Message-ID: <Pine.LNX.4.64.0910250218410.23549@forced.attrition.org>
Date: Sun, 25 Oct 2009 02:21:51 +0000 (UTC)
From: security curmudgeon <jericho@...rition.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2009-3239 is a duplicate of CVE-2009-2139 and CVE-2009-2140


: CVE-2009-3239 appears to be a duplicate of CVE-2009-2139 and 
: CVE-2009-2140, and should therefore be rejected.

CVE may abstract on these:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3239

Buffer overflow in the EMF parser implementation in OpenOffice.org (OOo) 
in SUSE openSUSE 10.3 through 11.1, Novell Linux Desktop (NLD) 9, and 
SUSE Linux Enterprise (SLE) 10 and 11 has unknown impact and remote 
attack vectors, related to enhwmf.cxx and emfplus.cxx.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2139

Heap-based buffer overflow in svtools/source/filter.vcl/wmf/enhwmf.cxx in 
Go-oo 2.x and 3.x before 3.0.1, previously named ooo-build and related to 
OpenOffice.org (OOo), allows remote attackers to execute arbitrary code 
via a crafted EMF file, a similar issue to CVE-2008-2238.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-2140

Multiple heap-based buffer overflows in 
cppcanvas/source/mtfrenderer/emfplus.cxx in Go-oo 2.x and 3.x before 
3.0.1, previously named ooo-build and related to OpenOffice.org (OOo), 
allow remote attackers to execute arbitrary code via a crafted EMF+ file, 
a similar issue to CVE-2008-2238.


1. 2139 and 2140 were created next to each other. That is usually a strong 
indication that CVE chose to abstract between two issues.

2. 3239 is in OOo, while 2139/2140 are in Go-oo, which was "previously .. 
related to OOo". If Go-oo represents a code fork, there are two products 
in question now. While CVE will merge products on similar issues, I don't 
believe it is set in stone.

3. I may be totally off and they may be considered dupes. =)  OSVDB is 
keeping them split for now, given the difference in products.

Brian
