Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

Several security vulnerabilities in the FreeType 2 type engine may allow a local unprivileged user to execute arbitrary commands with the privileges of an application using FreeType 2 as a font service. These vulnerabilities may also allow a remote unprivileged user either to crash applications using FreeType 2 as a font service (a Denial of Service (DoS)) or to execute arbitrary commands with the privileges of a local user.

More information about the FreeType 2 software font engine is available here:

http://savannah.nongnu.org/projects/freetype/

These issues are also referenced here:

CVE-2006-2661 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2661

CVE-2006-1861 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1861

CVE-2006-0747 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0747

CVE-2006-3467 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3467

Avoidance: Patch
State: Resolved
First released: 26-Jan-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

Two security vulnerabilities in Solaris ld.so.1(1) may allow a local unprivileged user to execute arbitrary code with elevated privileges.

Sun acknowledges, with thanks, iDefense (http://www.idefense.com) for bringing these issues to our attention.

More information regarding these issues is available from the following iDefense advisories:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=449

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=450

Avoidance: Patch
State: Resolved
First released: 12-Dec-2006

Product: Sun N1 Grid Engine 6, Sun Grid Engine 5.3

Security vulnerabilities in OpenSSL (openssl(5)) affect Sun Grid Engine (SGE) 5.3 and N1 Grid Engine 6.0, and may allow a local or remote unprivileged user to create a Denial of Service (DoS) condition if the installation is configured in CSP mode.

A detailed description of the OpenSSL security issues can be found at

http://www.openssl.org/news/secadv_20060928.txt

which corresponds to the following documents:

CVE-2006-2937 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937

CVE-2006-2940 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940

CVE-2006-3738 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738

CVE-2006-4343 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4343

Avoidance: Patch, Upgrade
State: Resolved
First released: 13-Oct-2006

Product: Solaris 10 Operating System

A security vulnerability in the Solaris 10 ICMP handling process may allow a remote unprivileged user to panic the system, resulting in a Denial of Service (DoS) condition.

Avoidance: Patch, Workaround
State: Resolved
First released: 30-Jan-2007

Product: Solaris 10 Operating System

A local or remote unprivileged user may be able to trigger a race condition in the kernel and panic a system with certain SNMP requests. A local unprivileged user may be able to trigger the same race condition and panic a local system using certain invocations of ifconfig(1M) or netstat(1M).

Avoidance: Patch
State: Resolved
First released: 11-Aug-2006

Product: Solaris 9 Operating System, Solaris 10 Operating System

A "use-after-free" security vulnerability in sendmail(1M) relating to the handling of long header lines may allow a local or remote unprivileged user to fill up a disk if sendmail(1M) is configured to write unique core files. The core files created by sendmail(1M) would be written to the disk partition configured with coreadm(1M). The ability to consume all available space of a disk partition (which may be the root "/" partition) is a type of denial of service (DoS).

Additional information regarding this issue is available at:

Avoidance: Patch
State: Resolved
First released: 10-Oct-2006

Product: Solaris 9 Operating System, Solaris 8 Operating System

A security vulnerability in Solaris 8 or 9 handling of some malformed RPC requests may allow a local or remote unprivileged user to kill the rpcbind(1M) server, causing a Denial of Service (DoS) condition.

Sun acknowledges, with thanks, the BlueLane Research Team for bringing this issue to our attention.

Avoidance: Patch
State: Resolved
First released: 09-Jan-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

The X Display Manager (xdm(1)) manages a collection of X displays which may be on the local host or remote servers. A race condition in the Xsession script executed by xdm(1) may lead to either of the following issues:

1. A local unprivileged user may be able to view the xdm(1) error log file, $HOME/.xsession-errors, of another user (BugID 6388471).

This issue is also described in Xorg bug 5897:

https://bugs.freedesktop.org/show_bug.cgi?id=5897

2. A local unprivileged user may be able to view the alternate xdm(1) error log file, ${TMP-/tmp}/xses-$USER, of another user. In addition, when this alternate log file is in use, a local unprivileged user may be able to erase the contents of arbitrary files which are writable by another user. This alternate log file is only used if the $HOME/.xsession-errors file could not be created (BugID 6423858).

This issue is also described in Xorg bug 5898:

https://bugs.freedesktop.org/show_bug.cgi?id=5898

Avoidance: Patch, Workaround
State: Resolved
First released: 06-Oct-2006

Product: Sun Ray Server Software 3.0, Sun Ray Server Software 2.0

Due to a security vulnerability in the Sun Ray Server Software, an unprivileged local user may be able to intercept the Sun Ray administrator's (utadmin) password when the administrator logs in to the Sun Ray Administration Tool.

In addition, a user who obtains read access to the Sun Ray private web server's logfile, or to a similar logfile on a proxy server, can extract the Sun Ray administrator's (utadmin) password. This would allow the user to gain unauthorized access to the Sun Ray Server Software with the privileges of the utadmin user.

Avoidance: Patch
State: Resolved
First released: 23-Jan-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

Security vulnerabilities in the tip(1) command may allow a local unprivileged user to execute arbitrary code with the privileges of user uucp (uid 5).

Avoidance: Patch
State: Resolved
First released: 23-Jan-2007

Product: Solaris 9 Operating System, Solaris 8 Operating System

A security vulnerability in the kcms_calibrate(1) command may allow local unprivileged users to execute arbitrary commands with root privileges.

Sun acknowledges, with thanks, Cees-Bart Breunesse of the University of Nijmegen for bringing this issue to our attention.

Avoidance: Patch, Workaround
State: Resolved
First released: 22-Jan-2007

Product: StarOffice 7 Office Suite, StarOffice 6.0 Office Suite, StarOffice 8 Office Suite

A security vulnerability with the way StarOffice/StarSuite 6, 7 and 8 process Windows Metafile (.wmf) files may allow a remote unprivileged user the ability to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite.

Sun would like to acknowledge, with thanks, John Heasman of NGS Software Ltd. for bringing this issue to our attention.

This issue is also described in the following document:

CVE CAN-2006-5870 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-5870

Avoidance: Patch
State: Resolved
First released: 09-Jan-2007

Product: Sun Java System Content Delivery Server 5.0

A security vulnerability in the Sun Java System Content Delivery Server may allow local or remote unprivileged users unauthorized access to content details.

Avoidance: Patch
State: Resolved
First released: 05-Jan-2007

Product: Sun Ray Server Software 3.0, Sun Ray Server Software 2.0

A security vulnerability in the Sun Ray Server 2.0 and 3.x Software (SRSS) utxconfig(1) utility may allow a local unprivileged user the ability to create or overwrite arbitrary files on the system.

Note: utxconfig(1) is the Sun Ray DTU X server configuration utility.

Avoidance: Patch, Workaround
State: Resolved
First released: 07-Aug-2006