Trusted Extensions binaries have been part of Solaris since the 3rd update release of Solaris 10. Over the weekend Trusted Extensions entered a new and very exciting era. Not only is it now part of the Solaris 10 binary product, but there were also two significant changes.

  • First the packages are no longer extra and are always installed. Turning on Trusted Extensions is now just a matter of starting the labeling service: 'svcadm enable labeld'. This architecture change is discussed in PSARC/2006/254.
  • Secondly, the source code to what was previously called the "TLC" gate migrated into the ON gate. Most of this is in usr/src, i.e. it is open and under the CDDL license. However, one part ended up in usr/closed, and that is labeld. The information on how to call labeld is open, so in theory other distros could create their own replacement daemon.
This is just the first part; the corresponding changes still need to happen for the TX supplementary code in the other consolidations, including JDS.

- Darren


A few months ago, blogs.sun.com/security started off in a new direction. The goal was to provide a large and highly visible stage for anyone within Sun who wanted to share their thoughts about security. Per the announcement:

If you are a member of the Sun security community, and if you have something to say, where do you go to talk about the whole panoply of security? To where should you direct your voice? The answer, now, is here, blogs.sun.com/security.

The goal of this effort was simple. It enabled Sun's security community to:

provide a point of consolidation, where people can find postings and feeds pertinent to their preferred topics - Security Alerts, Tips, New Products, Announcements of "Pertinent Stuff" internal and external to Sun - where you can find personally written content with a high signal-to-noise ratio, and where you can have conversations through comments, cross-linking, providing the immediacy which is a cornerstone of the modern web.

A lot of great content has been shared in this forum and across blogs.sun.com since that posting. In addition, the announcement said that:

Over the coming weeks there will be evolution and change, and you'll be hearing from real Sun people with real interest in security.

Well, it was more than just a few weeks, but it is certainly in this spirit that I am happy to announce the newly updated security landing page at www.sun.com/security. This page has been revamped by real Sun people with real interest in security and this is just the beginning. We will be bringing you fresh news and content on a regular basis, will be working to update the rest of the security pages in the very near future, and will be working towards even closer integration with blogs.sun.com/security.

For Sun employees, if you want your security postings to be visible on www.sun.com/security, you need only to tag your blog posting with the keyword security.

Check it out and let us know what you think!


Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

Multiple security vulnerabilities exist in the X11 FreeType library and  X11 display servers Xsun(1) and Xorg(1).

The XC-MISC extension is used by the X11 display servers to manage resource IDs. A local or remote unprivileged user who is able to display data on a running X11 server instance may be able to elevate their privileges to root and execute arbitrary code, or cause a Denial of Service (DoS) to that X11 server instance, as a result of memory corruption in ProcXCMiscGetXIDList.

This issue is described in the following documents:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=503

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1003

http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html

The X11 display servers contain a flaw that may allow a local or remote unprivileged user who is able to display data on a running X11 server instance to elevate their privileges to root and execute arbitrary code, or cause a Denial of Service (DoS) to that X11 server instance, when a BDF font file specifies that there are more than 2^30 characters defined in the font file.

This issue is described in the following documents:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=501

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1351

http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html

The X11 FreeType library and X11 display servers contain a flaw that may allow a local or remote unprivileged user who is able to display data on a running X11 server instance to elevate their privileges to root and execute arbitrary code, or cause a Denial of Service (DoS) to that X11 server instance, by causing the server to load a long path name from the fonts.dir file for a font.

This issue is described in the following documents:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=502

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1352

http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html

Avoidance: Patch
State: Resolved
First released: 25-Apr-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

A security vulnerability in the Low Bandwidth X proxy (lbxproxy(1)) may allow a local unprivileged user to read some data from any file on the system that has group ownership of root.

lbxproxy(1) is used to make connections to the X11 display server (Xserver or Xorg) faster over a low-bandwidth connection.

Sun acknowledges with thanks Charles Morris of Old Dominion University for discovering and reporting this issue.

Avoidance: Patch, Workaround
State: Resolved
First released: 25-Jul-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

A buffer overflow vulnerability in libX11 may allow a local unprivileged user to be able to execute arbitrary code or commands with elevated privileges. The code or commands executed would run with the privileges of the application dynamically linked to the libX11 library. A number of programs shipped in Solaris and by third parties dynamically link with the libX11 library and run with elevated privileges. Applications that call XInitImage() with user-controllable parameters may be vulnerable, such as xwud(1) and ImageMagick, when loading X Window Dump (xwd) files with incorrect parameters.

This issue is described in the following documents:

CVE-2007-1667 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1667

http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html
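The advisory above comes down to one input-validation point: the geometry fields in an X Window Dump header are attacker-controlled, and sizing a pixel buffer from them with plain 32-bit multiplication can wrap to a small number before a library call such as XInitImage() ever sees them. The following is an added example, not code from libX11, xwud or ImageMagick: it parses a hypothetical five-field header subset (a constructed layout, not the real XWDFileHeader) from big-endian bytes, shows the naive size calculation beside a hardened validate_geometry() that checks every field and computes the size in 64-bit arithmetic, and runs both over constructed sample headers. MAX_IMAGE_BYTES and the sample headers are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: a hypothetical subset of the header fields an
 * application reads from an untrusted X Window Dump before calling
 * XInitImage(). It is not libX11's XWDFileHeader; the field order is arbitrary. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bits_per_pixel;
    uint32_t bytes_per_line;
    uint32_t bitmap_pad;      /* scanline padding in bits: 8, 16 or 32 */
} image_geometry;

/* Largest image this hypothetical application is willing to decode (assumption). */
#define MAX_IMAGE_BYTES ((size_t)256 << 20)

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode five big-endian 32-bit fields (XWD files are big-endian on disk).
 * Returns 1 on success, 0 if the buffer is too short to hold the header. */
int parse_geometry(const uint8_t *buf, size_t len, image_geometry *g)
{
    if (len < 20) return 0;
    g->width          = be32(buf);
    g->height         = be32(buf + 4);
    g->bits_per_pixel = be32(buf + 8);
    g->bytes_per_line = be32(buf + 12);
    g->bitmap_pad     = be32(buf + 16);
    return 1;
}

/* The pattern the advisory warns about: trusting the header and sizing the
 * buffer with 32-bit arithmetic, which silently wraps for large dimensions. */
uint32_t naive_image_size(const image_geometry *g)
{
    return g->bytes_per_line * g->height;
}

/* Hardened replacement: validate every field and compute the size in 64-bit
 * arithmetic. Returns 1 and stores the byte count in *out when the geometry
 * is self-consistent and within MAX_IMAGE_BYTES; returns 0 (reject) otherwise. */
int validate_geometry(const image_geometry *g, size_t *out)
{
    if (g->width == 0 || g->height == 0) return 0;
    switch (g->bits_per_pixel) {
    case 1: case 4: case 8: case 16: case 24: case 32: break;
    default: return 0;
    }
    if (g->bitmap_pad != 8 && g->bitmap_pad != 16 && g->bitmap_pad != 32) return 0;

    /* Minimum scanline length implied by width, depth and padding. */
    uint64_t row_bits = (uint64_t)g->width * g->bits_per_pixel;
    uint64_t pad_bits = g->bitmap_pad;
    uint64_t min_bytes_per_line = ((row_bits + pad_bits - 1) / pad_bits) * (pad_bits / 8);

    /* A bytes_per_line shorter than the row needs means pixel access runs
     * past the end of whatever buffer was allocated from the header. */
    if (g->bytes_per_line < min_bytes_per_line) return 0;

    uint64_t total = (uint64_t)g->bytes_per_line * g->height;
    if (total > MAX_IMAGE_BYTES) return 0;   /* also catches anything that would wrap */
    *out = (size_t)total;
    return 1;
}

/* Constructed sample headers, big-endian, five fields each. */
static const uint8_t good_hdr[20]  = { 0,0,0,64,  0,0,0,64, 0,0,0,8, 0,0,0,64, 0,0,0,8 }; /* 64x64, 8 bpp */
static const uint8_t wrap_hdr[20]  = { 0,1,0,0,   0,1,0,0,  0,0,0,8, 0,1,0,0,  0,0,0,8 }; /* 65536x65536: product wraps to 0 */
static const uint8_t short_hdr[20] = { 0,0,0,100, 0,0,0,10, 0,0,0,8, 0,0,0,10, 0,0,0,8 }; /* 100 px wide, 10 bytes/line */

int main(void)
{
    const uint8_t *hdrs[] = { good_hdr, wrap_hdr, short_hdr };
    const char *names[] = { "good", "wrap", "short" };
    for (int i = 0; i < 3; i++) {
        image_geometry g;
        size_t n = 0;
        parse_geometry(hdrs[i], 20, &g);
        printf("%-5s naive=%u checked=%s", names[i], naive_image_size(&g),
               validate_geometry(&g, &n) ? "accept" : "reject");
        if (n) printf(" (%zu bytes)", n);
        printf("\n");
    }
    return 0;
}
```

The "wrap" header is the interesting one: the naive computation yields 0, so an application allocating from it would get a tiny buffer and then copy 65536 rows into it, while the hardened path rejects the header outright. The "short" header shows the other failure mode, a bytes_per_line that is smaller than the row width implies, which is rejected before any size is computed at all.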

Avoidance: Patch, Workaround
State: Resolved
First released: 24-Apr-2007

Product: Java 2 Platform, Standard Edition

A security vulnerability in the Java Runtime Environment Applet Class Loader may allow an untrusted applet that is loaded from a remote system to circumvent network access restrictions and establish socket connections to certain services running on the local host, as if it were loaded from the system that the applet is running on. This may allow the untrusted remote applet the ability to exploit any security vulnerabilities existing in the services it has connected to.

Sun acknowledges with thanks John Heasman of NGSSoftware for bringing this issue to our attention.

Avoidance: Patch, Upgrade
State: Resolved
First released: 18-Jul-2007

Product: Java 2 Platform, Standard Edition

A buffer overflow vulnerability in processing GIF images in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications with the privileges of the user running the untrusted applet.

Sun acknowledges with thanks an anonymous researcher working with the Zero Day Initiative (http://www.zerodayinitiative.com/) and TippingPoint (http://www.tippingpoint.com) for bringing this issue to our attention.

More information regarding this issue is available at:

Avoidance: Patch, Upgrade
State: Resolved
First released: 16-Jan-2007

Product: Sun Java Enterprise System 5, Solaris 9 Operating System, Solaris 10 Operating System, Sun Java Enterprise System 2003Q4, Sun Java Enterprise System 2005Q1, Sun Java Enterprise System 2005Q4, Sun Java Enterprise System 2004Q2

Security vulnerabilities in the Network Security Services (NSS) implementation of SSL2 may affect both SSL clients (such as browsers) and SSL servers that use this library. As a result, the client or server may exit unexpectedly, which is a type of Denial of Service (DoS). On servers running on Microsoft Windows, these vulnerabilities may also allow remote code execution.

These vulnerabilities are in NSS's implementation of SSL2, not in the SSL2 protocol itself.

Note: NSS is a set of libraries that implement SSL2, SSL 3.0 and TLS (SSL 3.1). NSS is widely used. It is used in the Mozilla family of browsers offered by Sun to Solaris users. It is also used in the "Java Enterprise Server" (JES) family of server products, including Web server, Directory Server, Messaging Server, Application Server, Portal Server, and others. It is used for the built-in LDAPS client in Solaris 9 and 10 which may be used as part of the Solaris login program.

This issue is also described in the following documents:

Avoidance: Patch, Workaround
State: Resolved
First released: 29-Mar-2007

Product: Sun Java System Access Manager 2004Q2, Sun Java System Access Manager 6 2005Q1, Sun Java System Identity Server 6.1

When the debug level within Sun Java System Access Manager (formerly Sun Java System Identity Server) is set to "message," login passwords may be logged in plain text and are therefore readable by local unprivileged users. This would allow that user to gain unauthorized access to user identities which are managed by Sun Java System Access Manager.

Avoidance: Patch, Workaround
State: Workaround
First released: 10-Jul-2007

Product: Java 2 Platform, Standard Edition

The Java XML Digital Signature implementation that is included in the JDK and JRE 6 release does not securely process XSLT stylesheets contained in XSLT Transforms in XML Signatures. This could lead to the execution of arbitrary code with the permissions of the application processing XML signatures that include these XSLT stylesheets.

Sun acknowledges with thanks Brad Hill of iSEC Partners for bringing this issue to our attention.

Avoidance: Patch, Upgrade
State: Resolved
First released: 10-Jul-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

A security vulnerability in the way the rcp(1) command invokes helper applications may allow a local unprivileged user (or a remote user, in the case of shared filesystems) to create files with specially crafted file names. When a local user runs rcp(1) on those file names, arbitrary commands may be executed with that local user's privileges.

Note: The scp(1) utility is also affected by this issue which is described in the following documents:

CVE-2006-0225 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225

Sun Alert 102961 at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1

Avoidance: Patch, Workaround
State: Resolved
First released: 10-Jul-2007

Product: Java 2 Platform, Standard Edition

A buffer overflow vulnerability in the Java Web Start URL parsing code may allow an untrusted application to elevate its privileges. For example, an application may grant itself permissions to read and write local files or execute local applications with the privileges of the user running the Java Web Start application.

Sun acknowledges with thanks Brett Moore of Security-Assessment.com for discovering and reporting this issue.

Sun also acknowledges eEye Digital Security for bringing this issue to our attention.

Avoidance: Patch, Upgrade
State: Resolved
First released: 10-Jul-2007

Product: Java 2 Platform, Standard Edition

The Java Secure Socket Extension (JSSE) that is included in various releases of the Java Runtime Environment does not correctly process SSL/TLS handshake requests. This vulnerability may be exploited to create a Denial of Service (DoS) condition to the system as a whole on a server that listens for SSL/TLS connections using JSSE for SSL/TLS support.

Sun acknowledges with thanks Cisco Systems for bringing this issue to our attention.

Avoidance: Patch, Upgrade
State: Resolved
First released: 10-Jul-2007

Product: Java 2 Platform, Standard Edition

A defect in the Javadoc tool in various releases of the JDK may lead to the generation of HTML documentation pages which contain a potential cross-site scripting (XSS) vulnerability. This may allow a remote user to gain access to cookies from the website that hosts the generated documentation.

Sun acknowledges with thanks Martin Straka for bringing this issue to our attention.

Avoidance: Upgrade
State: Resolved
First released: 28-Jun-2007

Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 Operating System

A security vulnerability in the implementation of the RPCSEC_GSS API, which affects applications using this API (rpcsec_gss(3NSL)) such as the kadmind(1M) daemon, may allow execution of arbitrary commands. In the case of Kerberos Key Distribution Centers (KDCs), which run kadmind(1M), an unprivileged and unauthenticated remote user may be able to execute arbitrary commands on the system with the privileges of the kadmind(1M) daemon (usually 'root').

In addition, on KDC systems this issue may allow the remote user to compromise the Kerberos key database or cause the affected program to crash, which is a form of Denial of Service (DoS).

This issue is referenced in the following documents:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-004.txt

CVE-2007-2442 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2442

Avoidance: Patch
State: Resolved
First released: 26-Jun-2007