oss-security - Re: CVE request for oCERT advisory 2009-013 (yTNEF/Evolution TNEF)

Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Fri, 6 Nov 2009 08:43:44 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: mjc@...hat.com
cc: oss-security@...ts.openwall.com
Subject: Re: CVE request for oCERT advisory 2009-013
 (yTNEF/Evolution TNEF)

On Wed, 28 Oct 2009, Mark J Cox wrote:

> > I'm not sure if a CVE name has been requested for this issue; I can't
> > see one anywhere.
> >
> > http://www.ocert.org/advisories/ocert-2009-013.html
> >
> > It's for the Evolution TNEF/yTNEF issues disclosed early last month.
> > Could we have a CVE name assigned for this?
>
> I checked and oCERT don't have a name, so use CVE-2009-3721 for this.

This advisory covers both buffer overflows and path traversal in the same
data field.  While these may stem from "input validation" (as many issues
do), we would typically assign two separate CVE names, since the fix for a
buffer overflow would not necessarily fix the path traversal (or vice
versa).

Unless there's some deeper reason for using a single CVE, I think we
should assign separate CVEs here.  If you agree Mark, we can use
CVE-2009-3721 for the overflow, and you could assign a new CVE for the
traversal.

- Steve

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.