Some functions that implement the locale subsystem on Unix do not properly cleanse user-injected format strings, which allows local attackers to execute arbitrary commands via functions such as gettext and catopen.

Buffer overflow in ufsrestore in Solaris 8 and earlier allows local users to gain root privileges via a long pathname.

Buffer overflow in Solaris chkperm command allows local users to gain root access via a long -n option.

Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request.

Buffer overflow in Solaris snoop allows remote attackers to gain root privileges via GETQUOTA requests to the rpc.rquotad service.

Buffer overflow in Solaris snoop program allows remote attackers to gain root privileges via a long domain name when snoop is running in verbose mode.

The dynamic linker in Solaris allows a local user to create arbitrary files via the LD_PROFILE environmental variable and a symlink attack.

The ToolTalk ttsession daemon uses weak RPC authentication, which allows a remote attacker to execute commands.

The CDE dtspcd daemon allows local users to execute arbitrary commands via a symlink attack.

Buffer overflow in the AddSuLog function of the CDE dtaction utility allows local users to gain root privileges via a long user name.

The BSD profil system call allows a local user to modify the internal data space of a program via profiling and execve.

sdtcm_convert in Solaris 2.6 allows a local user to overwrite sensitive files via a symlink attack.

Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).

The Red Hat Linux su program does not log failed password guesses if the su process is killed before it times out, which allows local attackers to conduct brute force password guessing.

In Sun Solaris and SunOS, man and catman contain vulnerabilities that allow overwriting arbitrary files.

Solaris ff.core allows local users to modify files.

The passwd command in Solaris can be subjected to a denial of service.

Buffer overflow in Sun's ping program can give root access to local users.

SunOS/Solaris FTP clients can be forced to execute arbitrary commands from a malicious FTP server.

Multiple buffer overflows in how dtmail handles attachments allows a remote attacker to execute commands.