Re: CORE-2008-0126: Multiple vulnerabilities in iCal

["Steven M. Christey" <coley () linus mitre org>]

On Tue, 27 May 2008, security curmudgeon wrote:

> No mention of CVE-2008-1035 in the [CORE] advisory other than the header
> CVE name reference. BID seems to have split the three vulnerabilities,
> but given two of them the same CVE. CVE does not have descriptions open
> yet.

The descriptions are below - for CVE-2008-2006, we merged on the rough
criteria of "insufficient validation of a length field".

> Could someone from CORE, SecurityFocus or CVE confirm if CVE-2008-1035 is
> supposed to be in the mix, and if CVE-2008-2006 does correspond to two
> of the vulnerabilities listed?

CVE-2008-2006 intentionally corresponds to both.

I am not sure where CORE got CVE-2008-1035 from - that number was part of
a pool of numbers that were allocated to Apple, for them to assign
to issues in Apple products (this makes them effectively a CNA; see
http://cve.mitre.org/cve/cna.html for more info).

CORE obtained CVE-2008-2006 and CVE-2008-2007 directly from MITRE.  It's
most likely that during CORE's collaboration with Apple, Apple might have
given them CVE-2008-1035 from Apple's own pool, to cover one or more of
those issues.  This type of "reservation duplicate" happens periodically
when both researcher/coordinator and vendor use CVEs.  BUT - this is just
a guess, either CORE or Apple would need to provide a more concrete
answer.  We are currently keeping CVE-2008-1035 blank until there's more
clarity.

- Steve

======================================================
Name: CVE-2008-2006
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2006
Reference: BUGTRAQ:20080521 CORE-2008-0126: Multiple vulnerabilities in iCal
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/492414/100/0/threaded
Reference: MISC:http://www.coresecurity.com/?action=item&id=2219
Reference: BID:28632
Reference: URL:http://www.securityfocus.com/bid/28632
Reference: BID:28629
Reference: URL:http://www.securityfocus.com/bid/28629
Reference: FRSIRT:ADV-2008-1601
Reference: URL:http://www.frsirt.com/english/advisories/2008/1601

Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and
user-assisted remote attackers, to cause a denial of service (NULL
pointer dereference and application crash) or possibly execute
arbitrary code via a .ics file containing (1) a large 16-bit integer
on a TRIGGER line, or (2) a large integer in a COUNT field on an RRULE
line.  NOTE: this might be a duplicate of CVE-2008-1035.


======================================================
Name: CVE-2008-2007
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2007
Reference: BUGTRAQ:20080521 CORE-2008-0126: Multiple vulnerabilities in iCal
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/492414/100/0/threaded
Reference: MISC:http://www.coresecurity.com/?action=item&id=2219
Reference: BID:28633
Reference: URL:http://www.securityfocus.com/bid/28633
Reference: FRSIRT:ADV-2008-1601
Reference: URL:http://www.frsirt.com/english/advisories/2008/1601

Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and
user-assisted remote attackers, to trigger memory corruption or
possibly execute arbitrary code via an "ATTACH;VALUE=URI:S=osumi" line
in a .ics file, which triggers a "resource liberation" bug.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/