[FINAL] ACCEPT 14 candidates from RECENT-02 cluster
I have made a Final Decision to ACCEPT the following candidates.
These candidates are now assigned CVE names as noted below. The
resulting CVE entries will be published in the near future in a new
version of CVE. Voting details and comments are provided at the end
of this report.
- Steve
Candidate CVE Name
--------- ----------
CAN-1999-0972 CVE-1999-0972
CAN-1999-0973 CVE-1999-0973
CAN-1999-0974 CVE-1999-0974
CAN-1999-0975 CVE-1999-0975
CAN-1999-0977 CVE-1999-0977
CAN-1999-0978 CVE-1999-0978
CAN-1999-0979 CVE-1999-0979
CAN-1999-0980 CVE-1999-0980
CAN-1999-0981 CVE-1999-0981
CAN-1999-0982 CVE-1999-0982
CAN-1999-0986 CVE-1999-0986
CAN-1999-0987 CVE-1999-0987
CAN-1999-0989 CVE-1999-0989
CAN-1999-0991 CVE-1999-0991
=================================
Candidate: CAN-1999-0972
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991209 xsw 1.24 remote buffer overflow
Reference: BID:863
Buffer overflow in Xshipwars xsw program.
INFERRED VOTE: CAN-1999-0972 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(2) Blake, Stracener
MODIFY(1) Cole
NOOP(1) Christey
COMMENTS:
Cole> The buffer overflow is in the server and only in certain versions.
Christey> Version numbers are not necessary to distinguish this
Christey> from other candidates/entries.
=================================
Candidate: CAN-1999-0973
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991206 [w00giving #8] Solaris 2.7's snoop
Reference: BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd)
Reference: BID:858
Buffer overflow in Solaris snoop program allows remote attackers to
gain root privileges via a long domain name when snoop is running in
verbose mode.
INFERRED VOTE: CAN-1999-0973 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0974
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: ISS:19991209 Buffer Overflow in Solaris Snoop
Reference: SUN:00190
Reference: BUGTRAQ:19991209 Clarification needed on the snoop vuln(s) (fwd)
Reference: BID:864
Buffer overflow in Solaris snoop allows remote attackers to gain root
privileges via GETQUOTA requests to the rpc.rquotad service.
INFERRED VOTE: CAN-1999-0974 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0975
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991207 Local user can fool another to run executable. .CNT/.GID/.HLP M$WINNT
Reference: BID:868
The Windows help system can allow a local user to execute commands as
another user by editing a table of contents metafile with a .CNT
extension and modifying the topic action to include the commands to be
executed when the .hlp file is accessed.
INFERRED VOTE: CAN-1999-0975 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0977
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: SF-INCIDENTS:19991209 sadmind
Reference: BUGTRAQ:19991210 Solaris sadmind Buffer Overflow Vulnerability
Reference: CERT:CA-99-16
Reference: BID:866
Buffer overflow in Solaris sadmind allows remote attackers to gain
root privileges using a NETMGT_PROC_SERVICE request.
INFERRED VOTE: CAN-1999-0977 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0978
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: DEBIAN:19991209
Reference: BID:867
htdig allows remote attackers to execute commands via filenames with
shell metacharacters.
Modifications:
DESC exclude Debian
INFERRED VOTE: CAN-1999-0978 RECAST (1 recast, 2 accept, 0 review)
VOTES:
MODIFY(2) Cole, Stracener
NOOP(1) Christey
RECAST(1) Blake
COMMENTS:
Cole> This occurs when it tries to handle non HTML files.
Blake> if htdig is not unique to Debian (not sure).
Stracener> This is a multi-platform vulnerability, at least in theory (given that Htdig
Stracener> can run on platforms other than Debian). We might get more mileage out of
Stracener> this CAN by removing the word "Debian" from the description.
Christey> The Debian advisory and associated patches show that the
Christey> problem is not Debian-specific, so I removed Debian from
Christey> the description as recommended. The confusion arose because
Christey> Debian appears to be the developer of this package.
=================================
Candidate: CAN-1999-0979
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991209 Fundamental flaw in UnixWare 7 security
Reference: BUGTRAQ:19991215 Recent postings about SCO UnixWare 7
Reference: BID:869
The SCO UnixWare privileged process system allows local users to gain
root privileges by using a debugger such as gdb to insert traps into
_init before the privileged process is executed.
INFERRED VOTE: CAN-1999-0979 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0980
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: MS:MS99-055
Reference: MSKB:Q246045
Windows NT Service Control Manager (SCM) allows remote attackers to
cause a denial of service via a malformed argument in a resource
enumeration request.
INFERRED VOTE: CAN-1999-0980 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0981
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: MS:MS99-050
Reference: MSKB:Q246094
Internet Explorer 5.01 and earlier allows a remote attacker to create
a reference to a client window and use a server-side redirect to
access local files via that window, aka "Server-side Page Reference
Redirect."
INFERRED VOTE: CAN-1999-0981 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0982
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: unknown
Reference: BUGTRAQ:19991206 Solaris WBEM 1.0: plaintext password stored in world readable file
The Sun Web-Based Enterprise Management (WBEM) installation script
stores a password in plaintext in a world readable file.
INFERRED VOTE: CAN-1999-0982 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0986
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: BUGTRAQ:19991209 Big problem on 2.0.x?
Reference: BID:870
The ping command in Linux 2.0.3x allows local users to cause a denial
of service by sending large packets with the -R (record route)
option.
INFERRED VOTE: CAN-1999-0986 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0987
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: NTBUGTRAQ:19991118 NT System Policy for Win95 Not downloaded when adding a space after domain name
Reference: MSKB:Q237923
Windows NT does not properly download a system policy if the domain
user logs into the domain with a space at the end of the domain name.
INFERRED VOTE: CAN-1999-0987 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0989
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: NTBUGTRAQ:19991205 new IE5 remote exploit
Reference: BUGTRAQ:19991205 new IE5 remote exploit
Reference: BID:861
Buffer overflow in Internet Explorer 5 directshow filter (MSDXM.OCX)
allows remote attackers to execute commands via the vnd.ms.radio
protocol.
INFERRED VOTE: CAN-1999-0989 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener
=================================
Candidate: CAN-1999-0991
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991214
Category: SF
Reference: NTBUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability
Reference: BUGTRAQ:19991206 Remote DoS Attack in GoodTech Telnet Server NT v2.2.1 Vulnerability
Reference: BID:862
Buffer overflow in GoodTech Telnet Server NT allows remote users to
cause a denial of service via a long login name.
INFERRED VOTE: CAN-1999-0991 ACCEPT (3 accept, 0 review)
VOTES:
ACCEPT(3) Cole, Blake, Stracener