch
State: Resolved
First released: 13-Oct-2005

Product: Solaris 10 Operating System

A security vulnerability in the Solaris 10 file system "privilege management" feature may allow a local unprivileged user to panic a system, resulting in a Denial of Service (DoS).

Avoidance: Patch
State: Resolved
First released: 12-Oct-2005

Product: Solaris 10 Operating System

A security issue with the Process File System (procfs) may allow a local unprivileged user to see the working directories of all other system and user processes. This may lead to users being able to see file names in directories that might otherwise be inaccessible.

Avoidance: Patch
State: Resolved
First released: 12-Oct-2005

Product: Sun Java System Application Server Standard Edition 7 2004Q2, Sun ONE Application Server 7, Standard Edition, Sun Java System Application Server Enterprise Edition 7 2004Q2, Sun ONE Application Server 7, Platform Edition

A security vulnerability in certain releases of the Sun Java System Application Server (listed below) may allow a remote unprivileged user to view the source code of Java Server pages.

Avoidance: Upgrade
State: Resolved
First released: 11-Oct-2005

Product: Sun Java Desktop System Release 2

The remount option (-r) of umount(8) may allow a local unprivileged user who has privileges to unmount a filesystem to gain additional privileges, such as removing the "nosuid" flag from a filesystem.

This issue is described in the following document:

Avoidance: Patch
State: Resolved
First released: 10-Oct-2005

Product: Solaris 9 Operating System, Solaris 10 Operating System, Sun Enterprise Authentication Mechanism, Solaris 7 Operating System, Solaris 8 Operating System

An unprivileged (either authenticated or unauthenticated) remote user may be able to execute arbitrary code with root privileges on Kerberos Key Distribution Center (KDC) systems and thus compromise an entire Kerberos realm due to a heap buffer overflow.

The unprivileged remote user may also be able to trigger an invalid free() and thus crash the KDC daemon (krb5kdc(1M)) on KDC systems, thereby creating a Denial of Service (DoS).

These issues are described in MIT krb5 Security Advisory 2005-002, at

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt

These issues are also described in

CERT Vulnerability VU#259798 at http://www.kb.cert.org/vuls/id/259798

CERT Vulnerability VU#885830 at http://www.kb.cert.org/vuls/id/885830

and:

CAN-2005-1174 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174

CAN-2005-1175 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175

Avoidance: Patch, Workaround
State: Resolved
First released: 12-Jul-2005

Product: Sun Java Desktop System Release 2

A security vulnerability in the XFree86(1) X server may allow a local unprivileged user to execute arbitrary code with the privileges of the XFree86(1) X server due to an integer overflow in the X Pixmap (Xpm) format image file creation routines.

This issue is described in the following document: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2495

Avoidance: Patch
State: Resolved
First released: 03-Oct-2005