7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.0004 Low
EPSS
Percentile
5.4%
The CDE Print Viewer program _dtprintinfo _provides a graphical interface display the status of print queues and print jobs.
By using the clipboard to overflow the search field in the Help window of dtprintinfo, a local attacker can execute arbitrary code on the system as root.
There is a buffer overflow in the graphical program used to view print job status in CDE-aware desktop environments. Since dtprintinfo is commonly set to be setuid root, this defect could allow a local attacker to execute arbitrary code as root.
A user with local access can execute arbitrary code with root privileges.
Apply a patch from your vendor.
Sun patches:
108949-04: CDE 1.4: libDtHelp/libDtSvc patch 108950-04: CDE 1.4_x86: litDtHelp/libDtSvc patch
Please see other vendor statements for additional patch information.
Disable dtprintinfo or ‘chmod -s’ the binary.
860296
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: March 09, 2001 Updated: April 30, 2002
Affected
x-reference: case id SSRT1-78U
`
At the time of writing this document, patches(binary kits) are in progress and final testing is expected to begin soon. Compaq will provide notice of the completion/availibility of the patches through AES services (DIA, DSNlink FLASH) and be available from your normal Compaq Support channel.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23860296 Feedback>).
Updated: August 22, 2001
Affected
Please see _HPSBUX0105-151: Security Vulnerabilities in CDE on HP-UX_
at
<http://www.itresourcecenter.hp.com/>
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23860296 Feedback>).
Notified: March 01, 2001 Updated: December 19, 2001
Affected
IBM’s AIX operating system is vulnerable.
We have developed official fixes to close this vulnerability.
Customers who run AIX 4.3.x should apply APAR #IY21539.
Customers who run AIX 5.1 should apply APAR #IY20917.
See <http://techsupport.services.ibm.com/rs6k/fixdb.html> to obtain these APARs.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23860296 Feedback>).
Notified: August 15, 2001 Updated: December 17, 2001
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23860296 Feedback>).
Updated: March 05, 2001
Affected
The following patches have been made avaialble:
108949-04: CDE 1.4: libDtHelp/libDtSvc patch 108950-04: CDE 1.4_x86: litDtHelp/libDtSvc patch
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23860296 Feedback>).
Updated: December 20, 2001
Not Affected
UNICOS and UNICOS/mk are not vulnerable to either of these two [issues]. For further information see Cray SPR 721061.
The vendor has not provided us with any further information regarding this vulnerability.
The other issue Cray is responding to is VU#595507.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23860296 Feedback>).
Notified: March 01, 2001 Updated: December 17, 2001
Unknown
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23860296 Feedback>).
Notified: October 03, 2001 Updated: December 17, 2001
Unknown
Xi Graphics is investigating this report and will provide more information when it is available.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23860296 Feedback>).
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
The CERT/CC thanks Kevin Kotas of Ernst & Young’s eSecurityOnline for reporting this vulnerability to us and to affected vendors.
This document was written by Jeffrey S. Havrilla.
CVE IDs: | CVE-2001-0551 |
---|---|
Severity Metric: | 6.75 Date Public: |