oss-sec mailing list archives

Re: CVE request for oCERT advisory 2009-013 (yTNEF/Evolution TNEF)

From: Josh Bressers <bressers () redhat com>
Date: Fri, 6 Nov 2009 14:53:15 -0500 (EST)

----- "Steven M. Christey" <coley () linus mitre org> wrote:

On Wed, 28 Oct 2009, Mark J Cox wrote:


I checked and oCERT don't have a name, so use CVE-2009-3721 for this.


This advisory covers both buffer overflows and path traversal in the same
data field.  While these may stem from "input validation" (as many issues
do), we would typically assign two separate CVE names, since the fix for a
buffer overflow would not necessarily fix the path traversal (or vice
versa).

Unless there's some deeper reason for using a single CVE, I think we should
assign separate CVEs here.  If you agree Mark, we can use CVE-2009-3721 for
the overflow, and you could assign a new CVE for the traversal.


Let's use CVE-2009-3887 for the traversal then.

Thanks.

-- 
    JB

Current thread:

CVE request for oCERT advisory 2009-013 (yTNEF/Evolution TNEF) Vincent Danen (Oct 27)
- Re: CVE request for oCERT advisory 2009-013 (yTNEF/Evolution TNEF) Mark J Cox (Oct 28)
  - Re: CVE request for oCERT advisory 2009-013 (yTNEF/Evolution TNEF) Steven M. Christey (Nov 06)
    - Re: CVE request for oCERT advisory 2009-013 (yTNEF/Evolution TNEF) Josh Bressers (Nov 06)