Qaaz

**Name of the Vulnerable Software and Affected Versions** ReliantHA version 1.1.4 in SCO UnixWare 7.1.4 **Description** The issue allows local users to gain root privileges by modifying the `RELIANT PATH` environment variable to point to a malicious `bin/hvenv` program. This is due to an untrusted search path vulnerability in `hvdisp` and `rcvm` components. **Recommendations** For ReliantHA version 1.1.4 in SCO UnixWare 7.1.4, consider restricting access to the `RELIANT PATH` environment variable to prevent modification by local users. Additionally, monitor and restrict execution of the `bin/hvenv` program to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ReliantHA version 1.1.4 in SCO UnixWare 7.1.4 **Description** The issue allows local users to gain root privileges through a crafted -d argument that contains .. (dot dot) sequences pointing to a directory with a file whose name includes shell metacharacters. **Recommendations** For ReliantHA version 1.1.4 in SCO UnixWare 7.1.4, consider restricting access to the merge mcd function until a patch is available, and avoid using arguments that contain .. sequences or shell metacharacters. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SCO UnixWare version 7.1.4 before p534589 **Description** A directory traversal issue exists, allowing local users to create or append to arbitrary files. This is achieved by using ".." sequences in an unspecified environment variable, likely `PKGINST`, within the `pkgadd` environment. **Recommendations** For SCO UnixWare version 7.1.4 before p534589, consider restricting access to the `pkgadd` command until a patch is available, specifically by limiting the ability to manipulate the environment variable that is being exploited.

The vmsplice to pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.