An unprivileged local user within a Linux branded zone (see lx(5)) may be able to panic Solaris 10 x86 systems running in 64bit mode. Being able to panic a system is a type of Denial of Service (DoS).

Multiple security vulnerabilities in the Solaris Tag Image File Format library (libtiff(3)) may allow a local or remote unprivileged user to crash applications that dynamically link to the "libtiff" library and execute arbitrary code with the privileges of a local user. The ability to crash an application that links to the "libtiff" library is a type of Denial of Service (DoS). Solaris ships several applications as part of the GNOME Desktop Environment that dynamically link with the "libtiff" library.

These issues are described in the following documents:

CVE-2006-2024 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2024

CVE-2006-2025 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2025

CVE-2006-2026 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2026

Sun acknowledges with thanks, Tavis Ormandy from the Google Security Team for bringing these issues to our attention.

A security vulnerability with Fibre Channel Protocol driver (fcp(7D)) and Devices File System (devfs(7FS)) in Solaris 10 may allow a local unprivileged user to cause commands such as cfgadm(1M) or format(1M) to hang when run, or cause the system as a whole to hang. This is a type of denial of service (DoS) to the system.

Note: This issue may also occur accidentally and not as a result of a Denial of Service attempt.

Multiple security vulnerabilities exist in the Tag Image File format library (libtiff(3)) which may affect applications making use of this library. Depending on the individual application, these vulnerabilities may allow a local or remote unprivileged user to cause a Denial of Service (DoS) to the application, or to execute arbitrary code with the privileges of the application.

These issues are described in the following documents:

• CVE-2006-3459 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3459
• CVE-2006-3460 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3460
• CVE-2006-3461 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3461
• CVE-2006-3462 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3462
• CVE-2006-3463 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3463
• CVE-2006-2193 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2193
• CVE-2006-3464 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3464
• CVE-2006-3465 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3465

Sun acknowledges with thanks, Travis Ormandy from the Google Security Team for reporting these issues.

A race condition security vulnerability in the Solaris Remote Procedure Call (RPC) Module may allow a local unprivileged user to panic the system, resulting in a Denial of Service (DoS) condition.

A security vulnerability in the RSA signature verification implementation in the OpenSSL product may incorrectly verify data signed with a forged signature. This will affect applications which make use of OpenSSL to verify RSA signatures. The direct impact to these applications will depend on the way in which this signed data is used.

OpenSSL is shipped with Solaris 10 (see openssl(5)). This library is not shipped with Solaris 9, however, a number of Solaris 9 applications statically link against this library and may be affected by these vulnerabilities. This Sun Alert provides details about the individual patches which should be installed to update the OpenSSL product on Solaris 10 and all potentially impacted Solaris 9 applications.

This issue is also described in the following documents:

• CERT VU#845620 at: http://www.kb.cert.org/vuls/id/845620
• CVE-2006-4339 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

Note: The issue described in this Sun Alert is specific to the OpenSSL shipped with Solaris. Multiple Sun products are affected by this issue. For more details please see Sun Alert 102648.

Unprivileged local or remote users may be able to kill the SunForum process due to its improper handling of H.323 traffic. This is a type of Denial of Service (DoS).

This issue is described in NISCC Vulnerability Advisory 006489/H323 (see: http://www.uniras.gov.uk/vuls/2004/006489/h323.htm) which is referenced in CERT Advisory CA-2004-01 (see: http://www.cert.org/advisories/CA-2004-01.html).

Multiple vulnerabilities in the OpenSSL product impact the Solaris WAN boot software.

An RSA signature forgery vulnerability may allow an untrusted server or client to present a forged identity to the other party during remote software installation when SSL is in use with certain types of certificates. This would allow the security restrictions of that SSL configuration to be circumvented.

Additionally, security vulnerabilities in the ASN.1 parser implementation and public key handling in the OpenSSL library may allow a user who is running a client system that is able to connect to a WAN Boot installation server to cause a Denial Of Service (DoS) to that server. This could prevent the server from providing service to WAN Boot clients. Clients connecting to an untrusted server may also be impacted by this issue.

Note that the WAN Boot software uses a static version of the OpenSSL libraries, meaning that the Solaris 10 resolution for Sun Alert 102744, which corrects applications dynamically linking to the Solaris OpenSSL libraries, is not sufficient to resolve this issue for the WAN Boot software. This Sun Alert will describe the full impact and resolution for the WAN Boot software.

These issues are also described in the following documents:

CERT VU#845620 at http://www.kb.cert.org/vuls/id/845620

CVE-2006-4339 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339

http://www.openssl.org/news/secadv_20060928.txt

CVE-2006-2937 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937

CVE-2006-2940 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940

Note: This Sun Alert is specific to the Solaris WAN Boot software. Multiple Sun products are affected by the RSA signature forgery issue; for more details please see Sun Alert 102648 at

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1

Two security vulnerabilities in the OpenSSL product may lead to a Denial of Service (DoS) in applications which make use of this product. Depending on the individual application, these vulnerabilities may allow a local or remote unprivileged user to provide data to the application which will cause it to consume excessive amounts of CPU time or system memory.

OpenSSL is shipped with Solaris 10 (see openssl(5)). This library is not shipped with Solaris 9, however, a number of Solaris 9 applications statically link against this library and may be affected by these vulnerabilities. This Sun Alert provides details about the individual patches which should be installed to update the OpenSSL product on Solaris 10 and all potentially impacted Solaris 9 applications.

These issues are also referenced at the following URLs:

• http://www.openssl.org/news/secadv_20060928.txt
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2937
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2940

The WAN Boot application, which is shipped with Solaris 9 and Solaris 10, is impacted by these vulnerabilities. For more information, please see Sun Alert 102759.

A security vulnerability in the Solaris Volume Manager (SVM) ioctl(2) interface may allow a local unprivileged user the ability to cause a system panic, which is a type of Denial of Service (DoS).

A format string security vulnerability in the Sun Remote Services (SRS) Net Connect Software may allow an unprivileged local user to execute arbitrary code with root privileges.

Sun acknowledges with thanks, Sean Larsson of iDefense Labs (http://www.idefense.com) for bringing this issue to our attention.

This issue is also described in the following document:

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=610