A race condition vulnerability in handling recursive directory deletion via the rm(1) command with either the "-r" or "-R" option may lead to deletion of files or directories external to the argument directory hierarchy. An unprivileged user may exploit this vulnerability by creating a specially crafted directory hierarchy which, when deleted by a privileged user using the rm(1) command, may lead to deletion of system files and directories causing a Denial of Service (DoS) condition.

Sun acknowledges with thanks, Jim Meyering <jim@meyering.net>, for bringing this issue to our attention.

Additional information regarding this issue can be found at:

• CVE-2007-0895 at:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0895
  

This issue can occur in the following releases:

SPARC Platform

• Solaris 8 without patch 124969-01
• Solaris 9 without patch 123372-02
• Solaris 10 without patch 124244-01

x86 Platform

• Solaris 8 without patch 124970-01
• Solaris 9 without patch 123373-02
• Solaris 10 without patch 124245-01

There are no predictable symptoms that would indicate the issue has been exploited.

There is no workaround. Please see the "Resolution" section below.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 8 with patch 124969-01 or later
• Solaris 9 with patch 123372-02 or later
• Solaris 10 with patch 124244-01 or later

x86 Platform

• Solaris 8 with patch 124970-01 or later
• Solaris 9 with patch 123373-02 or later
• Solaris 10 with patch 124245-01 or later

• Updated Impact section

This solution has no attachment