iDEFENSE Labs claims that a locally exploitable buffer overflow exists in the ld.so.1 dynamic runtime linker in Sun's Solaris operating system. "The LD_PRELOAD variable can be passed a large value, which will cause the runtime linker to overflow a stack based buffer. The overflow occurs on a non-executable stack making command execution more difficult than normal, but not impossible."
Vulnerable versions include: Solaris 2.6, Solaris 7, Solaris 8, and Solaris 9.
View the advisory at http://www.idefense.com/advisory/07.29.03.txt and download the patch at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680