A security vulnerability in the way the rcp(1) command invokes helper applications may allow a local unprivileged user (or a remote user in the case of shared filesystems) to create files with specially crafted file names which could lead to the execution of arbitrary commands with the privileges of a local user when that local user executes the rcp(1) command on the specially crafted file names.

Note: The scp(1) utility is also affected by this issue which is described in the following documents:

CVE-2006-0225 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225

Sun Alert 102961 at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1

This issue can occur in the following releases:

SPARC Platform

• Solaris 8 without patches 110670-04 and 114669-04
• Solaris 9 without patch 114716-05
• Solaris 10 without patch 121132-03

x86 Platform

• Solaris 8 without patches 110671-04 and 114670-04
• Solaris 9 without patch 114717-05
• Solaris 10 without patch 125794-02

There are no predictable symptoms that would indicate the described issue has been exploited to execute arbitrary commands.

This issue will only occur if the rcp(1) command is executed on files that have specially crafted file names. Therefore, it may be possible to work around this issue by avoiding the use of the rcp(1) command on untrusted file names, for example, in directories that are writable by untrusted users.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 8 with patches 110670-04 and 114669-04 or later
• Solaris 9 with patch 114716-05 or later
• Solaris 10 with patch 121132-03 or later

x86 Platform

• Solaris 8 with patches 110671-04 and 114670-04 or later
• Solaris 9 with patch 114717-05 or later
• Solaris 10 with patch 125794-02 or later

This solution has no attachment