Date: Fri, 6 Nov 2009 08:43:44 -0500 (EST) From: "Steven M. Christey" <coley@...us.mitre.org> To: mjc@...hat.com cc: oss-security@...ts.openwall.com Subject: Re: CVE request for oCERT advisory 2009-013 (yTNEF/Evolution TNEF) On Wed, 28 Oct 2009, Mark J Cox wrote: > > I'm not sure if a CVE name has been requested for this issue; I can't > > see one anywhere. > > > > http://www.ocert.org/advisories/ocert-2009-013.html > > > > It's for the Evolution TNEF/yTNEF issues disclosed early last month. > > Could we have a CVE name assigned for this? > > I checked and oCERT don't have a name, so use CVE-2009-3721 for this. This advisory covers both buffer overflows and path traversal in the same data field. While these may stem from "input validation" (as many issues do), we would typically assign two separate CVE names, since the fix for a buffer overflow would not necessarily fix the path traversal (or vice versa). Unless there's some deeper reason for using a single CVE, I think we should assign separate CVEs here. If you agree Mark, we can use CVE-2009-3721 for the overflow, and you could assign a new CVE for the traversal. - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.