oss-sec mailing list archives
Re: CVE request for oCERT advisory 2009-013 (yTNEF/Evolution TNEF)
From: "Steven M. Christey" <coley () linus mitre org>
Date: Fri, 6 Nov 2009 08:43:44 -0500 (EST)
On Wed, 28 Oct 2009, Mark J Cox wrote:
> > I'm not sure if a CVE name has been requested for this issue; I can't see one anywhere.
> >
> > http://www.ocert.org/advisories/ocert-2009-013.html
> >
> > It's for the Evolution TNEF/yTNEF issues disclosed early last month. Could we have a CVE name assigned for this?
>
> I checked and oCERT don't have a name, so use CVE-2009-3721 for this.
This advisory covers both buffer overflows and path traversal in the same data field. While these may stem from "input validation" (as many issues do), we would typically assign two separate CVE names, since the fix for a buffer overflow would not necessarily fix the path traversal (or vice versa).

Unless there's some deeper reason for using a single CVE, I think we should assign separate CVEs here. If you agree Mark, we can use CVE-2009-3721 for the overflow, and you could assign a new CVE for the traversal.

- Steve