The Coda filesystem kernel module, as used in NetBSD and FreeBSD, when Coda is loaded and Venus is running with /coda mounted, allows local users to read sensitive heap memory via a large out_size value in a ViceIoctl struct to a Coda ioctl, which triggers a buffer over-read.

FreeBSD 7.1 through 8.1-PRERELEASE does not copy the read-only flag when creating a duplicate mbuf buffer reference, which allows local users to cause a denial of service (system file corruption) and gain privileges via the sendfile system call.

Off-by-one error in the __opiereadrec function in readrec.c in libopie in OPIE 2.4.1-test1 and earlier, as used on FreeBSD 6.4 through 8.1-PRERELEASE and other platforms, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long username, as demonstrated by a long USER command to the FreeBSD 8.0 ftpd.

The replay functionality for ZFS Intent Log (ZIL) in FreeBSD 7.1, 7.2, and 8.0, when creating files during replay of a setattr transaction, uses 7777 permissions instead of the original permissions, which might allow local users to read or modify unauthorized files in opportunistic circumstances after a system crash or power failure.

The NET_TCP_LISTEN function in net.c in Zabbix Agent before 1.6.7, when running on FreeBSD or Solaris, allows remote attackers to bypass the EnableRemoteCommands setting and execute arbitrary commands via shell metacharacters in the argument to net.tcp.listen. NOTE: this attack is limited to attacks from trusted IP addresses.

freebsd-update in FreeBSD 8.0, 7.2, 7.1, 6.4, and 6.3 uses insecure permissions in its working directory (/var/db/freebsd-update by default), which allows local users to read copies of sensitive files after a (1) freebsd-update fetch (fetch) or (2) freebsd-update upgrade (upgrade) operation.

The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1 and 8.0 does not clear the (1) LD_LIBMAP, (2) LD_LIBRARY_PATH, (3) LD_LIBMAP_DISABLE, (4) LD_DEBUG, and (5) LD_ELF_HINTS_PATH environment variables, which allows local users to gain privileges by executing a setuid or setguid program with a modified variable containing an untrusted search path that points to a Trojan horse library, different vectors than CVE-2009-4146.

The _rtld function in the Run-Time Link-Editor (rtld) in libexec/rtld-elf/rtld.c in FreeBSD 7.1, 7.2, and 8.0 does not clear the LD_PRELOAD environment variable, which allows local users to gain privileges by executing a setuid or setguid program with a modified LD_PRELOAD variable containing an untrusted search path that points to a Trojan horse library, a different vector than CVE-2009-4147.

Opera before 10.00 on Linux, Solaris, and FreeBSD does not properly implement the "INPUT TYPE=file" functionality, which allows remote attackers to trick a user into uploading an unintended file via vectors involving a "dropped file."

FreeBSD 6.3, 6.4, 7.1, and 7.2 does not enforce permissions on the SIOCSIFINFO_IN6 IOCTL, which allows local users to modify or disable IPv6 network interfaces, as demonstrated by modifying the MTU.

Integer overflow in the pipe_build_write_buffer function (sys/kern/sys_pipe.c) in the direct write optimization feature in the pipe implementation in FreeBSD 7.1 through 7.2 and 6.3 through 6.4 allows local users to bypass virtual-to-physical address lookups and read sensitive information in memory pages via unspecified vectors.

The db interface in libc in FreeBSD 6.3, 6.4, 7.0, 7.1, and 7.2-PRERELEASE does not properly initialize memory for Berkeley DB 1.85 database structures, which allows local users to obtain sensitive information by reading a database file.

The ktimer feature (sys/kern/kern_time.c) in FreeBSD 7.0, 7.1, and 7.2 allows local users to overwrite arbitrary kernel memory via an out-of-bounds timer value.

sys_term.c in telnetd in FreeBSD 7.0-RELEASE and other 7.x versions deletes dangerous environment variables with a method that was valid only in older FreeBSD distributions, which might allow remote attackers to execute arbitrary code by passing a crafted environment variable from a telnet client, as demonstrated by an LD_PRELOAD value that references a malicious library.

Format string vulnerability in Wireshark 0.99.8 through 1.0.5 on non-Windows platforms allows local users to cause a denial of service (application crash) via format string specifiers in the HOME environment variable.

The arc4random function in the kernel in FreeBSD 6.3 through 7.1 does not have a proper entropy source for a short time period immediately after boot, which makes it easier for attackers to predict the function's return values and conduct certain attacks against the GEOM framework and various network protocols, related to the Yarrow random number generator.

The TCP implementation in (1) Linux, (2) platforms based on BSD Unix, (3) Microsoft Windows, (4) Cisco products, and probably other operating systems allows remote attackers to cause a denial of service (connection queue exhaustion) via multiple vectors that manipulate information in the TCP state table, as demonstrated by sockstress.

The IPv6 Neighbor Discovery Protocol (NDP) implementation in (1) FreeBSD 6.3 through 7.1, (2) OpenBSD 4.2 and 4.3, (3) NetBSD, (4) Force10 FTOS before E7.7.1.1, (5) Juniper JUNOS, and (6) Wind River VxWorks 5.x through 6.4 does not validate the origin of Neighbor Discovery messages, which allows remote attackers to cause a denial of service (loss of connectivity) or read private network traffic via a spoofed message that modifies the Forward Information Base (FIB).

The mld_input function in sys/netinet6/mld6.c in the kernel in NetBSD 4.0, FreeBSD, and KAME, when INET6 is enabled, allows remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ICMPv6 Multicast Listener Discovery (MLD) query with a certain Maximum Response Delay value.

sys/netinet6/icmp6.c in the kernel in FreeBSD 6.3 through 7.1, NetBSD 3.0 through 4.0, and possibly other operating systems does not properly check the proposed new MTU in an ICMPv6 Packet Too Big Message, which allows remote attackers to cause a denial of service (panic) via a crafted Packet Too Big Message.