The OVAL Repository 5.3 2008-04-10T09:00:10.653-04:00 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName function in Microsoft Hyperlink Object Library (hlink.dll) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hyperlink, as demonstrated using an Excel worksheet with a long link in Unicode, aka "Hyperlink COM Object Buffer Overflow Vulnerability." NOTE: this is a different issue than CVE-2006-3059. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 X Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. Jay Beale INTERIM INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 File and Print Sharing File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability. Tiffany Bergeron INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 COM Internet Services Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. Jay Beale INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unspecified vulnerability in HP-UX B.11.23 on Itanium platforms allows local users to cause a denial of service due to a "specific stack size." Robert L. Hollis DRAFT Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 MIT Kerberos 5 (krb5) Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability. Andrew Buttner Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors. Jay Beale INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). Jay Beale INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response. David Proulx Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSL The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 cachefsd Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. David Proulx Brian Soby Brian Soby INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows NT COM Internet Services Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Jet Database Engine Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query. Andrew Buttner INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows XP H.323 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer The file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Data Access Components 2.6 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 MDAC 2.5 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 ImageMagick The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer The zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Enhanced Metafile (EMF) Windows Metafile (WMF) Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer Christine Walzer DRAFT Microsoft Windows NT HTML Help Facility Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis Jonathan Baker ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT SNMP Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. Christine Walzer INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted BIFF record with an attacker-controlled array index that is used for a function pointer, aka "Malformed OBJECT record Vulnerability." Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. Tiffany Bergeron ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability." Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 H.323 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Xsun Unspecified vulnerability in the (1) Xsun and (2) Xprt commands in Solaris 7, 8, 9, and 10 allows local users to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mibiisa Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. David Proulx ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. Christine Walzer INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability." Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSL The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft ASN.1 Library Double free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code. David Proulx INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code under fewer security restrictions via a malformed web page that requires NetBIOS connectivity, aka "Zone Spoofing through Malformed Web Page" vulnerability. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability." Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs. Tiffany Bergeron INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. Harvey Rubinovitz ACCEPTED Microsoft Windows Server 2003 Local Security Authority Subsystem Service (LSASS) Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with malformed string that triggers memory corruption related to record lengths, aka "Microsoft Office Parsing Vulnerability," a different vulnerability than CVE-2006-2389. Robert L. Hollis INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple unspecified vulnerabilities in the KSSL kernel module in Sun Solaris 10, when configured with the KSSL proxy, allow remote attackers to cause a denial of service (kernel panic) via unspecified vectors related to "memory buffers" of Secure Socket Layer (SSL) records. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Unspecified vulnerability in the IP implementation in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (CPU consumption) via crafted IP packets, probably related to fragmented packets with duplicate or missing fragments. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Local Descriptor Table (LDT) The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. Jonathan Baker INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 NetWare The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 CDE CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky DEPRECATED DEPRECATED Microsoft Windows 2000 H.323 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Agent Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux3 Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Help and Support Center (HSC) Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe. Harvey Rubinovitz Harvey Rubinovitz INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the dynamic tracing framework (DTrace) on Sun Solaris 10 before 20070730 allows local users with PRIV_DTRACE_USER privileges to cause a denial of service (panic or hang) via unspecified use of certain DTrace programs. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSL OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 COM Internet Services Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability." Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Remote Procedure Call (RPC) A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests. Tiffany Bergeron INTERIM Ingrid Skoog ACCEPTED ACCEPTED Sun Solaris 8 libnsl Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. David Proulx Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Local Security Authority Subsystem Service (LSASS) Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Enhanced Metafile (EMF) Windows Metafile (WMF) Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows logon process (winlogon) Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows logon process (winlogon) Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Remote Procedure Call (RPC) A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. Christine Walzer DRAFT Microsoft Windows 2000 Remote Procedure Call (RPC) A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Secure Sockets Layer (SSL) The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. David Proulx INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Local Descriptor Table (LDT) The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Multiple UNC Provider (MUP) Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. Tiffany Bergeron ACCEPTED Microsoft Windows XP Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Secure Sockets Layer (SSL) The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Secure Sockets Layer (SSL) The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. David Proulx INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Local Security Authority Subsystem Service (LSASS) Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. Tiffany Bergeron INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Outlook Express The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." Andrew Buttner INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 httpd Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 libxml2 Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSL OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. Matt Busby Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSL The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Matt Busby Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Simple Network Management Protocol (SNMP) Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. Harvey Rubinovitz Jonathan Baker ACCEPTED Red Hat Enterprise Linux 3 Net-SNMP Net-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges. Matt Busby Matt Busby INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS server CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the TCP Loopback/Fusion implementation in Sun Solaris 10 allows local users to cause a denial of service (resource exhaustion and service hang) via unspecified vectors. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 KDE Personal Information Management (kdepim) Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. Jay Beale INTERIM Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Apache Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 httpd Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Sysstat The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 nfs-utils packages rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name. Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 lbxproxy Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. David Proulx ACCEPTED Red Hat Linux 9 Linux kernel Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 KDE Personal Information Management (kdepim) Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Tethereal The Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 CVS server CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 tcpdump The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. Jay Beale ACCEPTED Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 tcpdump The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 tcpdump tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 sysstat The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 gdk-pixbuf gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. Jay Beale INTERIM Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gdk-pixbuf gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. Jay Beale INTERIM Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 MSN Messenger Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files. Christine Walzer INTERIM Andrew Buttner ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Outlook Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows Media Services Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets. Tiffany Bergeron INTERIM John Hoyland INTERIM John Hoyland Jeff Cheng Jeff Cheng INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Unspecified vulnerability in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 and 2003 SP1, allows remote attackers to execute arbitrary code via unspecified vectors involving unhandled exceptions, memory resident applications, and incorrectly "unloading chained exception." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mod_python Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED Robert L. Hollis DEPRECATED DEPRECATED Red Hat Enterprise Linux 3 Mutt Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. Jay Beale ACCEPTED Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mremap The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Vicam USB driver The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in Low Bandwidth X proxy (lbxproxy) on Sun Solaris 8 through 10 before 20070725 allows local users to read arbitrary files with root group ownership via unknown vectors. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 XMLSoft Libxml2 Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED Robert L. Hollis DEPRECATED DEPRECATED Red Hat Enterprise Linux 3 XFree86 Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 XFree86 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. Jay Beale Matt Busby Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 XFree86 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. Jay Beale Matt Busby Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 MicrosoftSQL Server Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CVE-2001-0879. Yi-Fang Koh Ingrid Skoog INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 SUSE Linux 10.1 SUSE Linux 10.0 SUSE Linux Professional 9.3 SUSE Linux Desktop 1.0 SUSE Linux Enterprise Desktop 10 OpenOffice_org1 OpenOffice_org1-ar OpenOffice_org1-ca OpenOffice_org1-cs OpenOffice_org1-da OpenOffice_org1-de OpenOffice_org1-el OpenOffice_org1-en OpenOffice_org1-es OpenOffice_org1-et OpenOffice_org1-fi OpenOffice_org1-fr OpenOffice_org1-gnome OpenOffice_org1-hu OpenOffice_org1-it OpenOffice_org1-ja OpenOffice_org1-kde OpenOffice_org1-ko OpenOffice_org1-nl OpenOffice_org1-pl OpenOffice_org1-pt OpenOffice_org1-ru OpenOffice_org1-sk OpenOffice_org1-sl OpenOffice_org1-sv OpenOffice_org1-tr OpenOffice_org1-zh-CN OpenOffice_org1-zh-TW OpenOffice_org OpenOffice_org-af OpenOffice_org-be-BY OpenOffice_org-bg OpenOffice_org-ca OpenOffice_org-cs OpenOffice_org-cy OpenOffice_org-da OpenOffice_org-de OpenOffice_org-el OpenOffice_org-en OpenOffice_org-en-GB OpenOffice_org-es OpenOffice_org-et OpenOffice_org-fi OpenOffice_org-fr OpenOffice_org-galleries OpenOffice_org-gnome OpenOffice_org-gu-IN OpenOffice_org-hr OpenOffice_org-hu OpenOffice_org-hunspell OpenOffice_org-it OpenOffice_org-ja OpenOffice_org-kde OpenOffice_org-ko OpenOffice_org-mono OpenOffice_org-nb OpenOffice_org-nl OpenOffice_org-nn OpenOffice_org-officebean OpenOffice_org-pa-IN OpenOffice_org-pl OpenOffice_org-pt OpenOffice_org-pt-BR OpenOffice_org-ru OpenOffice_org-sk OpenOffice_org-sl OpenOffice_org-sv OpenOffice_org-tr OpenOffice_org-vi OpenOffice_org-xh OpenOffice_org-zh-CN OpenOffice_org-zh-TW OpenOffice_org-zu Multiple integer overflows in OpenOffice.org (OOo) 2.0.4 and earlier, and possibly other versions before 2.1.0; and StarOffice 6 through 8; allow user-assisted remote attackers to execute arbitrary code via a crafted (a) WMF or (b) EMF file that triggers heap-based buffer overflows in (1) wmf/winwmf.cxx, during processing of META_ESCAPE records; and wmf/enhwmf.cxx, during processing of (2) EMR_POLYPOLYGON and (3) EMR_POLYPOLYGON16 records. Thomas R. Jones DRAFT Jonathan Baker INTERIM ACCEPTED ACCEPTED cpe://novell:linux_desktop:9 cpe://novell:suse_linux:10.1 cpe://novell:suse_linux:10.0 cpe://novell:suse_linux:9.3:pro cpe://novell:suse_linux:1.0:desktop cpe://novell:suse_linux_enterprise:10:desktop cpe:///novell:OpenOffice_org1 cpe:///novell:OpenOffice_org1-ar cpe:///novell:OpenOffice_org1-ca cpe:///novell:OpenOffice_org1-cs cpe:///novell:OpenOffice_org1-da cpe:///novell:OpenOffice_org1-de cpe:///novell:OpenOffice_org1-el cpe:///novell:OpenOffice_org1-en cpe:///novell:OpenOffice_org1-es cpe:///novell:OpenOffice_org1-et cpe:///novell:OpenOffice_org1-fi cpe:///novell:OpenOffice_org1-fr cpe:///novell:OpenOffice_org1-gnome cpe:///novell:OpenOffice_org1-hu cpe:///novell:OpenOffice_org1-it cpe:///novell:OpenOffice_org1-ja cpe:///novell:OpenOffice_org1-kde cpe:///novell:OpenOffice_org1-ko cpe:///novell:OpenOffice_org1-nl cpe:///novell:OpenOffice_org1-pl cpe:///novell:OpenOffice_org1-pt cpe:///novell:OpenOffice_org1-ru cpe:///novell:OpenOffice_org1-sk cpe:///novell:OpenOffice_org1-sl cpe:///novell:OpenOffice_org1-sv cpe:///novell:OpenOffice_org1-tr cpe:///novell:OpenOffice_org1-zh-CN cpe:///novell:OpenOffice_org1-zh-TW cpe:///novell:OpenOffice_org cpe:///novell:OpenOffice_org-af cpe:///novell:OpenOffice_org-be-BY cpe:///novell:OpenOffice_org-bg cpe:///novell:OpenOffice_org-ca cpe:///novell:OpenOffice_org-cs cpe:///novell:OpenOffice_org-cy cpe:///novell:OpenOffice_org-da cpe:///novell:OpenOffice_org-de cpe:///novell:OpenOffice_org-el cpe:///novell:OpenOffice_org-en cpe:///novell:OpenOffice_org-en-GB cpe:///novell:OpenOffice_org-es cpe:///novell:OpenOffice_org-et cpe:///novell:OpenOffice_org-fi cpe:///novell:OpenOffice_org-fr cpe:///novell:OpenOffice_org-galleries cpe:///novell:OpenOffice_org-gnome cpe:///novell:OpenOffice_org-gu-IN cpe:///novell:OpenOffice_org-hr cpe:///novell:OpenOffice_org-hu cpe:///novell:OpenOffice_org-hunspell cpe:///novell:OpenOffice_org-it cpe:///novell:OpenOffice_org-ja cpe:///novell:OpenOffice_org-kde cpe:///novell:OpenOffice_org-ko cpe:///novell:OpenOffice_org-mono cpe:///novell:OpenOffice_org-nb cpe:///novell:OpenOffice_org-nl cpe:///novell:OpenOffice_org-nn cpe:///novell:OpenOffice_org-officebean cpe:///novell:OpenOffice_org-pa-IN cpe:///novell:OpenOffice_org-pl cpe:///novell:OpenOffice_org-pt cpe:///novell:OpenOffice_org-pt-BR cpe:///novell:OpenOffice_org-ru cpe:///novell:OpenOffice_org-sk cpe:///novell:OpenOffice_org-sl cpe:///novell:OpenOffice_org-sv cpe:///novell:OpenOffice_org-tr cpe:///novell:OpenOffice_org-vi cpe:///novell:OpenOffice_org-xh cpe:///novell:OpenOffice_org-zh-CN cpe:///novell:OpenOffice_org-zh-TW cpe:///novell:OpenOffice_org-zu Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-kde is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-nl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-sl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-ja is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-ru is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-sv is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-zh-TW is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-it is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-ko is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-zh-TW is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-da is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-galleries is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-zh-CN is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-ja is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-af is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-en is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-ca is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-gnome is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-pt is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-sk is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux 10.0 Package OpenOffice_org-hunspell is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-ca is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-pt-BR is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-pa-IN is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-sv is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-en-GB is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-fi is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-nb is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-el is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-pl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-ar is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-kde is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-sl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-cs is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-hr is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-tr is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-es is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-it is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-de is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-et is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-et is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-fr is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-pt is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-ar is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-el is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-nl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-zh-CN is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-es is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.1 Package OpenOffice_org-officebean is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-de is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-pl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-nn is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-xh is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-fi is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-be-BY is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-bg is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-ru is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-hu is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-cs is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-ko is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-gnome is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-gu-IN is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-cy is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-tr is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-da is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-vi is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 Red Hat Linux 9 mod_python Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Race condition in recursive directory deletion with the (1) -r or (2) -R option in rm in Solaris 8 through 10 before 20070208 allows local users to delete files and directories as the user running rm by moving a low-level directory to a higher level as it is being deleted, which causes rm to chdir to a ".." directory that is higher than expected, possibly up to the root file system, a related issue to CVE-2002-0435. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Samba 3.0.0 and 3.0.1 The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-zu is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1 is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Red Hat Enterprise Linux 3 PWLib Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mremap The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-sk is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Red Hat Linux 9 KDE Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-hu is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-mono is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Red Hat Linux 9 Midnight Commander Stack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-fr is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Red Hat Linux 9 slocate Heap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Gaim Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft SQL Server 2000 Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs. Tiffany Bergeron Jonathan Baker INTERIM Ingrid Skoog ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Gaim Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Gaim Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Operating System COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Mailman Cross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Mailman Cross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Outlook Express Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. Robert L. Hollis DRAFT INTERIM ACCEPTED John Hoyland Anna Min INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Mutt Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 netpbm netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. Tiffany Bergeron ACCEPTED Red Hat Linux 9 XFree86 Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Internet Explorer Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 XFree86 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 XFree86 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 netpbm netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 PWLib Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Windows Internet Naming Service (WINS) The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows Internet Naming Service (WINS) The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows Internet Naming Service (WINS) The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Andrew Buttner INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Sun Solaris 7 CDE CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Unspecified vulnerability in the Server service in Microsoft Windows 2000 SP4, Server 2003 SP1 and earlier, and XP SP2 and earlier allows remote attackers to execute arbitrary code via a crafted packet, aka "SMB Rename Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft ASN.1 Library Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E in attacks against PowerPoint. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft ASN.1 Library Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft ASN.1 Library Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Windows Script Engine for JScript v5.5 Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. Tiffany Bergeron David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Anna Min INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Windows Script Engine for JScript v5.1 Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. Tiffany Bergeron David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Anna Min INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with an International Domain Name (IDN) using double-byte character sets (DBCS), aka the "Double Byte Character Parsing Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 8 rpc.rwalld Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Jason Spashett INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B.11.23, when run with certain options that involve a new home directory, might cause usermod to change the ownership of all directories and files under the new directory, which might result in less secure permissions than intended. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Services for UNIX The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. Jonathan Baker DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Anna Min INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Word 2003 Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. Tiffany Bergeron Tiffany Bergeron ACCEPTED INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Windows kernel Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Local Security Authority Subsystem Service (LSASS) LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program. Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Client Server Runtime System (CSRSS) Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value. Ingrid Skoog DRAFT INTERIM Christine Walzer Andrew Buttner ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Data Access Compnents 2.8 Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. Christine Walzer INTERIM ACCEPTED Jeff Cheng INTERIM Jeff Cheng ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B.11.23, when run with certain options that involve a new home directory, might cause usermod to change the ownership of all directories and files under the new directory, which might result in less secure permissions than intended. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Nabil Ouchn ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Anna Min INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. David Proulx ACCEPTED Microsoft Windows Server 2003 Microsoft Color Management Module Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, and Office v.X for Mac does not properly handle certain opcodes, which allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file, which results in an "Improper Memory Access Vulnerability." NOTE: an early disclosure of this issue used CVE-2006-3432, but only CVE-2007-0028 should be used. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 10 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 remshd Unknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 gzip Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft SharePoint Team Services Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Glenn Strickland INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. Harvey Rubinovitz DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Microsoft Internet Explorer 6 allows remote attackers to execute arbitrary code by using JavaScript to cause certain errors simultaneously, which results in the access of previously freed memory, aka "Script Error Handling Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM Matthew Wojcik ACCEPTED ACCEPTED HP-UX 11 Apache The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows 2000 smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit. Tiffany Bergeron ACCEPTED Red Hat Enterprise Linux 4 mozilla A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Sun Solaris 9 Access Manager Unspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a BIFF8 spreadsheet with a PALETTE record that contains a large number of entries. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted LABEL record that triggers memory corruption. Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Data Access Compnents 2.7 Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. Christine Walzer INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Unknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM John Hoyland ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 bzip2 bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb"). Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer 7 The patch IE7-KB928090-WindowsServer2003-x64-enu.exe that addresses the vulnerabilities discussed in Microsoft Security Bulletin MS07-016 should be installed. Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Buffer overflow in the Winsock API in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka "Winsock Hostname Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word Unspecified vulnerability in Microsoft Word 2000, 2002, and 2003 and Word Viewer 2003 allows remote attackers to execute code via unspecified vectors related to malformed data structures that trigger memory corruption, a different vulnerability than CVE-2006-5994. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED ACCEPTED Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Andrew Simmons INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Gaim Gaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft FrontPage Server Extensions 2000 Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. Tiffany Bergeron Andrew Buttner INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Anna Min INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Unspecified vulnerability in Microsoft Office XP and 2003 allows remote user-assisted attackers to execute arbitrary code via a malformed Smart Tag. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 7 dtspcd Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Cross-domain vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object, aka "Redirect Cross-Domain Information Disclosure Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Kerberos Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Multiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Perl Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 8 Sun Solaris 7 Operating System Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Buffer overflow in the DNS Client service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted record response. NOTE: while MS06-041 implies that there is a single issue, there are multiple vectors, and likely multiple vulnerabilities, related to (1) a heap-based buffer overflow in a DNS server response to the client, (2) a DNS server response with malformed ATMA records, and (3) a length miscalculation in TXT, HINFO, X25, and ISDN records. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Web Client Service Buffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters. Matthew Burton DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." Tiffany Bergeron ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Microsoft Internet Explorer 5.01 and 6 does not properly handle uninitialized COM objects, which allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code, as demonstrated by the Nth function in the DirectAnimation.DATuple ActiveX control, aka "COM Object Instantiation Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer 7 The patch IE7-KB928090-WindowsServer2003-x64-enu.exe that addresses the vulnerabilities discussed in Microsoft Security Bulletin MS07-016 should be installed. Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gftp Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. Jay Beale DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Operating System Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. Robert L. Hollis DRAFT INTERIM ACCEPTED Anna Min INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Hyperlink Object Library The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow. Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows Animated Cursor The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. Christine Walzer DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 ImageMagick Heap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability." Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft SQL Server 2000 An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account. Yi-Fang Koh ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Flash Player Unspecified vulnerability in Adobe (Macromedia) Flash Player 8.0.24.0 allows remote attackers to execute arbitrary commands via a malformed .swf file that results in "multiple improper memory access" errors. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows Internet Naming Service (WINS) The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Andrew Buttner INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Operating System Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Windows Server 2003 Operating System Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac does not correctly check the properties of certain documents and warn the user of macro content, which allows user-assisted remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 dtspcd Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Sun Solaris 8 kcms_configure kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. David Proulx ACCEPTED Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2002 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Matthew Wojcik INTERIM John Hoyland ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Visual Basic Buffer overflow in Microsoft Visual Basic for Applications (VBA) SDK 6.0 through 6.4, as used by Microsoft Office 2000 SP3, Office XP SP3, Project 2000 SR1, Project 2002 SP1, Access 2000 Runtime SP3, Visio 2002 SP2, and Works Suite 2004 through 2006, allows user-assisted attackers to execute arbitrary code via unspecified document properties that are not verified when VBA is invoked to open documents. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading." Harvey Rubinovitz ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 TIP Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. Christine Walzer DRAFT INTERIM Jonathan Baker Ingrid Skoog ACCEPTED Robert L. Hollis DEPRECATED DEPRECATED Microsoft Windows XP Microsoft Internet Explorer 7 The patch IE7-KB929969-WindowsXP-x86-enu.exe that addresses the vulnerabilities discussed in Microsoft Security Bulletin MS07-004 should be installed. Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Agent Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows NT NetDDE Agent NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation." Ingrid Skoog DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Admintool Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer 7 The patch IE7-KB929969-WindowsServer2003-ia64-enu.exe that addresses the vulnerabilities discussed in Microsoft Security Bulletin MS07-004 should be installed. Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 NetDDE Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. Jonathan Baker DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via an IGMP packet with an invalid IP option, aka the "IGMP v3 DoS Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly read sensitive data via unknown attack vectors that trigger an out-of-bounds read. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 postgresql PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability." Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 97 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Matthew Wojcik INTERIM Microsoft Windows 2000 Operating System Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, probably a buffer overflow, allows local users to obtain privileges via unspecified vectors involving an "unchecked buffer." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Windows Server 2003 Operating System The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Robert L. Hollis ACCEPTED ACCEPTED Sun Solaris 8 Admintool Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Windows Media Player Heap-based buffer overflow in the WMCheckURLScheme function in WMVCORE.DLL in Microsoft Windows Media Player (WMP) 10.00.00.4036 on Windows XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via a long HREF attribute, using an unrecognized protocol, in a REF element in an ASX PlayList file. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2002 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 ypserv ypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 xpdf Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message. David Proulx Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 xinetd Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections. Jay Beale INTERIM Jay Beale Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft ASN.1 Library Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. Andrew Buttner INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Sun Solaris 7 kcms_configure kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. David Proulx ACCEPTED HP-UX 11 ftpd wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mikmod Buffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT MDAC 2.8 The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability." Ingrid Skoog DRAFT INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED HP-UX 11 Samba Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows 2000 In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain. Tiffany Bergeron Tiffany Bergeron ACCEPTED INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Compressed Folders Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation. David Proulx DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain "01 00 00 00" byte sequence with an "FF FF FF FF" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.txt. NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode "Sheet Name" string. Robert L. Hollis INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Management Console Cross-site scripting (XSS) vulnerability in Internet Explorer 5.01 and 6 in Microsoft Windows 2000 SP4 permits access to local "HTML-embedded resource files" in the Microsoft Management Console (MMC) library, which allows remote authenticated users to execute arbitrary commands, aka "MMC Redirect Cross-Site Scripting Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2000 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. Christine Walzer ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis INTERIM John Hoyland ACCEPTED ACCEPTED Red Hat Linux 9 vsftpd vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Unspecified vulnerability in mso.dll in Microsoft Office 2000, XP, and 2003, and Microsoft PowerPoint 2000, XP, and 2003, allows remote user-assisted attackers to execute arbitrary code via a malformed record in a (1) .DOC, (2) .PPT, or (3) .XLS file that triggers memory corruption, related to an "array boundary condition" (possibly an array index overflow), a different vulnerability than CVE-2006-3434, CVE-2006-3650, and CVE-2006-3868. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 up2date up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Remote Access Service (RAS) Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. Tiffany Bergeron ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Glenn Strickland Jonathan Baker Jonathan Baker INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. Robert L. Hollis DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 sysreport sysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM Matthew Wojcik ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED Sun Solaris 7 mibiisa Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. David Proulx ACCEPTED Red Hat Linux 9 unzip Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 swagentd Unspecified vulnerability in swagentd in HP-UX B.11.00, B.11.04, and B.11.11 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 SquirrelMail Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED HP-UX 10 AutoRAID Manager Possible unknown vulnerability or vulnerabilities in HP DiskArray Utilities with AutoRAID Manager. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Remote Access Service (RAS) Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. Tiffany Bergeron Jonathan Baker ACCEPTED Microsoft Windows Server 2003 Operating System The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Operating System Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft FrontPage Server Extensions 2000 Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Services for UNIX The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. Jonathan Baker DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating Ssytem Heap-based buffer overflow in the Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to execute arbitrary code via crafted first-class Mailslot messages that triggers memory corruption and bypasses size restrictions on second-class Mailslot messages. Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Admintool Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path. David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 CUPS CUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED HP-UX 11 remshd Unspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 allows local users to gain privileges via unknown vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP MSN Messenger Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis ACCEPTED Jonathan Baker INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Network News Transport Protocol (NNTP) The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. Christine Walzer DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Licence Logging Service Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Publisher Stack-based buffer overflow in Microsoft Publisher 2000 through 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted PUB file, which causes an overflow when parsing fonts. Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Remote Procedure Call (RPC) The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference. Tiffany Bergeron Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Windows Shell The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. Harvey Rubinovitz DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 98 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM INTERIM Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 97 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Ingrid Skoog Dragos Prisaca INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Virtual Machine (VM) Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error. Tiffany Bergeron INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message. Tiffany Bergeron ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word Unspecified vulnerability in Microsoft Word 2000, 2002, and Office 2003 allows remote user-assisted attackers to execute arbitrary code via unspecified vectors involving a crafted file resulting in a malformed stack, as exploited by malware with names including Trojan.Mdropper.Q, Mofei, and Femo. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Microsoft Internet Explorer 5.01 and 6 does not properly identify the originating domain zone when handling redirects, which allows remote attackers to read cross-domain web pages and possibly execute code via unspecified vectors involving a crafted web page, aka "Source Element Cross-Domain Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows Workstation Service Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. Tiffany Bergeron ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Windows Shell The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. Harvey Rubinovitz DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, Excel Viewer 2003, and Microsoft Works Suite 2004 through 2006 allows user-assisted attackers to execute arbitrary code via a crafted DATETIME record in an XLS file, a different vulnerability than CVE-2006-3867 and CVE-2006-3875. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality." David Proulx Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 semi MIME library The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Unspecified vulnerability in PowerPoint in Microsoft Office 2000, Office 2002, Office 2003, Office 2004 for Mac, and Office v.X for Mac allows user-assisted attackers to execute arbitrary code via an unspecified "crafted file," a different vulnerability than CVE-2006-3435, CVE-2006-4694, and CVE-2006-3876. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Samba, Samba-TNG Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Samba Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Windows Server 2003 Operating System The Client-Server Run-time Subsystem in Microsoft Windows XP SP2 and Server 2003 allows local users to gain privileges via a crafted file manifest within an application, aka "File Manifest Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 rpc.yppasswdd Buffer overflow in rpc.yppasswdd (yppasswd server) in Solaris 2.6, 7 and 8 allows remote attackers to gain root access via a long username. David Proulx ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted SELECTION record that triggers memory corruption, a different vulnerability than CVE-2006-1302. Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Xsun Buffer overflow in Xsun in Solaris 8 and earlier allows local users to execute arbitrary commands via a long HOME environmental variable. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Excel Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, and Office 2004 for Mac allows user-assisted remote attackers to execute arbitrary code via crafted macros, aka "Macro Validation Vulnerability," a different vulnerability than CVE-2007-3490. Sudhir Gandhe DRAFT Sudhir Gandhe Sudhir Gandhe INTERIM INTERIM Sun Solaris 10 The (1) Simplified Chinese, (2) Traditional Chinese, (3) Korean, and (4) Thai language input methods in Sun Solaris 10 create files and directories with weak permissions under (a) .iiim/le and (b) .Xlocale in home directories, which might allow local users to write to, or read from, the home directories of other users. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gzip is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory Red Hat Linux 9 Samba The code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.1 openSUSE Factory Package gwenhywfar is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 openSUSE Factory Package guile-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Server 10 openSUSE Factory Package gtkspell-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gucharmap-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED SUSE Linux 10.0 openSUSE Factory Package gtkutils-data is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:opensuse:factory Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Data Access Compnents 2.6 Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. Christine Walzer INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gtk-sharp-complete is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory Microsoft Windows ME Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 smbd Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Excel Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2007, Viewer 2003, Compatibility Pack, and Office for Mac 2004 allows user-assisted remote attackers to execute arbitrary code via malformed formulas, aka "Excel Formula Parsing Vulnerability." Sudhir Gandhe Sudhir Gandhe Sudhir Gandhe INTERIM INTERIM Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the Internet Protocol (IP) implementation in Sun Solaris 8, 9, and 10 allows remote attackers tobypass intended firewall policies or cause a denial of service (panic) via unknown vectors, possibly related to ICMP packets and IP fragment reassembly. Pai Peng DRAFT INTERIM INTERIM Microsoft Windows 2000 MSDTC The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer. Robert L. Hollis DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 SMTP The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated. Christine Walzer DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Excel Unspecified vulnerability in Microsoft Excel 2000 SP3 and 2002 SP2, and Office 2004 and 2008 for Mac, allows user-assisted remote attackers to execute arbitrary code via crafted conditional formatting values, aka "Excel Conditional Formatting Vulnerability." Sudhir Gandhe DRAFT Sudhir Gandhe Sudhir Gandhe INTERIM INTERIM Sun Solaris 9 Sun Solaris 10 libicu in International Components for Unicode (ICU) 3.8.1 and earlier attempts to process backreferences to the nonexistent capture group zero (aka \0), which might allow context-dependent attackers to read from, or write to, out-of-bounds memory locations, related to corruption of REStackFrames. Pai Peng DRAFT INTERIM INTERIM SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gwc-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gtkspell is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtksourceview-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package guile-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gtksourceview-sharp2 is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Internet Explorer Unspecified vulnerability in Microsoft Internet Explorer 5.01, 6 SP1 and SP2, and 7 allows remote attackers to execute arbitrary code via crafted HTML layout combinations, aka "HTML Rendering Memory Corruption Vulnerability." Sudhir Gandhe DRAFT Robert L. Hollis Sudhir Gandhe ACCEPTED ACCEPTED Sun Solaris 8 Unspecified vulnerability in Sun Solaris 8 directory functions allows local users to cause a denial of service (panic) via an unspecified sequence of system calls or commands. Pai Peng DRAFT INTERIM INTERIM openSUSE 10.2 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gtk-sharp2-complete is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Internet Explorer Stack-based buffer overflow in certain ActiveX controls in (1) FPOLE.OCX 6.0.8450.0 and (2) Foxtlib.ocx, as used in the Microsoft Visual FoxPro 6.0 fpole 1.0 Type Library; and Internet Explorer 5.01, 6 SP1 and SP2, and 7; allows remote attackers to execute arbitrary code via a long first argument to the FoxDoCmd function. Sudhir Gandhe DRAFT Robert L. Hollis Sudhir Gandhe ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED SUSE Linux 10.1 openSUSE Factory Package gwenhywfar-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Sun Solaris 10 Multiple race conditions in the CPU Performance Counters (cpc) subsystem in the kernel in Sun Solaris 10 allow local users to cause a denial of service (panic) via unspecified vectors related to kcpc_unbind and kcpc_restore. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in the USB Mouse STREAMS module (usbms) in Sun Solaris 9 and 10, when 64-bit mode is enabled, allows local users to cause a denial of service (panic) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gwenview is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtkpbbuttons is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 openSUSE Factory Package g-wrap is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:opensuse:factory openSUSE Factory Package gwenview-lang is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Excel Unspecified vulnerability in Microsoft Excel 2000 SP3 through 2003 SP2, Viewer 2003, and Office for Mac 2004 allows user-assisted remote attackers to execute arbitrary code via crafted Style records that trigger memory corruption. Sudhir Gandhe Sudhir Gandhe Sudhir Gandhe INTERIM INTERIM Sun Solaris 10 Unspecified vulnerability in the dynamic tracing framework (DTrace) in Sun Solaris 10 allows local users with PRIV_DTRACE_USER or PRIV_DTRACE_PROC privileges to obtain sensitive kernel information via unspecified vectors, a different vulnerability than CVE-2007-4126. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Buffer overflow in Microsoft Excel 2000 through 2003 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted COLINFO record, which triggers the overflow during a "data filling operation." Robert L. Hollis INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gtksourceview is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gwget-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Red Hat Linux 9 Postfix The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gtksourceview-sharp is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gzip-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Sun Solaris 9 Sun Solaris 10 Heap-based buffer overflow in the doInterval function in regexcmp.cpp in libicu in International Components for Unicode (ICU) 3.8.1 and earlier allows context-dependent attackers to cause a denial of service (memory consumption) and possibly have unspecified other impact via a regular expression that writes a large amount of data to the backtracking stack. NOTE: some of these details are obtained from third party information. Pai Peng DRAFT INTERIM INTERIM Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.1 openSUSE Factory Package gtk2-devel-64bit is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk-32bit is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk2-engines-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Microsoft Excel Viewer Unspecified vulnerability in Microsoft Office Excel Viewer 2003 up to SP3 allows user-assisted remote attackers to execute arbitrary code via an Excel document with malformed cell comments that trigger memory corruption from an "allocation error," aka "Microsoft Office Cell Parsing Memory Corruption Vulnerability." Sudhir Gandhe DRAFT Sudhir Gandhe INTERIM INTERIM Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Server 10 openSUSE Factory Package gvim is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6.0 does not properly check certain parameters of a PNG file when opening it, which allows remote attackers to cause a denial of service (crash) by triggering a heap-based buffer overflow using invalid length codes during decompression, aka "Malformed PNG Image File Failure." Harvey Rubinovitz ACCEPTED ACCEPTED openSUSE 10.2 openSUSE Factory Package gtkglext-doc is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gstreamer-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk-sharp2-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 openSUSE Factory Package gtkglext is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gtkhtml2 is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtkhtml-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 openSUSE Factory Package gtkglext-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Unspecified vulnerability in Local Security Authority Subsystem Service (LSASS) in Microsoft Windows 2000 SP4, XP SP2, and Server 2003 SP1 and SP2 allows local users to gain privileges via a crafted local procedure call (LPC) request. Sudhir Gandhe INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office 2000 Microsoft Office 2002 Microsoft Office XP Unspecified vulnerability in Microsoft Office 2000 SP3, Office XP SP3, Office 2003 SP2, and Office 2004 for Mac allows remote attackers to execute arbitrary code via an Office document that contains a malformed object, related to a "memory handling error," aka "Microsoft Office Execution Jump Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gstreamer-plugins is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gtksourceview-doc is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory openSUSE Factory Package gxdview-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:factory Sun Solaris 10 Unspecified vulnerability in the dotoprocs function in Sun Solaris 10 allows local users to cause a denial of service (panic) via unspecified vectors. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Interactive Training The OLE Dialog component in Microsoft Windows 2000 SP4, XP SP2, and 2003 SP1 allows user-assisted remote attackers to execute arbitrary code via an RTF file with a malformed OLE object that triggers memory corruption. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Format string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk1-compat-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gtk-sharp-gapi is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Internet Explorer Use-after-free vulnerability in Microsoft Internet Explorer 6 SP1, 6 SP2, and and 7 allows remote attackers to execute arbitrary code by assigning malformed values to certain properties, as demonstrated using the by property of an animateMotion SVG element, aka "Property Memory Corruption Vulnerability." Sudhir Gandhe DRAFT Robert L. Hollis Sudhir Gandhe ACCEPTED ACCEPTED openSUSE 10.2 openSUSE Factory Package gutenprint-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gtk2-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 X.Org Xserver before 1.4.1 allows local users to determine the existence of arbitrary files via a filename argument in the -sp option to the X program, which produces different error messages depending on whether the filename exists. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED openSUSE 10.2 openSUSE Factory Package gtkcard is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gwc is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista IIS Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows local users to gain privileges via unknown vectors related to file change notifications in the TPRoot, NNTPFile\Root, or WWWRoot folders. Jeff Ito DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Visual Basic 6.0 Heap-based buffer overflow in Object Linking and Embedding (OLE) Automation in Microsoft Windows 2000 SP4, XP SP2, Server 2003 SP1 and SP2, Vista, Office 2004 for Mac, and Visual basic 6.0 SP6 allows remote attackers to execute arbitrary code via a crafted script request. Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk-xfce-engine-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gtkhtml is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gstreamer-doc is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gstreamer010-plugins-good is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Heap-based buffer overflow in the WebDAV Mini-Redirector in Microsoft Windows XP SP2, Server 2003 SP1 and SP2, and Vista allows remote attackers to execute arbitrary code via a crafted WebDAV response. Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Flash Player Microsoft Excel allows user-assisted attackers to execute arbitrary javascript and redirect users to arbitrary sites via an Excel spreadsheet with an embedded Shockwave Flash Player ActiveX Object, which is automatically executed when the user opens the spreadsheet. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk2-engines-32bit is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtktalog-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows Vista The application Microsoft IIS 7.0 is installed. Jeff Ito DRAFT INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gurlchecker is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 openSUSE Factory Package gtkpod is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk1-compat is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Server 10 openSUSE Factory Package gup is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtkzip-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Unspecified vulnerability in the kernel in Microsoft Windows XP SP2, Server 2003, and Vista allows remote attackers to cause a denial of service (CPU consumption) and possibly execute arbitrary code via crafted (1) IGMPv3 and (2) MLDv2 packets that trigger memory corruption, aka "Windows Kernel TCP/IP/IGMPv3 and MLDv2 Vulnerability." Sudhir Gandhe INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Unspecified vulnerability in Microsoft Excel 2000 through 2004 allows remote user-assisted attackers to execute arbitrary code via unspecified vectors. NOTE: this is a different vulnerability than CVE-2006-3086. Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 10 inetd on Sun Solaris 10, when debug logging is enabled, allows local users to write to arbitrary files via a symlink attack on the /var/tmp/inetd.log temporary file. Pai Peng DRAFT DRAFT openSUSE Factory Package gtk-doc is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gucharmap-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gstreamer-plugins-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtkhtml-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Windows Media Player Buffer overflow in the Windows Media Format Runtime in Microsoft Windows Media Player (WMP) 6.4 and Windows XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted Advanced Systems Format (ASF) file. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gstreamer010-plugins-good-extra is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gstreamer010-plugins-base-visual is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.1 openSUSE Factory Package gstreamer010-plugins-ugly-doc is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk2-32bit is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gstreamer-plugins-64bit is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Indexing Service Cross-site scripting (XSS) vulnerability in the Indexing Service in Microsoft Windows 2000, XP, and Server 2003, when the Encoding option is set to Auto Select, allows remote attackers to inject arbitrary web script or HTML via a UTF-7 encoded URL, which is injected into an error message whose charset is set to UTF-7. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtkam-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gstreamer010 is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Server 10 openSUSE Factory Package gtkglarea is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.1 openSUSE Factory Package gwenhywfar-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtetrinet-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED SUSE Linux 10.1 openSUSE Factory Package gstreamer010-plugins-base-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gstreamer010-doc is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory Sun Solaris 10 Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtktalog is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.1 openSUSE Factory Package gstreamer010-plugins-base-32bit is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 openSUSE Factory Package gsynaptics is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gthumb-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gstreamer-plugins-extra is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office 2000 Microsoft Office 2002 Microsoft Visual Studio .NET 2002 Microsoft Visual Studio .NET 2003 Unspecified vulnerability in certain COM objects in Microsoft Office Web Components 2000 allows user-assisted remote attackers to execute arbitrary code via vectors related to DataSource that trigger memory corruption, aka "Office Web Components DataSource Vulnerability." Sudhir Gandhe DRAFT Sudhir Gandhe Sudhir Gandhe INTERIM INTERIM SUSE Linux 10.1 openSUSE Factory Package gtkpbbuttons-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk-xfce-engine is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtkmm24-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtkiterm is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk-qt-engine-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gstreamer010-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gurlchecker-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gstreamer-64bit is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office 2003 wkcvqd01.dll in Microsoft Works 6 File Converter, as used in Office 2003 SP2, Works 8.0, and Works Suite 2005, allows remote attackers to execute arbitrary code via a .wps file with crafted section length headers, aka "Microsoft Works File Converter Input Validation Vulnerability." Jeff Ito DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Windows Server 2003 IIS Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.1 through 6.0 allows remote attackers to execute arbitrary code via crafted inputs to ASP pages. Jeff Ito DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Windows Shell Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba. Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gthumb is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Publisher 2000 Microsoft Publisher 2002 Microsoft Publisher 2003 Unspecified vulnerability in Microsoft Office Publisher 2000, 2002, and 2003 SP2 allows remote attackers to execute arbitrary code via a crafted .pub file, related to invalid "memory values," aka "Publisher Invalid Memory Reference Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.1 openSUSE Factory Package gstreamer010-plugins-bad is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 SUSE Linux Enterprise Server 10 openSUSE Factory Package gtk-engines is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory openSUSE Factory Package gspcav-kmp-debug is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Windows Server 2003 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Jeff Ito INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gtk-sharp2-doc is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtklp-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE Factory Package gspcav is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:factory Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package gtk-qt-engine is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gsmlib-devel is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 openSUSE Factory Package grass is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:desktop cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Excel Unspecified vulnerability in Microsoft Excel 2000 SP3, and Office for Mac 2004 and 2008 allows user-assisted remote attackers to execute arbitrary code via a crafted .SLK file that is not properly handled when importing the file, aka "Excel File Import Vulnerability." Sudhir Gandhe Sudhir Gandhe Sudhir Gandhe Sudhir Gandhe INTERIM INTERIM SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gstreamer-plugins-32bit is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory Sun Solaris 9 Solaris 9, with Solaris Auditing enabled and certain patches for sshd installed, can generate audit records with an audit-ID of 0 even when the user logging into ssh is not root, which makes it easier for attackers to avoid detection and can make it more difficult to conduct forensics activities. Nicholas Hansen DRAFT INTERIM ACCEPTED ACCEPTED SUSE Linux 10.0 SUSE Linux 10.1 openSUSE Factory Package gtk-sharp-debuginfo is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:opensuse:factory openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Server 10 openSUSE Factory Package gxdview is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10:server cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word Unspecified vulnerability in Microsoft Word allows user-assisted remote attackers to execute arbitrary code on Word 2000, and cause a denial of service on Word 2003, via unknown attack vectors that trigger memory corruption, as exploited by Trojan.Mdropper.W and later by Trojan.Mdropper.X, a different issue than CVE-2006-6456, CVE-2006-5994, and CVE-2006-6561. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED openSUSE Factory Package gtkspell-doc is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:factory Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Unspecified vulnerability in Microsoft Outlook in Office 2000 SP3, XP SP3, 2003 SP2 and Sp3, and Office System allows user-assisted remote attackers to execute arbitrary code via a crafted mailto URI. Sudhir Gandhe DRAFT Sudhir Gandhe INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The application Microsoft Outlook 2000 is installed. Sudhir Gandhe DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The application Microsoft Outlook 2003 is installed. Sudhir Gandhe DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The application Microsoft Outlook 2002 is installed. Sudhir Gandhe DRAFT INTERIM INTERIM