oss-sec mailing list archives
Re: CVE-2009-3239 is a duplicate of CVE-2009-2139 and CVE-2009-2140
From: security curmudgeon <jericho () attrition org>
Date: Sun, 25 Oct 2009 02:21:51 +0000 (UTC)
: CVE-2009-3239 appears to be a duplicate of CVE-2009-2139 and
: CVE-2009-2140, and should therefore be rejected.

CVE may abstract on these:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3239

Buffer overflow in the EMF parser implementation in OpenOffice.org (OOo) in SUSE openSUSE 10.3 through 11.1, Novell Linux Desktop (NLD) 9, and SUSE Linux Enterprise (SLE) 10 and 11 has unknown impact and remote attack vectors, related to enhwmf.cxx and emfplus.cxx.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2139

Heap-based buffer overflow in svtools/source/filter.vcl/wmf/enhwmf.cxx in Go-oo 2.x and 3.x before 3.0.1, previously named ooo-build and related to OpenOffice.org (OOo), allows remote attackers to execute arbitrary code via a crafted EMF file, a similar issue to CVE-2008-2238.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2140

Multiple heap-based buffer overflows in cppcanvas/source/mtfrenderer/emfplus.cxx in Go-oo 2.x and 3.x before 3.0.1, previously named ooo-build and related to OpenOffice.org (OOo), allow remote attackers to execute arbitrary code via a crafted EMF+ file, a similar issue to CVE-2008-2238.

1. 2139 and 2140 were created next to each other. That is usually a strong indication that CVE chose to abstract between two issues.

2. 3239 is in OOo, while 2139/2140 are in Go-oo, which was "previously .. related to OOo". If Go-oo represents a code fork, there are two products in question now. While CVE will merge products on similar issues, I don't believe it is set in stone.

3. I may be totally off and they may be considered dupes. =)

OSVDB is keeping them split for now, given the difference in products.

Brian