Product: Solaris 9 Operating System, Solaris 10 Operating System

A security vulnerability which affects the sshd(1M) daemon when configured to use protocol version 1 may allow a remote user to cause the daemon to consume an excessive amount of CPU power. This will affect the performance and responsiveness of the system as a whole, resulting in a denial of service (DoS) to the system.

This issue is also referenced in the following document:

CVE-2006-4924 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4924

Avoidance: Patch, Workaround
State: Resolved
First released: 08-Jun-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

A remote unprivileged user may be able to crash an application which dynamically links to the Portable Network Graphics library (libpng(3)) due to a security vulnerability in libpng(3). The ability to crash an application is a type of Denial of Service (DoS). A number of applications which comprise the GNOME desktop environment dynamically link with libpng(3).

This issue is described in the following documents:

Avoidance: Workaround
State: Workaround
First released: 28-Jun-2007

Product: Java 2 Platform, Standard Edition

A vulnerability in Java Web Start may allow an untrusted application to grant itself permissions to overwrite any file that is writable by the user running the application. This would include the user's .java.policy file, which would allow the application to invoke applets or Java Web Start applications that can execute arbitrary code with the permissions of the user running the untrusted application.

Sun acknowledges, with thanks, John Heasman of NGSSoftware Limited, for bringing this issue to our attention.

Avoidance: Upgrade
State: Resolved
First released: 28-Jun-2007

Jan Pechanec gives us a nice worked example on setting up the above, here. Yet another good feature in Solaris 10 11/06 :-).


Product: Solaris 10 Operating System

An unprivileged local user may be able to exhaust all available kernel memory and cause the system to hang due to a security vulnerability in the TCP Loopback/Fusion implementation in Solaris 10. The ability to hang a system is a type of Denial of Service (DoS).

Avoidance: Patch, Workaround
State: Resolved
First released: 27-Jun-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

An unprivileged local user may be able to execute arbitrary code or commands with the privileges of the dtsession(1X) Common Desktop Environment (CDE) Session Manager. The dtsession(1X) CDE Session Manager runs with root privileges.

Avoidance: Patch, Workaround
State: Resolved
First released: 27-Jun-2007

Product: Solaris 10 Operating System

Due to security vulnerabilities related to the handling of memory buffers containing Secure Socket Layer (SSL) records, an unprivileged local or remote user may be able to panic a Solaris 10 system that has been configured to act as an SSL proxy. This would result in a Denial of Service (DoS) to the system.

Avoidance: Patch
State: Resolved
First released: 27-Jun-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System

Due to a security vulnerability in the way the scp(1) command executes helper applications, certain additional unintended commands may be executed at the same time. This may allow a local unprivileged user (or a remote user in the case of shared filesystems) who is able to create files on the system, to execute arbitrary commands with the privileges of a local user, if those files are acted upon by the local user using the scp(1) command.

This issue is also referenced in the following document:

CVE-2006-0225 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225

Avoidance: Patch, Workaround
State: Resolved
First released: 08-Jun-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

A security vulnerability in the Solaris libsldap library may allow a local unprivileged user to disable the Name Service Caching Daemon (see nscd(1M)) causing name service lookups to be slower (as caching will not occur), therefore causing a Denial of Service (DoS) condition.

Avoidance: Patch
State: Resolved
First released: 26-Jun-2007

Product: Solaris 10 Operating System

GnuTLS library versions prior to 1.4.4 are impacted by an RSA signature forgery vulnerability. This vulnerability, which affects applications that use the GnuTLS library to verify PKCS#1 signatures, allows a malicious user to make an altered PKCS#1 v1.5 signature appear to be correct, thus forging the signature.

This issue is described in the following documents:

The issue described in this Sun Alert is specific to the GnuTLS library. Multiple Sun products are affected by this issue. For more details please see Sun Alert 102648 at:

Note: Evolution uses the GnuTLS library and is impacted by this issue.

Avoidance: Patch
State: Resolved
First released: 21-Jun-2007

Product: Solaris 10 Operating System

A security vulnerability in Solaris 10 BIND DNSSEC may allow a local or remote unprivileged user to cause the "named" BIND server process to exit (see also named(1M)). A Denial of Service (DoS) occurs as clients are unable to resolve addresses from or make dynamic updates to the server.

This issue is also referenced in the following document:

CVE-2007-0494 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0494

Avoidance: Patch
State: Resolved
First released: 18-Jun-2007

Product: StarOffice 7 Office Suite, StarOffice 6.0 Office Suite, StarOffice 8 Office Suite

Opening manipulated documents which trigger an overflow in the freetype library may allow arbitrary command execution on the system with the privileges of the user running StarOffice/StarSuite.

This issue is referenced in the following document:

CVE-2007-2754 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2754

Avoidance: Patch
State: Resolved
First released: 15-Jun-2007

Product: StarOffice 7 Office Suite, StarOffice 6.0 Office Suite, StarOffice 8 Office Suite

A security vulnerability in the way StarOffice/StarSuite 6, 7 and 8 process Rich Text Format (RTF) documents may allow a remote unprivileged user who provides a StarOffice/StarSuite RTF document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite.

Sun acknowledges, with thanks, John Heasman from NGS Software Ltd (www.ngssoftware.com) for bringing this issue to our attention.

This issue is referenced in the following document:

CVE-2007-0245 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0245

Avoidance: Patch
State: Resolved
First released: 15-Jun-2007

Product: Solaris 10 Operating System

An unprivileged local or remote user may be able to panic a Solaris 10 system which is configured to use IPv6 (ip6(7P)) but is not configured to use the IPsec stack (ipsec(7P)), therefore causing a Denial of Service to the system as a whole.

Avoidance: Patch, Workaround
State: Resolved
First released: 14-Jun-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System

A divide by zero security vulnerability exists in the X11 Render Extension to the X11 display server Xorg(1). By using specially crafted values for compositing or adding trapezoids, a local or remote unprivileged user who is able to display data on a running X11 server instance may cause a divide by zero error within the X11 Render Extension. This would cause the X11 display server Xorg(1) to crash, resulting in a denial of service (DoS) to the Xorg(1) server.

This issue is described in the following document:

Avoidance: Patch, Workaround
State: Workaround
First released: 03-May-2007