A security vulnerability in the Special File System (SPECFS) strfreectty() function may allow an unprivileged local user to panic the system, creating a Denial of Service (DoS).

Security vulnerabilities in certain ioctl(2) functions in the ata(7D) disk driver may allow a local unprivileged user to panic the system, causing a Denial of Service (DoS) condition.

The JavaScript Engine in the Mozilla 1.7 application (see mozilla(1)) contains a vulnerability which may allow a remote user who is able to create a web page which is visited by a local user using the Mozilla browser, or who sends a specially crafted email that is read by a local user using Mozilla, to either cause the Mozilla application to crash or execute arbitrary code with the privileges of the user running Mozilla. The ability of a remote user to cause the Mozilla application to crash is a type of Denial of Service (DoS).

This issue is described in the following documents:

• Mozilla Foundation Security Advisory 2006-68 at: http://www.mozilla.org/security/announce/2006/mfsa2006-68.html
• CVE-2006-6498 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6498
• CERT VU#447772 at: http://www.kb.cert.org/vuls/id/447772
• CERT Technical Cyber Security Alert TA06-354A at: http://www.us-cert.gov/cas/techalerts/TA06-354A.html

Note: There are a total of 10 bugzilla bugs listed for CVE 2006-6498. Out of these bugs, only one bug (https://bugzilla.mozilla.org/show_bug.cgi?id=361346) is applicable to Sun Mozilla 1.7. The other 9 bugs are not applicable.

A number of memory corruption vulnerabilities have been found in the Mozilla application which may allow a remote user who is able to create a web page which is visited by a local user using the Mozilla browser, or who sends a specially crafted email that is read by a local user using Mozilla, to either cause the Mozilla application to crash or execute arbitrary code via Javascript with the privileges of the user running Mozilla. The ability of a remote user to cause the Mozilla application to crash is a type of Denial of Service (DoS).

The following Mozilla advisory describes nine separate memory corruption issues:

• http://www.mozilla.org/security/announce/mfsa2006-55.html

This Sun Alert corresponds to the following five issues described in the Mozilla advisory above:

FireMenuItemActiveEvent called at unsafe times (Boris Zbarsky):

• https://bugzilla.mozilla.org/show_bug.cgi?id=336162

Potential string class buffer overruns in out-of-memory case (Darin Fisher, Daniel Veditz):

• https://bugzilla.mozilla.org/show_bug.cgi?id=284219

Crashes involving table row and column groups (Jesse Ruderman, Martijn Wargers):

• https://bugzilla.mozilla.org/show_bug.cgi?id=331679
• https://bugzilla.mozilla.org/show_bug.cgi?id=329900

crypto.generateCRMFRequest callback can run on deleted context (shutdown):

• https://bugzilla.mozilla.org/show_bug.cgi?id=337462

Note: Mozilla 1.7 is not affected by the below vulnerabilities mentioned in the advisory:

Crashes referencing removed nodes (Jesse Ruderman, Martijn Wargers):

• https://bugzilla.mozilla.org/show_bug.cgi?id=338391
• https://bugzilla.mozilla.org/show_bug.cgi?id=340733

Additional references:

• http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811
• http://www.kb.cert.org/vuls/id/527676
• http://www.us-cert.gov/cas/techalerts/TA06-208A.html

Two security vulnerabilities in the Solaris 8 Role Based Access Control (RBAC) mechanism on hosts on which RBAC roles (see rbac(5)) have been created may allow a remote user who knows the passwords for certain roles to gain unauthorized access to the system via the role accounts. If the root user has been assigned a role, a remote user who knows the password for that role may gain unauthorized root privileges on the system.

A vulnerability in the font parsing code in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Sun acknowledges, with thanks, John Heasman of NGSSoftware, for bringing this issue to our attention.

A security vulnerability in the Kerberos administration daemon (kadmind(1M)) may allow a remote authenticated user to be able to execute arbitrary commands on Kerberos Key Distribution Center(KDC) systems with the privilegs of the kadmind(1M) daemon (usually root). This issue may also allow the remote user to compromise the Kerberos key database or cause the kadmind(1M) daemon to crash, which is a form of Denial of Service (DoS).

This issue is referenced in the following documents:

• http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
• CVE-2007-2798 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798

A security vulnerability in the kadm5 library shipped with Solaris may allow a remote authenticated user to command a host running kadmind(1M) and execute arbitrary code with the privileges of the kadmind process (usually 'root'). This issue affects systems configured as Kerberos Key Distribution Centers(KDC).

In addition, this issue may allow the remote user to compromise the Kerberos key database or cause the affected program to crash, causing a Denial of Service(DOS).

This issue is also described in the following documents:

CVE-2007-0957 at

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0957

MIT krb5 Security Advisory 2007-002 at

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002-syslog.txt

Multiple security vulnerabilities in the Solaris Gnome PDF Document Viewer (gpdf(1)) may allow a local or remote unprivileged user to cause the PDF Document Viewer application to crash or hang (potentially consuming excessive amounts of disk space, which may affect system performance), or may allow that user to execute arbitrary code with the privileges of the user opening a specially crafted PDF document with gpdf(1). The ability to crash or hang the gpdf(1) application or to cause it to consume excess disk space, are all types of Denial of Service (DoS).

These issues are also referenced in the following documents:

• CVE-2005-3191 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3191
• CVE-2005-3192 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3192
• CVE-2005-3193 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3193
• CVE-2005-3624 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3624
• CVE-2005-3625 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3625
• CVE-2005-3626 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3626
• CVE-2005-3627 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3627
• CVE-2005-2097 at: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2097

Sun Java System Portal Server Software 7.0 may not securely process XSLT style sheets contained in XSLT Transforms in XML Signatures. This may allow malicious XLST style sheets to be executed. For example, an arbitrary Java method could be executed due to this vulnerability.

Sun acknowledges, with thanks, Brad Hill of iSEC Partners, for bringing this issue to our attention.

A vulnerability in Sun Java System Web Server may allow improper HTTP header injection, HTTP response splitting attacks and unauthorized access to resources.

A security vulnerability in the DTrace (see dtrace(1M)) dynamic tracing framework may allow a local user who has privileges to run certain DTrace programs to cause the system to panic or become unresponsive. This is a type of Denial of Service (DoS). The minimum privilege required is the PRIV_DTRACE_USER privilege (see privileges(5)).