SUN : Security Vulnerabilities, CVEs, CVSS score between 4 and 4.99

Buffer overflow in SGI IRIX mailx program.

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Kerberos 4 key servers allow a user to masquerade as another by breaking and generating session keys.

In SunOS, NFS file handles could be guessed, giving unauthorized access to the exported file system.

Solaris SUNWadmap can be exploited to obtain root access.

Buffer overflow in BNU UUCP daemon (uucpd) through long hostnames.

In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.

sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack.

The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack.

Buffer overflow in mail command in Solaris 2.7 and 2.7 allows local users to gain privileges via a long -m argument.

useradd in Solaris 7.0 does not properly interpret certain date formats as specified in the "-e" (expiration date) argument, which could allow users to login after their accounts have expired.

CDE screen lock program (screenlock) on Solaris 2.6 does not properly lock an unprivileged user's console session when the host is an NIS+ client, which allows others with physical access to login with any string.

Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges.

Solaris 2.4 before kernel jumbo patch -35 allows set-gid programs to dump core even if the real user id is not in the set-gid group, which allows local users to overwrite or create files at higher privileges by causing a core dump, e.g. through dmesg.

Buffer overflow in Star Office 5.1 allows attackers to cause a denial of service by embedding a long URL within a document.

Buffer overflow in the Xview library as used by mailtool in Solaris 8 and earlier allows a local attacker to gain privileges via the OPENWINHOME environment variable.

Buffer overflow in dtmail in Solaris 2.6 and 7 allows local users to gain privileges via the MAIL environment variable.

Buffer overflow in mailx in Solaris 8 and earlier allows a local attacker to gain additional privileges via a long '-F' command line option.

kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument.

Buffer overflow in the kcsSUNWIOsolf.so library in Solaris 7 and 8 allows local attackers to execute arbitrary commands via the KCMS_PROFILES environment variable, e.g. as demonstrated using the kcms_configure program.

Buffer overflow in mail included with SunOS 5.8 for x86 allows a local user to gain privileges via a long HOME environment variable.

pt_chmod in Solaris 8 does not call fdetach to reset terminal privileges when users log out of terminals, which allows local users to write to other users' terminals by modifying the ACL of a TTY.

Safe.pm 2.0.7 and earlier, when used in Perl 5.8.0 and earlier, may allow attackers to break out of safe compartments in (1) Safe::reval or (2) Safe::rdo using a redefined @_ variable, which is not reset between successive calls.

The dtscreen Sun Solaris 8 CDE screensaver crashes when the "Shift" and "Return" keys are pressed repeatedly and quickly, which allows local users to access the current session.

Buffer overflow in rcp in Solaris 9.0 allows local users to execute arbitrary code via a long command line argument.