Buffer overflow in eeprom in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

Buffer overflow in chkey in Solaris 2.5.1 and earlier allows local users to gain root privileges via a long command line argument.

SunOS 4.1.4 on a Sparc 20 machine allows local users to cause a denial of service (kernel panic) by reading from the /dev/tcx0 TCX device.

Buffer overflow in Xt library of X Windowing System allows local users to execute commands with root privileges.

NFS cache poisoning.

Buffer overflow of rlogin program using TERM environmental variable.

ypbind with -ypset and -ypsetme options activated in Linux Slackware and SunOS allows local and remote attackers to overwrite files via a .. (dot dot) attack.

The Sun sdtcm_convert calendar utility for OpenWindows has a buffer overflow which can gain root access.

Arbitrary file creation and program execution using FLEXlm LicenseManager, from versions 4.0 to 5.0, in IRIX.

Sendmail allows local users to write to a file and gain group permissions via a .forward or :include: file.

Buffer overflow in lpr, as used in BSD-based systems including Linux, allows local users to execute arbitrary code as root via a long -C (classification) command line option.

Local user gains root privileges via buffer overflow in rdist, via lookup() function.

Delete or create a file via rpc.statd, due to invalid information.

Buffer overflow in syslog utility allows local or remote attackers to gain root privileges.

SunOS sendmail 5.59 through 5.65 uses popen to process a forwarding host argument, which allows local users to gain root privileges by modifying the IFS (Internal Field Separator) variable and passing crafted values to the -oR option.

The permissions for the /dev/audio device on Solaris 2.2 and earlier, and SunOS 4.1.x, allow any local user to read from the device, which could be used by an attacker to monitor conversations happening near a machine that has a microphone.