A difficult-to-exploit stack-based buffer overflow in the _DtCreateDtDirs() function in the Common Desktop Environment version distributed with Oracle Solaris 10 1/13 (Update 11) and earlier may allow local users to corrupt memory and potentially execute arbitrary code, escalating privileges, via a long X11 display name. The vulnerable function is located in the libDtSvc library and can be reached by executing the setuid program dtsession.
Note that Oracle Solaris CDE is based on the original CDE 1.x train, which is different from the CDE 2.x codebase that was later open sourced. Specifically, the open-source CDE is not affected by this vulnerability, but following our report its maintainers have done some additional work to properly check bounds in the libDtSvc library. Most notably, insecure calls to strncat() that caused buffer overflows have been fixed.
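The following added example (not code from CDE, libDtSvc or this advisory) shows why strncat() calls need an explicit destination bound when a path is built from a caller-controlled display name, and a checked append that rejects overlong input instead. The function names, the 32-byte buffer and the `/tmp/base` path are constructed for illustration, and the `sizeof(dst)` misuse pattern is a common one assumed here, not confirmed as the pattern fixed in CDE.

```c
#include <stdio.h>
#include <string.h>

/* strncat(dst, src, n) copies up to n bytes of src and then adds a NUL.
 * n limits the source, not the destination, so the common pattern
 *     strncat(dst, src, sizeof(dst));
 * can still write past dst once dst already holds data. */

/* Bytes (including the NUL) dst must hold for strncat(dst, src, n). */
size_t strncat_needed(const char *dst, const char *src, size_t n)
{
    size_t slen = strlen(src);
    return strlen(dst) + (slen < n ? slen : n) + 1;
}

/* Checked append: 0 on success, -1 (dst untouched) if src does not fit. */
int append_checked(char *dst, size_t dstsize, const char *src)
{
    const char *nul = memchr(dst, '\0', dstsize);
    size_t used, slen = strlen(src);
    if (nul == NULL)
        return -1;                      /* dst is not terminated */
    used = (size_t)(nul - dst);
    if (slen >= dstsize - used)
        return -1;                      /* no room for src plus NUL */
    memcpy(dst + used, src, slen + 1);
    return 0;
}

/* Build "<base>/<display>"; fail closed instead of truncating. */
int build_display_dir(char *out, size_t outsize,
                      const char *base, const char *display)
{
    if (outsize == 0)
        return -1;
    out[0] = '\0';
    if (append_checked(out, outsize, base) || append_checked(out, outsize, "/")
        || append_checked(out, outsize, display)) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char dir[32];                       /* constructed sample buffer */
    int rc = build_display_dir(dir, sizeof dir, "/tmp/base", ":0");
    printf("rc=%d dir=%s\n", rc, dir);
    return 0;
}
```

Rejecting the input, rather than silently truncating it, also avoids operating on a different directory than the one the caller named.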