COMMAND

    dtaction

SYSTEMS AFFECTED

    SunOS 5.4, 5.5, 5.5.1, 5.6 (sparc and x86)

PROBLEM

    The dtaction utility allows applications or shell scripts, which
    are otherwise not connected into the CDE development environment,
    to invoke action requests. Due to insufficient bounds checking on
    arguments supplied to dtaction, it is possible to overwrite the
    internal stack space of dtaction. As dtaction is setuid root,
    this vulnerability may be exploited to gain root access. For
    more detail, see 'dtaction' in the AIX section or 'X Library' in
    the mUNIXes section of Security Bugware (this page).

SOLUTION

    The  following  patches  are  available  in  relation to the above
    problem:

        CDE version         Patch ID
        -----------         --------
        1.2                 105669-02
        1.2_x86             105670-02
        1.02                105716-02
        1.02_x86            105717-02
        1.01                105714-02
        1.01_x86            105715-02
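
    To confirm that a host carries one of the patches above, its
    installed-patch listing can be scanned for the listed IDs. The
    POSIX shell function below is an added example, not part of the
    original advisory. It assumes the "Patch: <id>-<rev>" line format
    printed by showrev -p and that revisions later than -02 also
    carry the fix; the sample listings in it are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory). Base patch IDs and the -02 revision
# come from the advisory table; treating later revisions as fixed is an
# assumption, and the sample listings below are constructed.
DTACTION_PATCHES="105669 105670 105716 105717 105714 105715"
MIN_REV=2

# Reads a patch listing on stdin. Prints "fixed <id>" for a listed patch at
# revision >= MIN_REV and "outdated <id>" for a listed patch at a lower one.
# Returns 0 if at least one fixing revision is present, 1 otherwise.
dtaction_patch_status() {
    rc=1
    while read -r tag patch rest; do
        [ "$tag" = "Patch:" ] || continue
        case $patch in *-*) ;; *) continue ;; esac      # need <base>-<rev>
        base=${patch%-*}
        rev=${patch##*-}
        case $rev in ''|*[!0-9]*) continue ;; esac      # skip malformed revs
        case " $DTACTION_PATCHES " in
            *" $base "*) ;;
            *) continue ;;                              # unrelated patch
        esac
        if [ "$rev" -ge "$MIN_REV" ]; then
            echo "fixed $patch"
            rc=0
        else
            echo "outdated $patch"
        fi
    done
    return $rc
}

# Constructed sample listings; 999999-01 and the package name are placeholders.
SAMPLE_PATCHED='Patch: 999999-01 Obsoletes:  Requires:  Incompatibles:  Packages: PKG_PLACEHOLDER
Patch: 105669-02 Obsoletes:  Requires:  Incompatibles:  Packages: PKG_PLACEHOLDER'
SAMPLE_OUTDATED='Patch: 105669-01 Obsoletes:  Requires:  Incompatibles:  Packages: PKG_PLACEHOLDER'

# On a live host: showrev -p | dtaction_patch_status
```

    A return status of 1 with no "fixed" line means none of the
    listed patches is installed at a fixing revision.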