[VOTES] Vote details for recent clusters with advisories
This LEGACY-RECENT-ADVISORIES meta-cluster includes vote details for
clusters proposed after October 1999. All of these candidates have
formal advisories associated with them.
UNIX-VEN
LINUX
CERT2
MS
Also, note that in the ALL-NEW meta-cluster containing the RECENT-XX
clusters, I inadvertently included candidates that went to final
decision. It was bound to happen sometime. Future meta-clusters will
not include such candidates.
- Steve
--------------------- CLUSTER UNIX-VEN ---------------------
UNIX-VEN (25 candidates)
--------------------
Proposed: 12/13
Scheduled Proposed: 12/13
Scheduled Interim Decision: 12/27
Scheduled Final Decision: 12/31
Various problems acknowledged by Unix vendors
Voters:
Frech MODIFY(3) REJECT(1) REVIEWING(4)
Christey NOOP(1) REJECT(1) REVIEWING(1)
Cole ACCEPT(6) NOOP(2)
Prosser ACCEPT(5) MODIFY(2) REVIEWING(1)
Stracener ACCEPT(5) MODIFY(3)
Blake ACCEPT(8)
<FINAL> --> 17
<INTERIM> --> 1
<PROPOSED> --> 7
MODIFY --> 2
REJECT --> 1
REVIEWING --> 5
=================================
Candidate: CAN-1999-0684
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: HP:HPSBUX9904-097
Denial of service in Sendmail 8.8.6 in HPUX.
INFERRED ACTION: CAN-1999-0684 SMC_REJECT (2 reject, 4 accept, 0 review)
Current Votes:
ACCEPT(2) Cole, Blake
MODIFY(2) Stracener, Prosser
REJECT(2) Frech, Christey
Comments:
Stracener> Add Ref: CIAC: J-040
Frech> Without further information and/or references, this issue looks like an
Frech> ambiguous version of CVE-1999-0478: Denial of service in HP-UX sendmail
Frech> 8.8.6 related to accepting connections.
Prosser> Might change description to indicate DoS caused by multiple connections
Christey> Andre's right. This is a duplicate of CAN-1999-0684.
=================================
Candidate: CAN-1999-0694
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: CIAC:J-055
Reference: IBM:ERS-SVA-E01-1999:002.1
Reference: XF:aix-ptrace-halt
Denial of service in AIX ptrace system call allows local users to
crash the system.
Modifications:
ADDREF XF:aix-ptrace-halt
DELREF BUGTRAQ:19990713
INFERRED ACTION: CAN-1999-0694 ACCEPT (4 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(3) Blake, Stracener, Prosser
MODIFY(1) Frech
NOOP(2) Cole, Christey
Comments:
Frech> XF:aix-ptrace-halt
Frech> Please add title to the BugTraq reference, since it was not evident to which
Frech> message you were referring.
Christey> I couldn't find the Bugtraq reference either, which is
Christey> especially odd because the IBM advisory says that the
Christey> problem was discussed in Bugtraq. Bugtraq reference deleted.
=================================
Candidate: CAN-1999-0767
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: SUN:00189
Buffer overflow in Solaris libc, ufsrestore, and rcp via LC_MESSAGES
environmental variable.
INFERRED ACTION: CAN-1999-0767 SMC_REVIEW (4 accept, 2 review)
Current Votes:
ACCEPT(2) Cole, Blake
MODIFY(2) Stracener, Frech
REVIEWING(2) Prosser, Christey
Comments:
Stracener> Add Ref: CIAC: J-069
Frech> XF:sun-libc-lcmessages
Prosser> BID 268 is an additional reference for this one as it has info on the Sun
Prosser> vulnerability. However, BID 268 also includes AIX in this vulnerability and
Prosser> refs APARS issued to fix a vulnerability in various 'nixs with the Natural
Prosser> Language Service environmental variables NSLPATH and PATH_LOCALE depending
Prosser> on the 'nix, ref CERT CA-97.10, CVE-1999-0041. However, Georgi Guninski
Prosser> reported a BO in AIX with LC_MESSAGES + mount, also refed in BID 268, so it
Prosser> is possible the AIX APARs fix an earlier, similar vulnerability to the Sun
Prosser> BO in LC_MESSAGES. This should probably be considered under a different
Prosser> CAN. Any ideas?
Christey> Given that the buffer overflows in CVE-1999-0041 are NLSPATH
Christey> and PATH_LOCALE, I'd say that's good evidence that this is not
Christey> the same problem. But a buffer overflow in libc in
Christey> LC_MESSAGES... We must ask if these are basically the same
Christey> codebase.
=================================
Candidate: CAN-1999-0783
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: FreeBSD:FreeBSD-SA-98:05
Reference: CIAC:I-057
FreeBSD allows local users to conduct a denial of service by creating
a hard link from a device special file to a file on an NFS file
system.
INFERRED ACTION: CAN-1999-0783 ACCEPT_REV (4 accept, 3 ack, 1 review)
Current Votes:
ACCEPT(4) Cole, Blake, Stracener, Prosser
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0789
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ: Remote bufferoverflow exploit for ftpd from AIX 4.3.2 running on an RS6000
Reference: IBM:ERS-SVA-E01-1
Buffer overflow in AIX ftpd in the libc library.
INFERRED ACTION: CAN-1999-0789 ACCEPT_REV (4 accept, 1 ack, 1 review)
Current Votes:
ACCEPT(2) Cole, Blake
MODIFY(2) Stracener, Prosser
REVIEWING(1) Frech
Comments:
Stracener> Add Ref: CIAC: J-072
Frech> On BUGTRAQ reference, add 19990927 as date
Frech> On IBM reference, correctly cite as ERS-SVA-E01-1999:004.1
Prosser> ref should read ERS-SVA-E01-1999:004.1
Prosser> add reference BID 679
=================================
Candidate: CAN-1999-0796
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: FREEBSD:SA-98.03
FreeBSD T/TCP Extensions for Transactions can be subjected to spoofing
attacks.
INFERRED ACTION: CAN-1999-0796 ACCEPT_REV (3 accept, 2 ack, 1 review)
Current Votes:
ACCEPT(3) Blake, Stracener, Prosser
NOOP(1) Cole
REVIEWING(1) Frech
=================================
Candidate: CAN-1999-0911
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990827 ProFTPD
Reference: BUGTRAQ:19990907 ProFTP-1.2.0pre4 buffer overflow -- once more
Reference: FREEBSD:FreeBSD-SA-99:03
Reference: BID:612
Buffer overflow in ProFTPD, wu-ftpd, and beroftpd allows remote
attackers to gain root access via a series of MKD and CWD commands
that create nested directories.
CONTENT-DECISIONS: SF-CODEBASE
INFERRED ACTION: CAN-1999-0911 ACCEPT (5 accept, 2 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(4) Cole, Blake, Stracener, Prosser
MODIFY(1) Frech
Comments:
Frech> XF:proftpd-long-dir-bo
Frech> (I already passed this to you during a BACKMAP message.)
=================================
Candidate: CAN-1999-0964
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: FREEBSD:FreeBSD-SA-97:01
Buffer overflow in FreeBSD setlocale in the libc module.
INFERRED ACTION: CAN-1999-0964 ACCEPT_REV (4 accept, 2 ack, 1 review)
Current Votes:
ACCEPT(4) Cole, Blake, Stracener, Prosser
REVIEWING(1) Frech
--------------------- CLUSTER LINUX ---------------------
LINUX (30 candidates)
--------------------
Proposed: 12/13
Scheduled Proposed: 12/13
Scheduled Interim Decision: 12/27
Scheduled Final Decision: 12/31
Linux problems acknowledged by Linux vendors
Voters:
Christey MODIFY(2) NOOP(1) REVIEWING(1)
Cole ACCEPT(2) MODIFY(3) NOOP(3)
Stracener ACCEPT(4) MODIFY(3) REJECT(1)
Blake ACCEPT(5) MODIFY(1) REJECT(2)
<FINAL> --> 22
<INTERIM> --> 5
<PROPOSED> --> 3
ACCEPT --> 1
MODIFY --> 4
REJECT --> 2
REVIEWING --> 1
=================================
Candidate: CAN-1999-0708
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000106-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow
Reference: BID:651
Buffer overflow in cfingerd allows local users to gain root privileges
via a long GECOS field.
Modifications:
DELREF DEBIAN:19990806
CHANGEREF BUGTRAQ BUGTRAQ:19990921 BP9909-00: cfingerd local buffer overflow
DESC Add GECOS qualifier
INFERRED ACTION: CAN-1999-0708 ACCEPT (3 accept, 1 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Stracener
MODIFY(1) Cole
NOOP(1) Christey
Comments:
Cole> This is too general. I would add: By setting a carefully designed GECOS
Cole> field it is possible to execute arbitrary code with root (or nobody)
Cole> privileges.
Christey> There is no associated DEBIAN reference here, as
Christey> DEBIAN:19990806 refers to an older remote-only buffer overflow
Christey> in the username, not GECOS. (BID:512 also discusses that
Christey> remote problem, though it may not be exploitable).
=================================
Candidate: CAN-1999-0712
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: CALDERA:CSSA-1999:009
Reference: XF:linux-coas
A vulnerability in Caldera Open Administration System (COAS) allows
the /etc/shadow password file to be made world-readable.
INFERRED ACTION: CAN-1999-0712 SMC_REVIEW (3 accept, 1 review)
Current Votes:
ACCEPT(2) Cole, Stracener
MODIFY(1) Blake
REVIEWING(1) Christey
Comments:
Blake> This obscurely-written advisory seems to state that COAS will make the
Blake> file world-readable, not that it allows the user to make it so. I hardly
Blake> think that allowing the user to turn off security is a vulnerability.
Christey> It's difficult to write the description based on what's in
Christey> the advisory. If COAS inadvertently changes permissions
Christey> without user confirmation, then it should be ACCEPTed with
Christey> appropriate modification to the description.
=================================
Candidate: CAN-1999-0742
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: DEBIAN:19990623
Reference: BID:480
The Debian mailman package uses weak authentication, which allows
attackers to gain privileges.
Modifications:
ADDREF BID:480
INFERRED ACTION: CAN-1999-0742 ACCEPT_ACK (2 accept, 2 ack, 0 review)
Current Votes:
ACCEPT(2) Blake, Stracener
NOOP(1) Cole
=================================
Candidate: CAN-1999-0743
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: XF:trn-symlinks
Reference: DEBIAN:19990823c
Reference: SUSE:19990824 Security hole in trn
Trn allows local users to overwrite other users' files via symlinks.
Modifications:
ADDREF SUSE:19990824 Security hole in trn
INFERRED ACTION: CAN-1999-0743 ACCEPT_ACK (2 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(1) Blake
MODIFY(1) Stracener
NOOP(1) Cole
Comments:
Stracener> Add Ref: SUSE: Security hole in trn 24.08.99
=================================
Candidate: CAN-1999-0748
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: REDHAT:RHSA-1999:017-01
Buffer overflows in Red Hat net-tools package.
INFERRED ACTION: CAN-1999-0748 REJECT (1 reject, 2 accept, 0 review)
Current Votes:
ACCEPT(2) Cole, Stracener
REJECT(1) Blake
Comments:
Blake> RHSA-1999:017-01 describes "potential security problem fixed"; in the
Blake> absence of knowing whether or not the problems actually existed, I don't
Blake> think we have an entry here.
=================================
Candidate: CAN-1999-0768
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BID:602
Reference: REDHAT:RHSA-1999:030-02
Reference: SUSE:19990829 Security hole in cron
Buffer overflow in Vixie Cron on Red Hat systems via the MAILTO
environmental variable.
INFERRED ACTION: CAN-1999-0768 ACCEPT (3 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(1) Blake
MODIFY(3) Cole, Christey, Stracener
Comments:
Cole> I would be a little clearer: By utilizing the MAILTO environment variable, a
Cole> buffer can be overflown in the cron_popen() function, allowing an attacker
Cole> to execute arbitrary code.
Christey> Although the descriptions don't reflect it, CAN-1999-0872 and
Christey> CAN-1999-0768 are different. One has to do with a buffer
Christey> overflow; the other deals with a user supplying their own
Christey> Sendmail config file. BID:602 and BID:611 show this.
Stracener> Add Ref: SUSE: Security hole in cron 29.08.1999:
=================================
Candidate: CAN-1999-0811
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: REDHAT:RHSA-1999:022-02
Reference: CALDERA:CSSA-1999:018.0
Reference: SUSE:19990816 Security hole in Samba
Reference: DEBIAN:19990731 Samba
Reference: XF:samba-message-bo
Reference: BID:536
Buffer overflow in Samba smbd program via a malformed message
command.
Modifications:
DESC add details
ADDREF CALDERA:CSSA-1999:018.0
ADDREF SUSE:19990816 Security hole in Samba
ADDREF DEBIAN:19990731 Samba
ADDREF XF:samba-message-bo
ADDREF BID:536
INFERRED ACTION: CAN-1999-0811 ACCEPT_ACK (2 accept, 5 ack, 0 review)
Current Votes:
ACCEPT(1) Blake
MODIFY(1) Stracener
NOOP(1) Cole
Comments:
Stracener> Add Ref: CALDERA: CSSA-1999:018.0
Stracener> Add Ref: DEBIAN: Samba [31-Jul-1999]
Stracener> Add Ref: SUSE: Security hole in Samba 16.08.1999
=================================
Candidate: CAN-1999-0872
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BID:759
Reference: BID:611
Reference: REDHAT:RHSA-1999:030-02
Buffer overflow in Vixie cron allows local users to gain root access
via a long MAILTO environment variable in a crontab file.
INFERRED ACTION: CAN-1999-0872 REJECT (2 reject, 1 accept, 0 review)
Current Votes:
MODIFY(2) Cole, Christey
REJECT(2) Blake, Stracener
Comments:
Cole> 611 is the mail to listed above but 759 is for the mail from and
Cole> should be listed as a separate vulnerability.
Blake> This does not appear materially different from CAN-1999-0768
Christey> Although the descriptions don't reflect it, CAN-1999-0872 and
Christey> CAN-1999-0768 are different. One has to do with a buffer
Christey> overflow; the other deals with a user supplying their own
Christey> Sendmail config file. BID:602 and BID:611 show this.
Stracener> This is a duplicate of candidate CAN-1999-0768.
--------------------- CLUSTER CERT2 ---------------------
CERT2 (26 candidates)
--------------------
Proposed: 12/8
Scheduled Proposed: 12/6
Scheduled Interim Decision: 12/20
Scheduled Final Decision: 12/24
Other CERT advisories not covered in the CERT cluster
Voters:
Frech MODIFY(3)
Ozancin ACCEPT(3)
Cole ACCEPT(3)
Armstrong ACCEPT(2) NOOP(1)
Prosser ACCEPT(2) RECAST(1)
Stracener ACCEPT(2) MODIFY(1)
<FINAL> --> 23
<INTERIM> --> 1
<PROPOSED> --> 2
MODIFY --> 2
RECAST --> 1
=================================
Candidate: CAN-1999-0696
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: CIAC:J-051
Reference: SUN:00188
Reference: CERT:CA-99-08
Reference: HP:00102
Reference: COMPAQ:SSRT0614U_RPC_CMSD
Buffer overflow in CDE Calendar Manager Service Daemon (rpc.cmsd).
INFERRED ACTION: CAN-1999-0696 RECAST (1 recast, 5 accept, 0 review)
Current Votes:
ACCEPT(3) Cole, Armstrong, Ozancin
MODIFY(2) Frech, Stracener
RECAST(1) Prosser
Comments:
Frech> XF:sun-cmsd-bo
Prosser> Correct me if I am wrong as I don't have the facilities to test this, but
Prosser> Sun originally reported this vulnerability in Sun Bulletin 0166, Mar 1998.
Prosser> The CVE Board accepted it as CVE-1999-0320. The 00188 Sun Bulletin in July
Prosser> 1999 is an exact dupe of the 98 bulletin with the exception of some
Prosser> additional patches for CDE on later versions of SunOS/Solaris. The CERT and
Prosser> other vendor alerts are additional information on this BO for other vendors'
Prosser> systems (why it took over a year?), but we already have a CVE number
Prosser> outstanding for this vulnerability. Are these separate vulnerabilities? Or
Prosser> the same one just found to affect more than originally thought? If so,
Prosser> recommend merging this CAN into the existing CVE, and just adjust the
Prosser> description in the existing CVE to reflect the additional vulnerable vendor
Prosser> systems.
Prosser> Additional reference: BID 486 and 524
Stracener> Redundant references to J-051.
=================================
Candidate: CAN-1999-0955
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: CERT:CA-94.08
Reference: CIAC:E-17
Reference: XF:ftp-exec
Race condition in wu-ftpd and BSDI ftpd allows remote attackers to gain
root access via the SITE EXEC command.
Modifications:
ADDREF XF:ftp-exec
INFERRED ACTION: CAN-1999-0955 ACCEPT (6 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(5) Cole, Armstrong, Ozancin, Prosser, Stracener
MODIFY(1) Frech
Comments:
Cole> There are actually two vulnerabilities listed in this CERT. I am assuming
Cole> that the other one is listed in a different CVE.
Frech> XF:ftp-exec
=================================
Candidate: CAN-1999-0959
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: AUSCERT:AA-97-05
Reference: SGI:19980301-01-PX
IRIX startmidi and stopmidi programs allow local users to modify
arbitrary files via a symlink attack.
CONTENT-DECISIONS: SF-EXEC, SF-LOC
INFERRED ACTION: CAN-1999-0959 ACCEPT (5 accept, 3 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(4) Cole, Ozancin, Prosser, Stracener
MODIFY(1) Frech
NOOP(1) Armstrong
Comments:
Frech> XF:irix-startmidi-file-creation
--------------------- CLUSTER MS ---------------------
MS (45 candidates)
--------------------
Proposed: 12/8
Scheduled Proposed: 12/6
Scheduled Interim Decision: 12/20
Scheduled Final Decision: 12/24
Some Microsoft Advisories in 1999
Voters:
Wall ACCEPT(11)
Frech MODIFY(11)
Ozancin ACCEPT(9) NOOP(2)
Christey NOOP(2) REVIEWING(2)
Cole ACCEPT(4) MODIFY(1) RECAST(1) REJECT(5)
Prosser ACCEPT(11)
Stracener ACCEPT(7) MODIFY(4)
<FINAL> --> 34
<INTERIM> --> 4
<PROPOSED> --> 7
MODIFY --> 3
RECAST --> 1
REJECT --> 5
REVIEWING --> 2
=================================
Candidate: CAN-1999-0668
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: BUGTRAQ:19990821 IE 5.0 allows executing programs
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: BID:598
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308
The scriptlet.typelib ActiveX control is marked as "safe for
scripting" for Internet Explorer, which allows a remote attacker to
execute arbitrary commands as demonstrated by Bubbleboy.
Modifications:
ADDREF XF:ms-scriptlet-eyedog-unsafe
ADDREF MSKB:Q240308
INFERRED ACTION: CAN-1999-0668 SMC_REVIEW (6 accept, 1 review)
Current Votes:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
REVIEWING(1) Christey
Comments:
Frech> XF:ms-scriptlet-eyedog-unsafe
Wall> Note: Was this not CVE 199-0376?
Stracener> Add Ref: MSKB Q240308
Christey> Should CAN-1999-0669 and 668 be merged? If not, then this is
Christey> a reason for not merging CAN-1999-0988 and CAN-1999-0828.
=================================
Candidate: CAN-1999-0669
Published:
Final-Decision:
Interim-Decision: 19991229
Modified: 19991227-01
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: MS:MS99-032
Reference: CIAC:J-064
Reference: XF:ms-scriptlet-eyedog-unsafe
Reference: MSKB:Q240308
The Eyedog ActiveX control is marked as "safe for scripting" for
Internet Explorer, which allows a remote attacker to execute arbitrary
commands as demonstrated by Bubbleboy.
Modifications:
XF:ms-scriptlet-eyedog-unsafe
MSKB:Q240308
INFERRED ACTION: CAN-1999-0669 SMC_REVIEW (6 accept, 1 review)
Current Votes:
ACCEPT(4) Cole, Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
REVIEWING(1) Christey
Comments:
Frech> XF:ms-scriptlet-eyedog-unsafe
Stracener> Add Ref: MSKB Q240308
Christey> Should CAN-1999-0669 and 668 be merged? If not, then this is
Christey> a reason for not merging CAN-1999-0988 and CAN-1999-0828.
=================================
Candidate: CAN-1999-0670
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991123
Category: SF
Reference: MS:MS99-032
Reference: CIAC:J-064
Buffer overflow in the Eyedog ActiveX control allows a remote attacker
to execute arbitrary commands.
INFERRED ACTION: CAN-1999-0670 REJECT (1 reject, 5 accept, 0 review)
Current Votes:
ACCEPT(3) Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
REJECT(1) Cole
Comments:
Frech> XF:ie-eyedog-bo
Cole> Based on the references and information listed this is the same as
Cole> CAN-1999-0669
Stracener> Add Ref: MSKB Q240308
=================================
Candidate: CAN-1999-0736
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: L0PHT:May7,1999
Reference: MS:MS99-013
Reference: MSKB:Q232449
Reference: MSKB:Q231368
The showcode.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.
CONTENT-DECISIONS: SF-LOC
INFERRED ACTION: CAN-1999-0736 ACCEPT (6 accept, 3 ack, 0 review) HAS_CDS
Current Votes:
ACCEPT(4) Wall, Prosser, Ozancin, Stracener
MODIFY(2) Frech, Cole
Comments:
Frech> XF:iis-samples-showcode
Cole> There are several sample files that allow this. I would quote
Cole> showcode.asp but make it more generic.
Prosser> (Modify)
Prosser> Have a question on this and on the following three candidates as well. All
Prosser> of these are part of the file viewer utilities that allow unauthorized
Prosser> file reading, but MSKB Q231368 also mentioned the diagnostics
Prosser> program, Winmsdp.exe, as another vulnerable viewer in this same set of
Prosser> viewers. If we are going to split out the separate viewer tools then
Prosser> shouldn't there be a separate CAN for Winmsdp.exe also?
=================================
Candidate: CAN-1999-0737
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-013
Reference: MSKB:Q231656
The viewcode.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.
CONTENT-DECISIONS: SF-LOC
INFERRED ACTION: CAN-1999-0737 REJECT (1 reject, 5 accept, 0 review) HAS_CDS
Current Votes:
ACCEPT(4) Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
REJECT(1) Cole
Comments:
Frech> XF:iis-samples-viewcode
Cole> I would combine this with the previous.
Prosser> (modify)
Prosser> See comments in 0736 above
=================================
Candidate: CAN-1999-0738
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-013
Reference: MSKB:Q232449
Reference: MSKB:Q231368
The code.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.
CONTENT-DECISIONS: SF-LOC
INFERRED ACTION: CAN-1999-0738 REJECT (1 reject, 5 accept, 0 review) HAS_CDS
Current Votes:
ACCEPT(4) Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
REJECT(1) Cole
Comments:
Frech> XF:iis-samples-code
Cole> Same as above
Prosser> (modify)
Prosser> See comments in 0736 above
=================================
Candidate: CAN-1999-0739
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991125
Category: SF
Reference: MS:MS99-013
Reference: MSKB:Q232449
Reference: MSKB:Q231368
The codebrws.asp sample file in IIS and Site Server allows remote
attackers to read arbitrary files.
CONTENT-DECISIONS: SF-LOC
INFERRED ACTION: CAN-1999-0739 REJECT (1 reject, 5 accept, 0 review) HAS_CDS
Current Votes:
ACCEPT(4) Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
REJECT(1) Cole
Comments:
Frech> XF:iis-samples-codebrws
Cole> Same as above.
Prosser> (modify)
Prosser> See comments in 0736 above
=================================
Candidate: CAN-1999-0874
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-019
Reference: MSKB:Q234905
Reference: EEYE:AD06081999
Reference: CERT:CA-99-07
Reference: CIAC:J-048
Buffer overflow in IIS via a malformed request for files with .HTR,
.IDC, or .STM extensions.
INFERRED ACTION: CAN-1999-0874 RECAST (1 recast, 5 accept, 0 review)
Current Votes:
ACCEPT(4) Wall, Prosser, Ozancin, Stracener
MODIFY(1) Frech
RECAST(1) Cole
Comments:
Frech> XF:iis-htr-overflow
Cole> This description is very general and covers about 5 different
Cole> exploits with IIS. The thing to remember is that with Microsoft
Cole> there are so many vulnerabilities that you must be very specific.
Cole> I would add the following:
Cole> Microsoft has released a patch that eliminates a vulnerability in
Cole> the Taskpads feature, which is provided as part of the Microsoft®
Cole> Windows® 98 Resource Kit, Windows 98 Resource Kit Sampler, and
Cole> BackOffice® Resource Kit, second edition. The vulnerability could
Cole> allow a malicious web site operator to run executables on the
Cole> computer of a visiting user. Only customers who have installed one
Cole> of the affected products and who surf the web using the machines
Cole> on which they are installed are at risk from this vulnerability.
=================================
Candidate: CAN-1999-0898
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: XF:nt-printer-spooler-bo
Reference: BID:768
Buffer overflows in Windows NT 4.0 print spooler allow remote
attackers to gain privileges or cause a denial of service via a
malformed spooler request.
Modifications:
ADDREF XF:nt-printer-spooler-bo
ADDREF BID:768
INFERRED ACTION: CAN-1999-0898 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Wall, Prosser, Stracener
MODIFY(1) Frech
NOOP(2) Ozancin, Christey
Comments:
Frech> XF:nt-printer-spooler-bo
Prosser> (Modify)
Prosser> This maybe should be separated into two entries. One for the DoS which is
Prosser> just done with random data and one for the more experienced attack of
Prosser> gaining privileges on the host.
Christey> While the advisory is not entirely explicit, the difference
Christey> between the DoS and the command execution is only in effect,
Christey> and appears to be in the same line of code, so the SF-LOC
Christey> content decision applies here.
=================================
Candidate: CAN-1999-0899
Published:
Final-Decision:
Interim-Decision: 20000111
Modified: 20000111-01
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-047
Reference: MSKB:Q243649
Reference: BID:769
Reference: XF:nt-printer-spooler-bo
The Windows NT 4.0 print spooler allows a local user to execute
arbitrary commands due to inappropriate permissions that allow the
user to specify an alternate print provider.
Modifications:
ADDREF XF:nt-printer-spooler-bo
ADDREF BID:769
INFERRED ACTION: CAN-1999-0899 ACCEPT (5 accept, 3 ack, 0 review)
Current Votes:
ACCEPT(4) Cole, Wall, Prosser, Stracener
MODIFY(1) Frech
NOOP(2) Ozancin, Christey
Comments:
Frech> XF:nt-printer-spooler-bo
Cole> [Originally rejected; vote changed to ACCEPT based on feedback]
Cole> This should be combined with the previous one to state it can cause
Cole> a denial of service or allow commands to be executed. Just because a
Cole> vulnerability can be exploited in different ways does not mean there
Cole> should be separate entries since the underlying exploit is the same.
Christey> This is different than CAN-1999-0898 because 898 is a buffer
Christey> overflow, while this one is incorrect permissions. They
Christey> are different bugs, so should have separate entries. Note
Christey> that MS99-047 also discriminates between these two candidates,
Christey> i.e. it contains the phrase "A second vulnerability exists..."
Christey> and goes on to describe CAN-1999-0899.
=================================
Candidate: CAN-1999-0910
Published:
Final-Decision:
Interim-Decision:
Modified:
Proposed: 19991208
Assigned: 19991208
Category: SF
Reference: MS:MS99-035
Reference: BID:625
Microsoft Site Server and Commercial Internet System (MCIS) do not set
an expiration for a cookie, which could then be cached by a proxy and
inadvertently used by a different user.
INFERRED ACTION: CAN-1999-0910 REJECT (1 reject, 5 accept, 0 review)
Current Votes:
ACCEPT(3) Wall, Prosser, Ozancin
MODIFY(2) Frech, Stracener
REJECT(1) Cole
Comments:
Frech> XF:siteserver-cis-cookie-cache
Cole> Whether cookies are a vulnerability is a debate for another time; the
Cole> question here is whether the expiration feature is a vulnerability,
Cole> and I do not think it is because the underlying concerns for this are
Cole> present even without this feature. The expiration feature does not add
Cole> any new vulnerabilities that are not already present with cookies.
Stracener> Add Ref: MSKB Q238647