The OVAL Repository 5.4 2008-10-01T09:00:29.826-04:00 Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Stack-based buffer overflow in the HrShellOpenWithMonikerDisplayName function in Microsoft Hyperlink Object Library (hlink.dll) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long hyperlink, as demonstrated using an Excel worksheet with a long link in Unicode, aka "Hyperlink COM Object Buffer Overflow Vulnerability." NOTE: this is a different issue than CVE-2006-3059. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 X Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. Jay Beale INTERIM INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 File and Print Sharing File and Print Sharing service in Windows 95, Windows 98, and Windows Me does not properly check the password for a file share, which allows remote attackers to bypass share access controls by sending a 1-byte password that matches the first character of the real password, aka the "Share Level Password" vulnerability. Tiffany Bergeron INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 COM Internet Services Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. Jay Beale INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in HP-UX B.11.23 on Itanium platforms allows local users to cause a denial of service due to a "specific stack size." Robert L. Hollis DRAFT Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 MIT Kerberos 5 (krb5) Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Microsoft Internet Explorer 5.01 and 6.0 allow remote attackers to execute arbitrary code via malformed Content-Disposition and Content-Type header fields that cause the application for the spoofed file type to pass the file back to the operating system for handling rather than raise an error message, aka the first variant of the "Content Disposition" vulnerability. Andrew Buttner Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Outlook Express Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. Ingrid Skoog DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors. Jay Beale INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6 and 7 Beta 2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a certain createTextRange call on a checkbox object, which results in a dereference of an invalid table pointer. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). Jay Beale INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Buffer overflow in gopher client for Microsoft Internet Explorer 5.1 through 6.0, Proxy Server 2.0, or ISA Server 2000 allows remote attackers to execute arbitrary code via a gopher:// URL that redirects the user to a real or simulated gopher server that sends a long response. David Proulx Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSL The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.5 and 6.0 allows remote attackers to read certain files and spoof the URL in the address bar by using the Document.open function to pass information between two frames from different domains, a new variant of the "Frame Domain Verification" vulnerability described in MS:MS01-058/CAN-2001-0874. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. Jay Beale INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 cachefsd Buffer overflow in the fscache_setup function of cachefsd in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long mount argument. David Proulx Brian Soby Brian Soby INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows NT COM Internet Services Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Jet Database Engine Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query. Andrew Buttner INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01 through 6 does not always return the correct IOleClientSite information when dynamically creating an embedded object, which could cause Internet Explorer to run the object in the wrong security context or zone, and allow remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows XP H.323 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer The file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Data Access Components 2.6 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 MDAC 2.5 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 ImageMagick The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer The zone determination function in Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to run scripts in the Local Computer zone by embedding the script in a cookie, aka the "Cookie-based Script Execution" vulnerability. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Enhanced Metafile (EMF) Windows Metafile (WMF) Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer Christine Walzer DRAFT Microsoft Windows NT HTML Help Facility Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis Jonathan Baker ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Remote Procedure Call (RPC) An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT SNMP Memory leak in SNMP agent in Windows NT 4.0 before SP5 allows remote attackers to conduct a denial of service (memory exhaustion) via a large number of queries. Christine Walzer INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted BIFF record with an attacker-controlled array index that is used for a function pointer, aka "Malformed OBJECT record Vulnerability." Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Buffer overflow in ASP Server-Side Include Function in IIS 4.0, 5.0 and 5.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via long file names. Tiffany Bergeron ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability." Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 H.323 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Xsun Unspecified vulnerability in the (1) Xsun and (2) Xprt commands in Solaris 7, 8, 9, and 10 allows local users to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Multiple cross-site scripting (XSS) vulnerabilities in the administrative web pages for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allow remote attackers to execute HTML script as other users through (1) a certain ASP file in the IISHELP virtual directory, or (2) possibly other unknown attack vectors. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 mibiisa Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. David Proulx ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll. Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. Christine Walzer INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) The showcode.asp sample file in IIS and Site Server allows remote attackers to read arbitrary files. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) A typographical error in the script source access permissions for Internet Information Server (IIS) 5.0 does not properly exclude .COM files, which allows attackers with only write permissions to upload malicious .COM files, aka "Script Source Access Vulnerability." Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Unknown vulnerability in the hosting process (dllhost.exe) for Microsoft Internet Information Server (IIS) 4.0 through 5.1 allows remote attackers to gain privileges by executing an out of process application that acquires LocalSystem privileges, aka "Out of Process Privilege Elevation." Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSL The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in the implementation of an HTML directive in mshtml.dll in Internet Explorer 5.5 and 6.0 allows remote attackers to execute arbitrary code via a web page that specifies embedded ActiveX controls in a way that causes 2 Unicode strings to be concatenated. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft ASN.1 Library Double free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code. David Proulx INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code under fewer security restrictions via a malformed web page that requires NetBIOS connectivity, aka "Zone Spoofing through Malformed Web Page" vulnerability. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page. Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6.0 allows remote attackers to execute arbitrary code by modifying the Content-Disposition and Content-Type header fields in a way that causes Internet Explorer to believe that the file is safe to open without prompting the user, aka the "File Execution Vulnerability." Tiffany Bergeron INTERIM ACCEPTED INTERIM Harvey Rubinovitz ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.5 and earlier allows remote attackers to obtain the physical location of cached content and open the content in the Local Computer Zone, then use compiled HTML help (.chm) files to execute arbitrary programs. Tiffany Bergeron INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. Harvey Rubinovitz ACCEPTED Microsoft Windows Server 2003 Local Security Authority Subsystem Service (LSASS) Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Unspecified vulnerability in Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, and other products, allows user-assisted attackers to execute arbitrary code via an Office file with malformed string that triggers memory corruption related to record lengths, aka "Microsoft Office Parsing Vulnerability," a different vulnerability than CVE-2006-2389. Robert L. Hollis INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Multiple unspecified vulnerabilities in the KSSL kernel module in Sun Solaris 10, when configured with the KSSL proxy, allow remote attackers to cause a denial of service (kernel panic) via unspecified vectors related to "memory buffers" of Secure Socket Layer (SSL) records. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) In IIS, remote attackers can obtain source code for ASP files by appending "::$DATA" to the URL. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Unspecified vulnerability in the IP implementation in Sun Solaris 8 and 9 allows remote attackers to cause a denial of service (CPU consumption) via crafted IP packets, probably related to fragmented packets with duplicate or missing fragments. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. Christine Walzer INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Local Descriptor Table (LDT) The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. Jonathan Baker INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 NetWare The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 7 CDE CDE ToolTalk database server (ttdbserver) allows remote attackers to overwrite arbitrary memory locations with a zero, and possibly gain privileges, via a file descriptor argument in an AUTH_UNIX procedure call, which is used as a table index by the _TT_ISCLOSE procedure. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) IIS 5.0 uses relative paths to find system files that will run in-process, which allows local users to gain privileges via a Trojan horse file, aka the "System file listing privilege elevation" vulnerability. Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky DEPRECATED DEPRECATED Microsoft Windows 2000 H.323 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Agent Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux3 Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Help and Support Center (HSC) Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe. Harvey Rubinovitz Harvey Rubinovitz INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the dynamic tracing framework (DTrace) on Sun Solaris 10 before 20070730 allows local users with PRIV_DTRACE_USER privileges to cause a denial of service (panic or hang) via unspecified use of certain DTrace programs. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 OpenSSL OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 COM Internet Services Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability." Christine Walzer Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Remote Procedure Call (RPC) A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests. Tiffany Bergeron INTERIM Ingrid Skoog ACCEPTED ACCEPTED Sun Solaris 8 libnsl Integer overflow in xdr_array function in RPC servers for operating systems that use libc, glibc, or other code based on SunRPC including dietlibc, allows remote attackers to execute arbitrary code by passing a large number of arguments to xdr_array through RPC services such as rpc.cmsd and dmispd. David Proulx Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Local Security Authority Subsystem Service (LSASS) Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Enhanced Metafile (EMF) Windows Metafile (WMF) Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows logon process (winlogon) Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows logon process (winlogon) Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Remote Procedure Call (RPC) A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. Christine Walzer DRAFT Microsoft Windows 2000 Remote Procedure Call (RPC) A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Secure Sockets Layer (SSL) The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. David Proulx INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Local Descriptor Table (LDT) The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Multiple UNC Provider (MUP) Buffer overflow in Multiple UNC Provider (MUP) in Microsoft Windows operating systems allows local users to cause a denial of service or possibly gain SYSTEM privileges via a long UNC request. Tiffany Bergeron ACCEPTED Microsoft Windows XP Private Communications Transport (PCT) Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Red Hat Enteprise Linux 3 Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. Jay Beale Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Secure Sockets Layer (SSL) The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Secure Sockets Layer (SSL) The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. David Proulx INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Local Security Authority Subsystem Service (LSASS) Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. Tiffany Bergeron INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Outlook Express The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." Andrew Buttner INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System The Bourne shell (sh) in Solaris 8, 9, and 10 allows local users to cause a denial of service (sh crash) via an unspecified attack vector that causes sh processes to crash during creation of temporary files. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Red Hat 9 The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 httpd Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 libxml2 Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. Jay Beale Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mozilla Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSL OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. Matt Busby Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 OpenSSL The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Matt Busby Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Simple Network Management Protocol (SNMP) Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. Harvey Rubinovitz Jonathan Baker ACCEPTED Red Hat Enterprise Linux 3 Net-SNMP Net-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges. Matt Busby Matt Busby INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Linux kernel The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 CVS server CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the TCP Loopback/Fusion implementation in Sun Solaris 10 allows local users to cause a denial of service (resource exhaustion and service hang) via unspecified vectors. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 KDE Personal Information Management (kdepim) Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. Jay Beale INTERIM Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Apache Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 httpd Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Sysstat The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 nfs-utils packages rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name. Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 lbxproxy Buffer overflow in Low BandWidth X proxy (lbxproxy) in Solaris 8 allows local users to execute arbitrary code via a long display command line option. David Proulx ACCEPTED Red Hat Linux 9 Linux kernel Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 KDE Personal Information Management (kdepim) Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Tethereal The Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 CVS server CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 tcpdump The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. Jay Beale ACCEPTED Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 tcpdump The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 tcpdump tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 sysstat The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. Jay Beale Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 tcpdump tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 gdk-pixbuf gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. Jay Beale INTERIM Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gdk-pixbuf gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. Jay Beale INTERIM Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 MSN Messenger Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files. Christine Walzer INTERIM Andrew Buttner ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Outlook Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows Media Services Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets. Tiffany Bergeron INTERIM John Hoyland INTERIM John Hoyland Jeff Cheng Jeff Cheng INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Unspecified vulnerability in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 and 2003 SP1, allows remote attackers to execute arbitrary code via unspecified vectors involving unhandled exceptions, memory resident applications, and incorrectly "unloading chained exception." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal The OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mod_python Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED Robert L. Hollis DEPRECATED DEPRECATED Red Hat Enterprise Linux 3 Mutt Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. Jay Beale ACCEPTED Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 mremap The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Vicam USB driver The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Linux kernel Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Unspecified vulnerability in Low Bandwidth X proxy (lbxproxy) on Sun Solaris 8 through 10 before 20070725 allows local users to read arbitrary files with root group ownership via unknown vectors. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 XMLSoft Libxml2 Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. Jay Beale Matt Busby Matt Busby INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED Robert L. Hollis DEPRECATED DEPRECATED Red Hat Enterprise Linux 3 XFree86 Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 XFree86 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. Jay Beale Matt Busby Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 XFree86 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. Jay Beale Matt Busby Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 MicrosoftSQL Server Buffer overflows in Microsoft SQL Server 7.0 and 2000 allow attackers with access to SQL Server to execute arbitrary code through the functions (1) raiserror, (2) formatmessage, or (3) xp_sprintf. NOTE: the C runtime format string vulnerability reported in MS01-060 is identified by CVE-2001-0879. Yi-Fang Koh Ingrid Skoog INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 SUSE Linux 10.1 SUSE Linux 10.0 SUSE Linux Professional 9.3 SUSE Linux Desktop 1.0 SUSE Linux Enterprise Desktop 10 OpenOffice_org1 OpenOffice_org1-ar OpenOffice_org1-ca OpenOffice_org1-cs OpenOffice_org1-da OpenOffice_org1-de OpenOffice_org1-el OpenOffice_org1-en OpenOffice_org1-es OpenOffice_org1-et OpenOffice_org1-fi OpenOffice_org1-fr OpenOffice_org1-gnome OpenOffice_org1-hu OpenOffice_org1-it OpenOffice_org1-ja OpenOffice_org1-kde OpenOffice_org1-ko OpenOffice_org1-nl OpenOffice_org1-pl OpenOffice_org1-pt OpenOffice_org1-ru OpenOffice_org1-sk OpenOffice_org1-sl OpenOffice_org1-sv OpenOffice_org1-tr OpenOffice_org1-zh-CN OpenOffice_org1-zh-TW OpenOffice_org OpenOffice_org-af OpenOffice_org-be-BY OpenOffice_org-bg OpenOffice_org-ca OpenOffice_org-cs OpenOffice_org-cy OpenOffice_org-da OpenOffice_org-de OpenOffice_org-el OpenOffice_org-en OpenOffice_org-en-GB OpenOffice_org-es OpenOffice_org-et OpenOffice_org-fi OpenOffice_org-fr OpenOffice_org-galleries OpenOffice_org-gnome OpenOffice_org-gu-IN OpenOffice_org-hr OpenOffice_org-hu OpenOffice_org-hunspell OpenOffice_org-it OpenOffice_org-ja OpenOffice_org-kde OpenOffice_org-ko OpenOffice_org-mono OpenOffice_org-nb OpenOffice_org-nl OpenOffice_org-nn OpenOffice_org-officebean OpenOffice_org-pa-IN OpenOffice_org-pl OpenOffice_org-pt OpenOffice_org-pt-BR OpenOffice_org-ru OpenOffice_org-sk OpenOffice_org-sl OpenOffice_org-sv OpenOffice_org-tr OpenOffice_org-vi OpenOffice_org-xh OpenOffice_org-zh-CN OpenOffice_org-zh-TW OpenOffice_org-zu Multiple integer overflows in OpenOffice.org (OOo) 2.0.4 and earlier, and possibly other versions before 2.1.0; and StarOffice 6 through 8; allow user-assisted remote attackers to execute arbitrary code via a crafted (a) WMF or (b) EMF file that triggers heap-based buffer overflows in (1) wmf/winwmf.cxx, during processing of META_ESCAPE records; and wmf/enhwmf.cxx, during processing of (2) EMR_POLYPOLYGON and (3) EMR_POLYPOLYGON16 records. Thomas R. Jones DRAFT Jonathan Baker INTERIM ACCEPTED ACCEPTED cpe://novell:linux_desktop:9 cpe://novell:suse_linux:10.1 cpe://novell:suse_linux:10.0 cpe://novell:suse_linux:9.3:pro cpe://novell:suse_linux:1.0:desktop cpe://novell:suse_linux_enterprise:10:desktop cpe:///novell:OpenOffice_org1 cpe:///novell:OpenOffice_org1-ar cpe:///novell:OpenOffice_org1-ca cpe:///novell:OpenOffice_org1-cs cpe:///novell:OpenOffice_org1-da cpe:///novell:OpenOffice_org1-de cpe:///novell:OpenOffice_org1-el cpe:///novell:OpenOffice_org1-en cpe:///novell:OpenOffice_org1-es cpe:///novell:OpenOffice_org1-et cpe:///novell:OpenOffice_org1-fi cpe:///novell:OpenOffice_org1-fr cpe:///novell:OpenOffice_org1-gnome cpe:///novell:OpenOffice_org1-hu cpe:///novell:OpenOffice_org1-it cpe:///novell:OpenOffice_org1-ja cpe:///novell:OpenOffice_org1-kde cpe:///novell:OpenOffice_org1-ko cpe:///novell:OpenOffice_org1-nl cpe:///novell:OpenOffice_org1-pl cpe:///novell:OpenOffice_org1-pt cpe:///novell:OpenOffice_org1-ru cpe:///novell:OpenOffice_org1-sk cpe:///novell:OpenOffice_org1-sl cpe:///novell:OpenOffice_org1-sv cpe:///novell:OpenOffice_org1-tr cpe:///novell:OpenOffice_org1-zh-CN cpe:///novell:OpenOffice_org1-zh-TW cpe:///novell:OpenOffice_org cpe:///novell:OpenOffice_org-af cpe:///novell:OpenOffice_org-be-BY cpe:///novell:OpenOffice_org-bg cpe:///novell:OpenOffice_org-ca cpe:///novell:OpenOffice_org-cs cpe:///novell:OpenOffice_org-cy cpe:///novell:OpenOffice_org-da cpe:///novell:OpenOffice_org-de cpe:///novell:OpenOffice_org-el cpe:///novell:OpenOffice_org-en cpe:///novell:OpenOffice_org-en-GB cpe:///novell:OpenOffice_org-es cpe:///novell:OpenOffice_org-et cpe:///novell:OpenOffice_org-fi cpe:///novell:OpenOffice_org-fr cpe:///novell:OpenOffice_org-galleries cpe:///novell:OpenOffice_org-gnome cpe:///novell:OpenOffice_org-gu-IN cpe:///novell:OpenOffice_org-hr cpe:///novell:OpenOffice_org-hu cpe:///novell:OpenOffice_org-hunspell cpe:///novell:OpenOffice_org-it cpe:///novell:OpenOffice_org-ja cpe:///novell:OpenOffice_org-kde cpe:///novell:OpenOffice_org-ko cpe:///novell:OpenOffice_org-mono cpe:///novell:OpenOffice_org-nb cpe:///novell:OpenOffice_org-nl cpe:///novell:OpenOffice_org-nn cpe:///novell:OpenOffice_org-officebean cpe:///novell:OpenOffice_org-pa-IN cpe:///novell:OpenOffice_org-pl cpe:///novell:OpenOffice_org-pt cpe:///novell:OpenOffice_org-pt-BR cpe:///novell:OpenOffice_org-ru cpe:///novell:OpenOffice_org-sk cpe:///novell:OpenOffice_org-sl cpe:///novell:OpenOffice_org-sv cpe:///novell:OpenOffice_org-tr cpe:///novell:OpenOffice_org-vi cpe:///novell:OpenOffice_org-xh cpe:///novell:OpenOffice_org-zh-CN cpe:///novell:OpenOffice_org-zh-TW cpe:///novell:OpenOffice_org-zu Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-kde is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-nl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-sl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-ja is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-ru is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-sv is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-zh-TW is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-it is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-ko is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-zh-TW is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-da is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-galleries is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-zh-CN is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-ja is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-af is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-en is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-ca is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-gnome is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-pt is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-sk is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux 10.0 Package OpenOffice_org-hunspell is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:10.0 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-ca is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-pt-BR is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-pa-IN is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-sv is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-en-GB is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-fi is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-nb is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-el is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-pl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-ar is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-kde is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-sl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-cs is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-hr is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-tr is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-es is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-it is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-de is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-et is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-et is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-fr is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-pt is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-ar is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-el is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-nl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop SUSE Linux Professional 9.3 Package OpenOffice_org1-zh-CN is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-es is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.1 Package OpenOffice_org-officebean is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-de is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-pl is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-nn is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-xh is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-fi is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-be-BY is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-bg is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-ru is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-hu is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-cs is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-ko is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-gnome is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-gu-IN is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-cy is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1-tr is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro SUSE Linux Professional 9.3 Package OpenOffice_org1-da is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-vi is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 Red Hat Linux 9 mod_python Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Race condition in recursive directory deletion with the (1) -r or (2) -R option in rm in Solaris 8 through 10 before 20070208 allows local users to delete files and directories as the user running rm by moving a low-level directory to a higher level as it is being deleted, which causes rm to chdir to a ".." directory that is higher than expected, possibly up to the root file system, a related issue to CVE-2002-0435. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Samba 3.0.0 and 3.0.1 The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 Package OpenOffice_org-zu is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 SUSE Linux Professional 9.3 Package OpenOffice_org1 is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:suse_linux:9.3::pro Red Hat Enterprise Linux 3 PWLib Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mremap The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-sk is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Red Hat Linux 9 KDE Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-hu is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-mono is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Red Hat Linux 9 Midnight Commander Stack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Novell Linux Desktop 9 openSUSE 10.2 SUSE Linux 10.0 SUSE Linux 10.1 SUSE Linux Enterprise Desktop 10 Package OpenOffice_org-fr is installed. Thomas R. Jones DRAFT INTERIM ACCEPTED ACCEPTED cpe:/o:novell:linux_desktop:9 cpe:/o:novell:opensuse:10.2 cpe:/o:novell:suse_linux:10.0 cpe:/o:novell:suse_linux:10.1 cpe:/o:novell:suse_linux_enterprise:10::desktop Red Hat Linux 9 slocate Heap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Gaim Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft SQL Server 2000 Vulnerabilities in RPC servers in (1) Microsoft Exchange Server 2000 and earlier, (2) Microsoft SQL Server 2000 and earlier, (3) Windows NT 4.0, and (4) Windows 2000 allow remote attackers to cause a denial of service via malformed inputs. Tiffany Bergeron Jonathan Baker INTERIM Ingrid Skoog ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Gaim Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Gaim Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Operating System COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Mailman Cross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Mailman Cross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Outlook Express Buffer overflow in Microsoft Outlook Express 5.5 and 6 allows remote attackers to execute arbitrary code via a crafted Windows Address Book (WAB) file containing "certain Unicode strings" and modified length values. Robert L. Hollis DRAFT INTERIM ACCEPTED John Hoyland Anna Min INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Mutt Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 netpbm netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability in Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other users via an HTTP error page. Tiffany Bergeron ACCEPTED Red Hat Linux 9 XFree86 Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Internet Explorer Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 XFree86 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 XFree86 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 netpbm netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 PWLib Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. Jay Beale Matt Busby ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Windows Internet Naming Service (WINS) The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows Internet Naming Service (WINS) The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows Internet Naming Service (WINS) The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Andrew Buttner INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Sun Solaris 7 CDE CDE ToolTalk database server (ttdbserver) allows local users to overwrite arbitrary files via a symlink attack on the transaction log file used by the _TT_TRANSACTION RPC procedure. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Unspecified vulnerability in the Server service in Microsoft Windows 2000 SP4, Server 2003 SP1 and earlier, and XP SP2 and earlier allows remote attackers to execute arbitrary code via a crafted packet, aka "SMB Rename Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft ASN.1 Library Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Buffer overflow in Microsoft Office 2000 SP3, XP SP3, and other versions and packages, allows user-assisted attackers to execute arbitrary code via a routing slip that is longer than specified by the provided length field, as exploited by malware such as TROJ_MDROPPER.BH and Trojan.PPDropper.E in attacks against PowerPoint. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft ASN.1 Library Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft ASN.1 Library Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. Andrew Buttner INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Windows Script Engine for JScript v5.5 Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. Tiffany Bergeron David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Anna Min INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Windows Script Engine for JScript v5.1 Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. Tiffany Bergeron David Proulx INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Anna Min INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via a crafted URL with an International Domain Name (IDN) using double-byte character sets (DBCS), aka the "Double Byte Character Parsing Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via by instantiating the (1) Mdt2gddr.dll, (2) Mdt2dd.dll, and (3) Mdt2gddo.dll COM objects as ActiveX controls, which leads to memory corruption. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 8 rpc.rwalld Format string vulnerability in RPC wall daemon (rpc.rwalld) for Solaris 2.5.1 through 8 allows remote attackers to execute arbitrary code via format strings in a message that is not properly provided to the syslog function when the wall command cannot be executed. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Jason Spashett INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Unspecified vulnerability in Microsoft Internet Explorer 5.01 through 6 allows remote attackers to execute arbitrary code via certain invalid HTML that causes memory corruption. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B.11.23, when run with certain options that involve a new home directory, might cause usermod to change the ownership of all directories and files under the new directory, which might result in less secure permissions than intended. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Services for UNIX The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. Jonathan Baker DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Anna Min INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Word 2003 Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Matthew Burton DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice. Tiffany Bergeron Tiffany Bergeron ACCEPTED INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Windows kernel Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. Christine Walzer DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Local Security Authority Subsystem Service (LSASS) LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program. Christine Walzer DRAFT INTERIM ACCEPTED Andrew Buttner INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Client Server Runtime System (CSRSS) Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value. Ingrid Skoog DRAFT INTERIM Christine Walzer Andrew Buttner ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Data Access Compnents 2.8 Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. Christine Walzer INTERIM ACCEPTED Jeff Cheng INTERIM Jeff Cheng ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Unspecified vulnerability in usermod in HP-UX B.11.00, B.11.11, and B.11.23, when run with certain options that involve a new home directory, might cause usermod to change the ownership of all directories and files under the new directory, which might result in less secure permissions than intended. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Nabil Ouchn ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Anna Min INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to read arbitrary files via malformed requests to the GetObject function, which bypass some of GetObject's security checks. David Proulx ACCEPTED Microsoft Windows Server 2003 Microsoft Color Management Module Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Microsoft Excel 2000, 2002, 2003, Viewer 2003, Office 2004 for Mac, and Office v.X for Mac does not properly handle certain opcodes, which allows user-assisted remote attackers to execute arbitrary code via a crafted XLS file, which results in an "Improper Memory Access Vulnerability." NOTE: an early disclosure of this issue used CVE-2006-3432, but only CVE-2007-0028 should be used. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 10 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 Unknown vulnerability in remshd daemon in HP-UX B.11.00, B.11.11, and B.11.23 while running in "Trusted Mode" allows remote attackers to gain unauthorized system access via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 gzip Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Stack-based buffer overflow in Microsoft Excel 2000, 2002, and 2003, in Microsoft Office 2000 SP3 and other packages, allows user-assisted attackers to execute arbitrary code via an Excel file with a malformed record with a modified length value, which leads to memory corruption. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft SharePoint Team Services Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Glenn Strickland INTERIM Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. Harvey Rubinovitz DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Microsoft Internet Explorer 6 allows remote attackers to execute arbitrary code by using JavaScript to cause certain errors simultaneously, which results in the access of previously freed memory, aka "Script Error Handling Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM Matthew Wojcik ACCEPTED ACCEPTED HP-UX 11 Apache The byte-range filter in Apache 2.0 before 2.0.54 allows remote attackers to cause a denial of service (memory consumption) via an HTTP header with a large Range field. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows 2000 smss.exe debugging subsystem in Windows NT and Windows 2000 does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges by duplicating a handle to a privileged process, as demonstrated by DebPloit. Tiffany Bergeron ACCEPTED Red Hat Enterprise Linux 4 mozilla A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Sun Solaris 9 Access Manager Unspecified vulnerability in Sun Java System Access Manager 7.0 allows local users logged in as "root" to bypass authentication and gain top-level administrator privileges via the amadmin CLI tool. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Heap-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, 2004 for Mac, and v.X for Mac allows user-assisted remote attackers to execute arbitrary code via a BIFF8 spreadsheet with a PALETTE record that contains a large number of entries. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Microsoft Excel 2000 through 2004 allows user-assisted attackers to execute arbitrary code via a .xls file with a crafted LABEL record that triggers memory corruption. Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Data Access Compnents 2.7 Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. Christine Walzer INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Unknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM John Hoyland ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 bzip2 bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb"). Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer 7 The patch IE7-KB928090-WindowsServer2003-x64-enu.exe that addresses the vulnerabilities discussed in Microsoft Security Bulletin MS07-016 should be installed. Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Buffer overflow in the Winsock API in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka "Winsock Hostname Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word Unspecified vulnerability in Microsoft Word 2000, 2002, and 2003 and Word Viewer 2003 allows remote attackers to execute code via unspecified vectors related to malformed data structures that trigger memory corruption, a different vulnerability than CVE-2006-5994. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Christine Walzer ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Andrew Simmons INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 Gaim Gaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft FrontPage Server Extensions 2000 Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. Tiffany Bergeron Andrew Buttner INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Anna Min INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Unspecified vulnerability in Microsoft Office XP and 2003 allows remote user-assisted attackers to execute arbitrary code via a malformed Smart Tag. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 7 dtspcd Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Cross-domain vulnerability in Microsoft Internet Explorer 6.0 allows remote attackers to access restricted information from other domains via an object tag with a data parameter that references a link on the attacker's originating site that specifies a Location HTTP header that references the target site, which then makes that content available through the outerHTML attribute of the object, aka "Redirect Cross-Domain Information Disclosure Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Kerberos Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED HP-UX 11 Apache Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. Tiffany Bergeron Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Multiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 4 mozilla Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Perl Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System The ShellAbout API call in Korean Input Method Editor (IME) in Korean versions of Microsoft Windows XP SP1 and SP2, Windows Server 2003 up to SP1, and Office 2003, allows local users to gain privileges by launching the "shell about dialog box" and clicking the "End-User License Agreement" link, which executes Notepad with the privileges of the program that displays the about box. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 8 Sun Solaris 7 Operating System Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating System Buffer overflow in the DNS Client service in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allows remote attackers to execute arbitrary code via a crafted record response. NOTE: while MS06-041 implies that there is a single issue, there are multiple vectors, and likely multiple vulnerabilities, related to (1) a heap-based buffer overflow in a DNS server response to the client, (2) a DNS server response with malformed ATMA records, and (3) a length miscalculation in TXT, HINFO, X25, and ISDN records. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Web Client Service Buffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters. Matthew Burton DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Buffer overflow in the ASP data transfer mechanism in Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to cause a denial of service or execute code, aka "Microsoft-discovered variant of Chunked Encoding buffer overrun." Tiffany Bergeron ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Microsoft Internet Explorer 5.01 and 6 does not properly handle uninitialized COM objects, which allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code, as demonstrated by the Nth function in the DirectAnimation.DATuple ActiveX control, aka "COM Object Instantiation Memory Corruption Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer 7 The patch IE7-KB928090-WindowsServer2003-x64-enu.exe that addresses the vulnerabilities discussed in Microsoft Security Bulletin MS07-016 should be installed. Andrew Buttner DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 gftp Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. Jay Beale DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Operating System Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. Robert L. Hollis DRAFT INTERIM ACCEPTED Anna Min INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Hyperlink Object Library The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow. Christine Walzer DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Windows Animated Cursor The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. Christine Walzer DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 ImageMagick Heap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability." Harvey Rubinovitz DRAFT INTERIM Harvey Rubinovitz ACCEPTED Robert L. Hollis ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft SQL Server 2000 An SQL query method in Microsoft SQL Server 2000 Gold and 7.0 using Mixed Mode allows local database users to gain privileges by reusing a cached connection of the sa administrator account. Yi-Fang Koh ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Flash Player Unspecified vulnerability in Adobe (Macromedia) Flash Player 8.0.24.0 allows remote attackers to execute arbitrary commands via a malformed .swf file that results in "multiple improper memory access" errors. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows Internet Naming Service (WINS) The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. Andrew Buttner INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Operating System Unspecified vulnerability in Sun Solaris 9 and 10 for the x86 platform allows local users to gain privileges or cause a denial of service (panic) via unspecified vectors, possibly involving functions from the mm driver. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Windows Server 2003 Operating System Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word Microsoft Word in Office 2000 SP3, XP SP3, Office 2003 SP2, Works Suite 2004 to 2006, and Office 2004 for Mac does not correctly check the properties of certain documents and warn the user of macro content, which allows user-assisted remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 dtspcd Buffer overflow in the client connection routine of libDtSvc.so.1 in CDE Subprocess Control Service (dtspcd) allows remote attackers to execute arbitrary commands. David Proulx Todd Dolinsky INTERIM ACCEPTED ACCEPTED Sun Solaris 8 kcms_configure kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. David Proulx ACCEPTED Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer Christine Walzer INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Heap-based buffer overflow in T2EMBED.DLL in Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 up to SP1, Windows 98, and Windows ME allows remote attackers to execute arbitrary code via an e-mail message or web page with a crafted Embedded Open Type (EOT) web font that triggers the overflow during decompression. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2002 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED Matthew Wojcik INTERIM John Hoyland ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Visual Basic Buffer overflow in Microsoft Visual Basic for Applications (VBA) SDK 6.0 through 6.4, as used by Microsoft Office 2000 SP3, Office XP SP3, Project 2000 SR1, Project 2002 SP1, Access 2000 Runtime SP3, Visio 2002 SP2, and Works Suite 2004 through 2006, allows user-assisted attackers to execute arbitrary code via unspecified document properties that are not verified when VBA is invoked to open documents. Robert L. Hollis DRAFT INTERIM ACCEPTED Clifford Farrugia INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6.0 allows remote attackers to identify the path to the Temporary Internet Files folder and obtain user information such as cookies via certain uses of the OBJECT tag, which are not subjected to the proper security checks, aka "Temporary Internet Files folders Name Reading." Harvey Rubinovitz ACCEPTED ACCEPTED Red Hat Linux 9 Ethereal Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 TIP Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Word for Windows 6.0 Converter Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. Christine Walzer DRAFT INTERIM Jonathan Baker Ingrid Skoog ACCEPTED Robert L. Hollis DEPRECATED Clifford Farrugia DEPRECATED Microsoft Windows XP Microsoft Internet Explorer 7 The patch IE7-KB929969-WindowsXP-x86-enu.exe that addresses the vulnerabilities discussed in Microsoft Security Bulletin MS07-004 should be installed. Andrew Buttner DRAFT INTERIM ACCEPTED Clifford Farrugia INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System Buffer overflow in the Web Client service (WebClnt.dll) for Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote authenticated users or Guests to execute arbitrary code via crafted RPC requests, a different vulnerability than CVE-2005-1207. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows XP Microsoft Internet Explorer Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Agent Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. Harvey Rubinovitz DRAFT Harvey Rubinovitz INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows NT NetDDE Agent NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation." Ingrid Skoog DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Sun Solaris 7 Admintool Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer 7 The patch IE7-KB929969-WindowsServer2003-ia64-enu.exe that addresses the vulnerabilities discussed in Microsoft Security Bulletin MS07-004 should be installed. Andrew Buttner DRAFT INTERIM ACCEPTED Clifford Farrugia INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 NetDDE Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. Jonathan Baker DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System Microsoft Windows XP SP1 and SP2, and Server 2003 up to SP1, allows remote attackers to cause a denial of service (hang) via an IGMP packet with an invalid IP option, aka the "IGMP v3 DoS Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The XML parser in Mozilla Firefox before 1.5.0.1 and SeaMonkey before 1.0 allows remote attackers to cause a denial of service (crash) and possibly read sensitive data via unknown attack vectors that trigger an out-of-bounds read. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 postgresql PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability." Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 97 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Matthew Wojcik INTERIM Microsoft Windows 2000 Operating System Unspecified vulnerability in the kernel in Microsoft Windows 2000 SP4, probably a buffer overflow, allows local users to obtain privileges via unspecified vectors involving an "unchecked buffer." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Windows Server 2003 Operating System The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker Jonathan Baker Jonathan Baker Robert L. Hollis ACCEPTED ACCEPTED Sun Solaris 8 Admintool Buffer overflow in admintool in Solaris 2.5 through 8 allows local users to gain root privileges via long arguments to (1) the -d command line option, or (2) the PRODVERS argument in the .cdtoc file. David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Windows Media Player Heap-based buffer overflow in the WMCheckURLScheme function in WMVCORE.DLL in Microsoft Windows Media Player (WMP) 10.00.00.4036 on Windows XP SP2, Server 2003, and Server 2003 SP1 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via a long HREF attribute, using an unrecognized protocol, in a REF element in an ASX PlayList file. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 2002 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner DRAFT INTERIM ACCEPTED Ingrid Skoog INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 ypserv ypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 xpdf Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink. Jay Beale INTERIM ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Multiple unspecified vulnerabilities in lpsched in Sun Solaris 8, 9, and 10 allow local users to delete arbitrary files or disable the LP print service via unknown attack vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message. David Proulx Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 xinetd Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections. Jay Beale INTERIM Jay Beale Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft ASN.1 Library Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. Andrew Buttner INTERIM ACCEPTED ACCEPTED HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Sun Solaris 7 kcms_configure kcms_configure as included with Solaris 7 and 8 allows a local attacker to gain additional privileges via a buffer overflow in a command line argument. David Proulx ACCEPTED HP-UX 11 ftpd wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mikmod Buffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT MDAC 2.8 The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability." Ingrid Skoog DRAFT INTERIM ACCEPTED Jonathan Baker Jonathan Baker INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED HP-UX 11 Samba Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Windows 2000 In Microsoft Windows NT and Windows 2000, a trusting domain that receives authorization information from a trusted domain does not verify that the trusted domain is authoritative for all listed SIDs, which allows remote attackers to gain Domain Administrator privileges on the trusting domain by injecting SIDs from untrusted domains into the authorization data that comes from from the trusted domain. Tiffany Bergeron Tiffany Bergeron ACCEPTED INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Compressed Folders Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation. David Proulx DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office MSO.DLL in Microsoft Office 2000, Office XP (2002), and Office 2003 allows user-assisted attackers to cause a denial of service and execute arbitrary code via multiple attack vectors, as originally demonstrated using a crafted document record with a malformed string, as demonstrated by replacing a certain "01 00 00 00" byte sequence with an "FF FF FF FF" byte sequence, possibly causing an invalid array index, in (1) an Excel .xls document, which triggers an access violation in ole32.dll; (2) an Excel .xlw document, which triggers an access violation in excel.exe; (3) a Word document, which triggers an access violation in mso.dll in winword.exe; and (4) a PowerPoint document, which triggers an access violation in powerpnt.txt. NOTE: after the initial disclosure, this issue was demonstrated by triggering an integer overflow using an inconsistent size for a Unicode "Sheet Name" string. Robert L. Hollis INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Management Console Cross-site scripting (XSS) vulnerability in Internet Explorer 5.01 and 6 in Microsoft Windows 2000 SP4 permits access to local "HTML-embedded resource files" in the Microsoft Management Console (MMC) library, which allows remote authenticated users to execute arbitrary commands, aka "MMC Redirect Cross-Site Scripting Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 mozilla A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2000 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. Christine Walzer ACCEPTED Ingrid Skoog INTERIM ACCEPTED Robert L. Hollis INTERIM John Hoyland ACCEPTED ACCEPTED Red Hat Linux 9 vsftpd vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office Unspecified vulnerability in mso.dll in Microsoft Office 2000, XP, and 2003, and Microsoft PowerPoint 2000, XP, and 2003, allows remote user-assisted attackers to execute arbitrary code via a malformed record in a (1) .DOC, (2) .PPT, or (3) .XLS file that triggers memory corruption, related to an "array boundary condition" (possibly an array index overflow), a different vulnerability than CVE-2006-3434, CVE-2006-3650, and CVE-2006-3868. Robert L. Hollis DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 up2date up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Remote Access Service (RAS) Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. Tiffany Bergeron ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". Harvey Rubinovitz DRAFT INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft FrontPage Server Extensions 2002 Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM Glenn Strickland Jonathan Baker Jonathan Baker INTERIM Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Outlook Unspecified vulnerability in Microsoft Outlook 2000 through 2003, Exchange 5.0 Server SP2 and 5.5 SP4, Exchange 2000 SP3, and Office allows remote attackers to execute arbitrary code via an e-mail message with a crafted Transport Neutral Encapsulation Format (TNEF) MIME attachment, related to message length validation. Robert L. Hollis DRAFT INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Red Hat Enterprise Linux 3 sysreport sysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges. Jay Beale DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Nabil Ouchn INTERIM Matthew Wojcik ACCEPTED Pai Peng INTERIM ACCEPTED ACCEPTED Sun Solaris 7 mibiisa Buffer overflow in the MIB parsing component of mibiisa for Solaris 5.6 through 8 allows remote attackers to gain root privileges. David Proulx ACCEPTED Red Hat Linux 9 unzip Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Operating System The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 swagentd Unspecified vulnerability in swagentd in HP-UX B.11.00, B.11.04, and B.11.11 allows remote attackers to cause a denial of service (application crash) via unspecified vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 SquirrelMail Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office 2000 Microsoft Office XP Microsoft Office 2003 Microsoft Office Project 2002 Microsoft Office Converter Pack Microsoft Works Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack; and Works 8 do not properly parse the length of an Encapsulated PostScript (EPS) file, which allows remote attackers to execute arbitrary code via a crafted EPS file, aka the "Malformed EPS Filter Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Access 2000 Microsoft Access 2002 Microsoft Access 2003 The Microsoft Office Snapshot Viewer ActiveX control in snapview.ocx, as distributed in the standalone Snapshot Viewer and Microsoft Office Access 2000 through 2003, allows remote attackers to download arbitrary files to a client machine via a crafted HTML document or e-mail message. NOTE: this can be leveraged for code execution by writing to a Startup folder. Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Multiple memory leaks in Red Hat Directory Server 7.1 before SP7, Red Hat Directory Server 8, and Fedora Directory Server 1.1.1 and earlier allow remote attackers to cause a denial of service (memory consumption) via vectors involving (1) the authentication / bind phase and (2) anonymous LDAP search requests. Michael Wood DRAFT INTERIM INTERIM Microsoft Windows XP Microsoft Windows Vista Apple iTunes Heap-based buffer overflow in iTunes 8.0 allows remote attackers to cause a denial of service (browser crash) or possibly execute arbitrary code via a long type attribute in a quicktime tag (1) on a web page or embedded in a (2) .mp4 or (3) .mov file. Chandan S DRAFT DRAFT HP-UX 11 Unspecified vulnerability in HP-UX B.11.23, when running IPFilter in combination with PHNE_34474, allows remote attackers to cause a denial of service (system crash) via unspecified vectors. Michael Wood DRAFT INTERIM INTERIM Microsoft Windows ME Microsoft Internet Explorer Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED HP-UX 10 AutoRAID Manager Possible unknown vulnerability or vulnerabilities in HP DiskArray Utilities with AutoRAID Manager. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Remote Access Service (RAS) Buffer overflow in Remote Access Service (RAS) phonebook for Windows NT 4.0, 2000, XP, and Routing and Remote Access Server (RRAS) allows local users to execute arbitrary code by modifying the rasphone.pbk file to use a long dial-up entry. Tiffany Bergeron Jonathan Baker ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 The Event System in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 does not properly validate per-user subscriptions, which allows remote authenticated users to execute arbitrary code via a crafted event subscription request. Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED HP-UX 11 Cross-site scripting (XSS) vulnerability in mod_autoindex.c in the Apache HTTP Server before 2.2.6, when the charset on a server-generated page is not defined, allows remote attackers to inject arbitrary web script or HTML via the P parameter using the UTF-7 charset. NOTE: it could be argued that this issue is due to a design limitation of browsers that attempt to perform automatic content type detection. Michael Wood DRAFT INTERIM INTERIM Sun Solaris 9 Sun Solaris 10 OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs. Nicholas Hansen DRAFT INTERIM INTERIM HP-UX 11 The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses, which allows remote HTTP servers to cause a denial of service (memory consumption) via a large number of interim responses. Michael Wood DRAFT INTERIM INTERIM Microsoft Windows Server 2003 Microsoft Internet Explorer The legacy <script> data-island capability for XML in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to read arbitrary XML files, and portions of other files, via a URL whose "src" attribute redirects to a local file. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED HP-UX 11 Red Hat Directory Server 7.1 before SP7, Red Hat Directory Server 8, and Fedora Directory Server 1.1.1 allow remote attackers to cause a denial of service (CPU consumption and search outage) via crafted LDAP search requests with patterns, related to a single-threaded regular-expression subsystem. Michael Wood DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Operating System Stack-based buffer overflow in the NetpManageIPCConnect function in the Workstation service (wkssvc.dll) in Microsoft Windows 2000 SP4 and XP SP2 allows remote attackers to execute arbitrary code via NetrJoinDomain2 RPC messages with a long hostname. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows Vista through SP1 and Server 2008 do not properly import the default IPsec policy from a Windows Server 2003 domain to a Windows Server 2008 domain, which prevents IPsec rules from being enforced and allows remote attackers to bypass intended access restrictions. Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft FrontPage Server Extensions 2000 Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Internet Explorer 6 Microsoft Office 2002 Microsoft Office 2003 Microsoft Visio 2000 Microsoft Visual Studio .NET 2005 Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via an image file with crafted gradient sizes in gradient fill input, which triggers a heap-based buffer overflow related to GdiPlus.dll and VGX.DLL, aka "GDI+ VML Buffer Overrun Vulnerability." Sudhir Gandhe DRAFT Todd Dolinsky DRAFT Microsoft Windows Server 2003 Services for UNIX The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. Jonathan Baker DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Internet Explorer 6 Microsoft Office 2002 Microsoft Office 2003 Microsoft Visio 2000 Microsoft Visual Studio .NET 2005 gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 does not properly perform memory allocation, which allows remote attackers to execute arbitrary code via a malformed EMF image file, aka "GDI+ EMF Memory Corruption Vulnerability." Sudhir Gandhe DRAFT Todd Dolinsky DRAFT Microsoft Windows XP Microsoft Windows Vista Apple iTunes Integer overflow in an unspecified third-party driver bundled with Apple iTunes before 8.0 on Windows allows local users to gain privileges via unknown vectors. Chandan S DRAFT DRAFT Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Internet Explorer Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Internet Explorer Microsoft Internet Explorer 5.01, 6, and 7 accesses uninitialized memory in certain conditions, which allows remote attackers to cause a denial of service (crash) and execute arbitrary code via vectors related to a document object "appended in a specific order" with "particular functions ... performed on" document objects, aka "HTML Objects Memory Corruption Vulnerability" or "Table Layout Memory Corruption Vulnerability," a different vulnerability than CVE-2008-2257. Sudhir Gandhe DRAFT Dragos Prisaca INTERIM INTERIM HP-UX 11 Buffer overflows and other vulnerabilities in multiple Common Desktop Environment (CDE) modules in HP-UX 10.10 through 11.11 allow attackers to cause a denial of service and possibly gain additional privileges. Michael Wood DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office 2000 Microsoft Office XP Microsoft Office 2003 Microsoft Office Project 2002 Microsoft Office Converter Pack Microsoft Works WPGIMP32.FLT in Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack; and Works 8 does not properly parse the length of a WordPerfect Graphics (WPG) file, which allows remote attackers to execute arbitrary code via a crafted WPG file, aka the "WPG Image File Heap Corruption Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Media Encoder Stack-based buffer overflow in the WMEncProfileManager ActiveX control in wmex.dll in Microsoft Windows Media Encoder 9 Series allows remote attackers to execute arbitrary code via a long first argument to the GetDetailsString method, aka "Windows Media Encoder Buffer Overrun Vulnerability." Sudhir Gandhe DRAFT Sudhir Gandhe INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Internet Explorer 6 Microsoft Office 2002 Microsoft Office 2003 Microsoft Visio 2000 Microsoft Visual Studio .NET 2005 Buffer overflow in gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a malformed WMF image file that triggers improper memory allocation, aka "GDI+ WMF Buffer Overrun Vulnerability." Sudhir Gandhe DRAFT Todd Dolinsky DRAFT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Operating Ssytem Heap-based buffer overflow in the Server Service (SRV.SYS driver) in Microsoft Windows 2000 SP4, XP SP1 and SP2, Server 2003 up to SP1, and other products, allows remote attackers to execute arbitrary code via crafted first-class Mailslot messages that triggers memory corruption and bypasses size restrictions on second-class Mailslot messages. Robert L. Hollis INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Admintool Buffer overflow in admintool in Solaris 2.6, 7, and 8 allows local users to gain root privileges via a long media installation path. David Proulx Matthew Wojcik Matthew Wojcik Matthew Wojcik INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 CUPS CUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office 2000 Microsoft Office XP Microsoft Office 2003 Microsoft Office Project 2002 Microsoft Office Converter Pack Microsoft Works Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack; and Works 8 do not properly parse the length of a PICT file, which allows remote attackers to execute arbitrary code via a crafted PICT file with an invalid bits_per_pixel field, aka the "PICT Filter Parsing Vulnerability," a different vulnerability than CVE-2008-3018. Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Windows Messenger 4.7 Windows Messenger 5.1 An ActiveX control (Messenger.UIAutomation.1) in Windows Messenger 4.7 and 5.1 is marked as safe-for-scripting, which allows remote attackers to control the Messenger application, and "change state," obtain contact information, and establish audio or video connections without notification via unknown vectors. Dragos Prisaca DRAFT INTERIM Dragos Prisaca INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The application Windows Messenger 4.7 is installed Dragos Prisaca DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.2 IBM AIX 5.3 Buffer overflow in tftp in bos.net.tcp.client in IBM AIX 5.2.0 and 5.3.0 allows local users to gain privileges via unspecified vectors. Michael Wood DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Internet Explorer 6 Microsoft Office 2002 Microsoft Office 2003 Microsoft Visio 2000 Microsoft Visual Studio .NET 2005 gdiplus.dll in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a malformed GIF image file containing many extension markers for graphic control extensions and subsequent unknown labels, aka "GDI+ GIF Parsing Vulnerability." Sudhir Gandhe DRAFT Todd Dolinsky DRAFT HP-UX 11 Unspecified vulnerability in xterm for HP-UX 11.00, 11.11, and 11.23 allows local users to gain privileges via unknown vectors. Robert L. Hollis DRAFT INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 ftpd.c in (1) wu-ftpd 2.4.2 and (2) ftpd in HP HP-UX B.11.11 assigns uid 0 to the FTP client in certain operating-system misconfigurations in which PAM authentication can succeed even though no passwd entry is available for a user, which allows remote attackers to gain privileges, as demonstrated by a login attempt for an LDAP account when nsswitch.conf does not specify LDAP for passwd information. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Office 2002 Microsoft Office 2003 Microsoft Office 2007 Microsoft Office 2007 Compatibility Pack Microsoft OneNote 2007 Microsoft Office XP SP3, 2003 SP2 and SP3, 2007 Office System Gold and SP1, and Office OneNote 2007 Gold and SP1 allow remote attackers to execute arbitrary code via a crafted onenote:// URL, aka "Uniform Resource Locator Validation Error Vulnerability." Sudhir Gandhe DRAFT INTERIM INTERIM Red Hat Linux 9 Sendmail The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Stack-based buffer overflow in the set_color_table function in sunras.c in the SUNRAS plugin in Gimp 2.2.14 allows user-assisted remote attackers to execute arbitrary code via a crafted RAS file. Pai Peng DRAFT INTERIM INTERIM HP-UX 11 Operating System Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in CDE Print Viewer (dtprintinfo) allows local users to execute arbitrary code by copying text from the clipboard into the Help window. Michael Wood DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2000 Microsoft Excel 2002 Microsoft Excel 2003 Microsoft Excel 2007 Microsoft SharePoint Server 2007 Microsoft Office Excel 2007 Gold and SP1 does not properly delete the PWD (password) string from connections.xml when a .xlsx file is configured not to save the remote data session password, which allows local users to obtain sensitive information and obtain access to a remote data source, aka the "Excel Credential Caching Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP MSN Messenger Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. Christine Walzer DRAFT INTERIM ACCEPTED Robert L. Hollis INTERIM Robert L. Hollis ACCEPTED Jonathan Baker INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker ACCEPTED ACCEPTED Cisco IOS The IOS HTTP service in Cisco routers and switches running IOS 11.1 through 12.1 allows remote attackers to cause a denial of service by requesting a URL that contains a %% string. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Microsoft Windows Vista Apple QuickTime Heap-based buffer overflow in Apple QuickTime 7.5.5 (7.55.90.70) allows remote attackers to cause a denial of service (browser crash) or possibly execute arbitrary code via a long type attribute in a quicktime tag (1) on a web page or embedded in a (2) .mp4 or (3) .mov file. Chandan S DRAFT DRAFT IBM AIX 5.2 IBM AIX 5.3 IBM AIX 6.1 swcons in bos.rte.console in IBM AIX 5.2.0 through 6.1.1 allows local users in the system group to create or overwrite an arbitrary file, and establish weak permissions and root ownership for this file, via unspecified vectors. NOTE: this can be leveraged to gain privileges. NOTE: this issue exists because of an incomplete fix for CVE-2007-5805. Michael Wood DRAFT DRAFT HP-UX 11 ftpd The FTP server in HP-UX 10.20, B.11.00, and B.11.11, allows remote attackers to list arbitrary directories as root by running the LIST command before logging in. Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED Todd Dolinsky INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Network News Transport Protocol (NNTP) The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. Christine Walzer DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Heap-based buffer overflow in the InternalOpenColorProfile function in mscms.dll in Microsoft Windows Image Color Management System (MSCMS) in the Image Color Management (ICM) component on Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2 allows remote attackers to execute arbitrary code via a crafted image file. Sudhir Gandhe DRAFT Dragos Prisaca INTERIM INTERIM HP-UX 11 A potential security vulnerability has been identified with HP-UX running rpcbind. The vulnerability could be remotely exploited to create a Denial of Service (DoS) . Michael Wood DRAFT DRAFT Sun Solaris 7 Sun Solaris 8 Sun Solaris 9 Licence Logging Service Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code. Brian Soby DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS The HTTP server in Cisco IOS 12.0 through 12.1 allows local users to cause a denial of service (crash and reload) via a URL containing a "?/" string. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Internet Explorer Microsoft Internet Explorer 6 and 7 does not perform proper "argument validation" during print preview, which allows remote attackers to execute arbitrary code via unknown vectors, aka "HTML Component Handling Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft FrontPage Server Extensions 2000 Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. Andrew Buttner Andrew Buttner INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED Glenn Strickland INTERIM ACCEPTED Jonathan Baker INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c for gimp before 2.2.12 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XCF file with a large num_axes value in the VECTORS property. Pai Peng DRAFT INTERIM INTERIM Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Publisher Stack-based buffer overflow in Microsoft Publisher 2000 through 2003 allows user-assisted remote attackers to execute arbitrary code via a crafted PUB file, which causes an overflow when parsing fonts. Robert L. Hollis DRAFT Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Remote Procedure Call (RPC) The RPC component in Windows 2000, Windows NT 4.0, and Windows XP allows remote attackers to cause a denial of service (disabled RPC service) via a malformed packet to the RPC Endpoint Mapper at TCP port 135, which triggers a null pointer dereference. Tiffany Bergeron Christine Walzer INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2002 Microsoft Word 2003 Microsoft Office Word 2002 SP3 allows remote attackers to execute arbitrary code via a .doc file that contains malformed data, as exploited in the wild in July 2008, and as demonstrated by attachement.doc. Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS Firewall Feature set, aka Context Based Access Control (CBAC) or Cisco Secure Integrated Software, for IOS 11.2P through 12.2T does not properly check the IP protocol type, which could allow remote attackers to bypass access control lists. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Outlook Express Microsoft Mail The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka "URL Parsing Cross-Domain Information Disclosure Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2000 Microsoft Excel 2002 Microsoft Excel 2003 Microsoft Office Excel 2000 SP3, 2002 SP3, and 2003 SP2 and SP3; Office Excel Viewer 2003; and Office 2004 and 2008 for Mac do not properly validate index values for AxesSet records when loading Excel files, which allows remote attackers to execute arbitrary code via a crafted Excel file, aka the "Excel Indexing Validation Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple unspecified vulnerabilities in Sun Solaris 8 through 10 allow local users to gain privileges via vectors related to handling of tags with (1) the -t option and (2) the :tag command in the (a) vi, (b) ex, (c) vedit, (d) view, and (e) edit programs. Todd Dolinsky DRAFT DRAFT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Vista Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Office 2002 Microsoft Office 2003 Microsoft Visio 2000 Microsoft Visual Studio .NET 2005 Integer overflow in gdiplus.dll in GDI+ in Microsoft Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a BMP image file with a malformed BitMapInfoHeader that triggers a buffer overflow, aka "GDI+ BMP Integer Overflow Vulnerability." Sudhir Gandhe DRAFT INTERIM INTERIM Microsoft Windows Server 2003 Microsoft Internet Explorer Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. Andrew Buttner Andrew Buttner Andrew Buttner Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Office 2000 Microsoft Office XP Microsoft Office 2003 Microsoft Office Project 2002 Microsoft Office Converter Pack Microsoft Works Microsoft Office 2000 SP3, XP SP3, and 2003 SP2; Office Converter Pack; and Works 8 do not properly parse the length of a PICT file, which allows remote attackers to execute arbitrary code via a crafted PICT file, aka the "Malformed PICT Filter Vulnerability," a different vulnerability than CVE-2008-3021. Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Multiple cross-site scripting (XSS) vulnerabilities in the adminutil library in the Directory Server Administration Express and Directory Server Gateway (DSGW) web interface in Red Hat Directory Server 7.1 before SP7 and 8 EL4 and EL5, and Fedora Directory Server, allow remote attackers to inject arbitrary web script or HTML via input values that use % (percent) escaping. Michael Wood DRAFT INTERIM INTERIM Cisco IOS Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Windows Shell The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. Harvey Rubinovitz DRAFT INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED ACCEPTED Cisco IOS Unspecified vulnerability in Cisco IOS 12.2SXA, SXB, SXD, and SXF; and the MSFC2, MSFC2a and MSFC3 running in Hybrid Mode on Cisco Catalyst 6000, 6500 and Cisco 7600 series systems; allows remote attackers on a local network segment to cause a denial of service (software reload) via a certain MPLS packet. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cross-site scripting (XSS) vulnerability in Cisco IOS Web Server for IOS 12.0(2a) allows remote attackers to inject arbitrary web script or HTML by (1) packets containing HTML that an administrator views via an HTTP interface to the contents of memory buffers, as demonstrated by the URI /level/15/exec/-/buffers/assigned/dump; or (2) sending the router Cisco Discovery Protocol (CDP) packets with HTML payload that an administrator views via the CDP status pages. NOTE: these vectors were originally reported as being associated with the dump and packet options in /level/15/exec/-/show/buffers. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.2E, 12.2F, and 12.2S places a "no login" line into the VTY configuration when an administrator makes certain changes to a (1) VTY/AUX or (2) CONSOLE setting on a device without AAA enabled, which allows remote attackers to bypass authentication and obtain a terminal session, a different vulnerability than CVE-1999-0293 and CVE-2005-2105. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Multiple buffer overflows in the adminutil library in CGI applications in Red Hat Directory Server 7.1 before SP7 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted Accept-Language HTTP header. Michael Wood DRAFT INTERIM INTERIM Cisco IOS Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not properly handle the implicit "deny ip any any" rule in an outgoing ACL when the ACL contains exactly 448 entries, which can allow some outgoing packets to bypass access restrictions. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.1, 12.2, 12.3, and 12.4, with IPv4 UDP services and the IPv6 protocol enabled, allows remote attackers to cause a denial of service (device crash and possible blocked interface) via a crafted IPv6 packet to the device. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 98 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner INTERIM ACCEPTED Harvey Rubinovitz INTERIM INTERIM Cisco IOS PPTP implementation in Cisco IOS 12.1 and 12.2 allows remote attackers to cause a denial of service (crash) via a malformed packet. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS The Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XE to 12.3T allows remote attackers to bypass IPS signatures that use regular expressions via fragmented packets. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS allows remote attackers to cause a denial of service (crash) via a crafted IPv6 Type 0 Routing header. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in libc on HP HP-UX B.11.23 and B.11.31 allows remote attackers to cause a denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.2T, 12.3 and 12.3T, when using Easy VPN Server XAUTH version 6 authentication, allows remote attackers to bypass authentication via a "malformed packet." Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Unspecified vulnerability in Cisco Unified Communications Manager (CUCM) 5.0, 5.1, and 6.0, and IOS 12.0 through 12.4, allows remote attackers to execute arbitrary code via a malformed SIP packet, aka CSCsi80102. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 95 Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word 97 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. Andrew Buttner INTERIM ACCEPTED Ingrid Skoog INTERIM Ingrid Skoog Dragos Prisaca INTERIM Cisco IOS Multiple SSH2 servers and clients do not properly handle packets or data elements with incorrect length specifiers, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Multiple SSH2 servers and clients do not properly handle large packets or large fields, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code via buffer overflow attacks, as demonstrated by the SSHredder SSH protocol test suite. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco Internetwork Operating System (IOS) 12.0S through 12.3T attempts to process SNMP solicited operations on improper ports (UDP 162 and a randomly chosen UDP port), which allows remote attackers to cause a denial of service (device reload and memory corruption). Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Unspecified vulnerability in Cisco IOS and Cisco IOS XR 12.x up to 12.3, including some versions before 12.3(15) and 12.3(14)T, allows remote attackers to obtain sensitive information (partial packet contents) or cause a denial of service (router or component crash) via crafted IPv6 packets with a Type 0 routing header. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 mozilla Buffer overflow in the International Domain Name (IDN) support in Mozilla Firefox 1.0.6 and earlier, and Netscape 8.0.3.3 and 7.2, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a hostname with all "soft" hyphens (character 0xAD), which is not properly handled by the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec. Robert L. Hollis DRAFT INTERIM ACCEPTED Jonathan Baker INTERIM Jonathan Baker ACCEPTED Jonathan Baker INTERIM Jonathan Baker ACCEPTED ACCEPTED Cisco IOS Cisco 6400 Access Concentrator Node Route Processor 2 (NRP2) 12.1DC card does not properly disable access when a password has not been set for vtys, which allows remote attackers to obtain access via telnet. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel 2000 Microsoft Excel 2002 Microsoft Excel 2003 Microsoft Excel 2007 Microsoft SharePoint Server 2007 Array index vulnerability in Microsoft Office Excel 2000 SP3 and 2002 SP3, and Office 2004 and 2008 for Mac allows remote attackers to execute arbitrary code via an Excel file with a crafted array index for a FORMAT record, aka the "Excel Index Array Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS The TCL shell in Cisco IOS 12.2(14)S before 12.2(14)S16, 12.2(18)S before 12.2(18)S11, and certain other releases before 25 January 2006 does not perform Authentication, Authorization, and Accounting (AAA) command authorization checks, which may allow local users to execute IOS EXEC commands that were prohibited via the AAA configuration, aka Bug ID CSCeh73049. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Land IP denial of service. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS The ATOMIC.TCP signature engine in the Intrusion Prevention System (IPS) feature for Cisco IOS 12.4XA, 12.3YA, 12.3T, and other trains allows remote attackers to cause a denial of service (IPS crash and traffic loss) via unspecified manipulations that are not properly handled by the regular expression feature, as demonstrated using the 3123.0 (Netbus Pro Traffic) signature. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS The Session Initiation Protocol (SIP) implementation in Alcatel OmniPCX Enterprise 5.0 Lx allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco 6000, 6500, and 7600 series systems with Multilayer Switch Feature Card 2 (MSFC2) and a FlexWAN or OSM module allow local users to cause a denial of service (hang or reset) by sending a layer 2 frame packet that encapsulates a layer 3 packet, but has inconsistent length values with that packet. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Some classic Cisco IOS devices have a vulnerability in the PPP CHAP authentication to establish unauthorized PPP connections. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS The default configuration of IOS HTTP server in Cisco Router Web Setup (CRWS) before 3.3.0 build 31 does not require credentials, which allows remote attackers to access the server with arbitrary privilege levels, aka bug CSCsa78190. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.2 and earlier generates a "% Login invalid" message instead of prompting for a password when an invalid username is provided, which allows remote attackers to identify valid usernames on the system and conduct brute force password guessing, as reported for the Aironet Bridge. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.2 and earlier running Cisco Discovery Protocol (CDP) allows remote attackers to cause a denial of service (memory consumption) via a flood of CDP neighbor announcements. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS The data-link switching (DLSw) component in Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service (device restart or memory consumption) via crafted (1) UDP port 2067 or (2) IP protocol 91 packets. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Internet Explorer Microsoft Internet Explorer 6 and 7 accesses uninitialized memory, which allows remote attackers to cause a denial of service (crash) and execute arbitrary code via unknown vectors, aka "HTML Object Memory Corruption Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 98 Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Virtual Machine (VM) Two vulnerabilities in Microsoft Virtual Machine (VM) up to and including build 5.0.3805, as used in Internet Explorer and other applications, allow remote attackers to read files via a Java applet with a spoofed location in the CODEBASE parameter in the APPLET tag, possibly due to a parsing error. Tiffany Bergeron INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.1(2)T, 12.1(3)T allow remote attackers to cause a denial of service (reload) via a connection to TCP ports 3100-3999, 5100-5999, 7100-7999 and 10100-10999. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the HP System Administration Manager (SAM) on HP-UX B.11.11 and B.11.23, when used to configure NFS, might allow remote attackers to read or modify arbitrary files, related to an "empty systems list." Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.0S through 12.3YH allows remote attackers to cause a denial of service (device restart) via a crafted IPv6 packet. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in the reply_netbios_packet function in nmbd/nmbd_packets.c in nmbd in Samba 3.0.0 through 3.0.26a, when operating as a WINS server, allows remote attackers to execute arbitrary code via crafted WINS Name Registration requests followed by a WINS Name Query request. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Format string vulnerability in the swask command in HP-UX B.11.11 and possibly other versions allows local users to execute arbitrary code via format string specifiers in the -s argument. NOTE: this might be a duplicate of CVE-2006-2574, but the details relating to CVE-2006-2574 are too vague to be certain. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.0 through 12.2, when supporting SSH, allows remote attackers to cause a denial of service (CPU consumption) via a large packet that was designed to exploit the SSH CRC32 attack detection overflow (CVE-2001-0144). Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Buffer overflow in the kimgio library for KDE 3.4.0 allows remote attackers to execute arbitrary code via a crafted PCX image file. Pai Peng DRAFT INTERIM INTERIM Cisco IOS Cisco IOS 12.0 through 12.4 allows remote attackers to cause a denial of service (device crash) via (1) "abnormal" MGCP messages, aka CSCsd81407; and (2) a large facsimile packet, aka CSCej20505. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows NT Microsoft Internet Information Server (IIS) Cross-site scripting vulnerability for Internet Information Server (IIS) 4.0, 5.0 and 5.1 allows remote attackers to execute arbitrary script as other web users via the error message used in a URL redirect (""302 Object Moved") message. Tiffany Bergeron ACCEPTED Cisco IOS Multiple SSH2 servers and clients do not properly handle strings with null characters in them when the string length is specified by a length field, which could allow remote attackers to cause a denial of service or possibly execute arbitrary code due to interactions with the use of null-terminated strings as implemented using languages such as C, as demonstrated by the SSHredder SSH protocol test suite. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 4.3 Multiple buffer overflows in IBM AIX 4.3 allow remote attackers to cause a denial of service (crash) or possibly gain privileges via a long argument to (1) piox25, related to piox25.c; or (2) piox25remote, related to piox25remote.sh. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Vulnerability in the newgrp program included with HP9000 servers running HP-UX 11.11 allows a local attacker to obtain higher access rights. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in CDE libDtSvc on HP-UX B.11.00, B.11.04, B.11.11, and B.11.22 allows local users to gain root privileges via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 shar on HP-UX B.11.00, B.11.04, and B.11.11 creates temporary files with predictable names in /tmp, which allows local users to cause a denial of service and possibly execute arbitrary code via a symlink attack. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS SNMPv3 HMAC verification in (1) Net-SNMP 5.2.x before 5.2.4.1, 5.3.x before 5.3.2.1, and 5.4.x before 5.4.1.1; (2) UCD-SNMP; (3) eCos; (4) Juniper Session and Resource Control (SRC) C-series 1.0.0 through 2.0.0; (5) NetApp (aka Network Appliance) Data ONTAP 7.3RC1 and 7.3RC2; (6) SNMP Research before 16.2; (7) multiple Cisco IOS, CatOS, ACE, and Nexus products; and (8) Ingate Firewall 3.1.0 and later and SIParator 3.1.0 and later relies on the client to specify the HMAC length, which makes it easier for remote attackers to bypass SNMP authentication via a length value of 1, which only checks the first byte. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 11.1CC through 12.2 with Cisco Express Forwarding (CEF) enabled includes portions of previous packets in the padding of a MAC level packet when the MAC packet's length is less than the IP level packet length. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflows in HP Software Distributor (SD) for HPUX 10.x and 11.x. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Multiple memory leaks in Cisco IOS 12.0 through 12.4 allow remote attackers to cause a denial of service (device crash) via a malformed SIP packet, aka (1) CSCsf11855, (2) CSCeb21064, (3) CSCse40276, (4) CSCse68355, (5) CSCsf30058, (6) CSCsb24007, and (7) CSCsc60249. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Word Unspecified vulnerability in Microsoft Word 2000, 2002, and Office 2003 allows remote user-assisted attackers to execute arbitrary code via unspecified vectors involving a crafted file resulting in a malformed stack, as exploited by malware with names including Trojan.Mdropper.Q, Mofei, and Femo. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The logins command in HP-UX B.11.31, B.11.23, and B.11.11 does not correctly report password status, which allows remote attackers to obtain privileges when certain "password issues" are not detected. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS The RSA Crypto-C before 6.3.1 and Cert-C before 2.8 libraries, as used by RSA BSAFE, multiple Cisco products, and other products, allows remote attackers to cause a denial of service via malformed ASN.1 objects. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 HP-UX B.11.00 through B.11.23, when running Ignite-UX and using the add_new_client command, causes the TFTP server to set world-writable permissions on part of the directory tree, which allows remote attackers to modify data or cause disk consumption. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Multiple cross-site scripting (XSS) vulnerabilities in HP System Management Homepage (SMH) in HP-UX B.11.11, B.11.23, and B.11.31, and SMH before 2.1.10 for Linux and Windows, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 9 Sun Solaris 10 Integer overflow in the seek_to_and_unpack_pixeldata function in the psd.c plugin in Gimp 2.2.15 allows remote attackers to execute arbitrary code via a crafted PSD file that contains a large (1) width or (2) height value. Pai Peng DRAFT INTERIM INTERIM Cisco IOS The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Internet Explorer Microsoft Internet Explorer 5.01 and 6 does not properly identify the originating domain zone when handling redirects, which allows remote attackers to read cross-domain web pages and possibly execute code via unspecified vectors involving a crafted web page, aka "Source Element Cross-Domain Vulnerability." Robert L. Hollis DRAFT INTERIM ACCEPTED Matthew Wojcik INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco 12000 with IOS 12.0 and line cards based on Engine 2 and earlier allows remote attackers to cause a denial of service (CPU consumption) by flooding the router with traffic that generates a large number of ICMP Unreachable replies. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft PowerPoint Integer overflow in Microsoft PowerPoint Viewer 2003 allows remote attackers to execute arbitrary code via a PowerPoint file with a malformed picture index that triggers memory corruption, related to handling of CString objects, aka "Memory Allocation Vulnerability." Dragos Prisaca DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The Xserver for HP-UX 11.22 was not properly built, which introduced a vulnerability that allows local users to gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 RLPDaemon in HP-UX 10.20 and 11.0 allows local users to overwrite arbitrary files and gain privileges by specifying the target file in the -L option. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Unspecified vulnerability in the event port implementation in Sun Solaris 10 allows local users to cause a denial of service (panic) by submitting and retrieving user-defined events, probably related to a NULL dereference. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 HP-UX B.11.00, B.11.04, B.11.11, and B.11.23 allows remote attackers to cause a denial of service via a "Rose Attack" that involves sending a subset of small IP fragments that do not form a complete, larger packet. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Operating System COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED VMWare ESX Server 3 VMWare ESX Server 2 Buffer overflow in the openwsman management service in VMware ESXi 3.5 and ESX 3.5 allows remote authenticated users to gain privileges via an "invalid Content-Length." Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The "file handling" in sort in HP-UX 10.01 through 10.20, and 11.00 through 11.11 is "incorrect," which allows attackers to gain access or cause a denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.2T through 12.4 allows remote attackers to bypass Authentication, Authorization, and Accounting (AAA) RADIUS authentication, if the fallback method is set to none, via a long username. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco 12000 with IOS 12.0 and line cards based on Engine 2 does not properly filter does not properly filter packet fragments even when the "fragment" keyword is used in an ACL, which allows remote attackers to bypass the intended access controls. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Denial of service in HP-UX SharedX recserv program. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows Workstation Service Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. Tiffany Bergeron ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in X.25 on HP-UX B.11.00, B.11.11, and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors. Michael Wood Michael Wood INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the kernel in HP-UX B.11.00, B.11.11, and B.11.23 allows local users to cause an unspecified denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.4 and earlier, when using the crypto packages and SSL support is enabled, allows remote attackers to cause a denial of service via a malformed (1) ClientHello, (2) ChangeCipherSpec, or (3) Finished message during an SSL session. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.2 IBM AIX 5.3 Multiple buffer overflows in bos.rte.control in IBM AIX 5.2 and 5.3 allow local users to gain privileges via unspecified vectors related to the (1) swap, (2) swapoff, and (3) swapon programs. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 A later variation on the Teardrop IP denial of service attack, a.k.a. Teardrop-2. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 8 Sun Solaris 9 Sun Solaris 10 Multiple format string vulnerabilities in snoop on Sun Solaris 8 through 10 and OpenSolaris before snv_96, when the -o option is omitted, allow remote attackers to execute arbitrary code via format string specifiers in an SMB packet. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS MD5 Neighbor Authentication in Extended Interior Gateway Routing Protocol (EIGRP) 1.2, as implemented in Cisco IOS 11.3 and later, does not include the Message Authentication Code (MAC) in the checksum, which allows remote attackers to sniff message hashes and (1) replay EIGRP HELLO messages or (2) cause a denial of service by sending a large number of spoofed EIGRP neighbor announcements, which results in an ARP storm on the local network. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows ME Microsoft Windows NT Microsoft Windows 2000 Microsoft Windows XP Microsoft Internet Explorer Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. Harvey Rubinovitz DRAFT INTERIM ACCEPTED Christine Walzer INTERIM ACCEPTED John Hoyland INTERIM ACCEPTED Robert L. Hollis INTERIM ACCEPTED Jeff Cheng INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.2T, 12.3 and 12.3T, when processing an ISAKMP profile that specifies XAUTH authentication after Phase 1 negotiation, may not process certain attributes in the ISAKMP profile that specifies XAUTH, which allows remote attackers to bypass XAUTH and move to Phase 2 negotiations. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The NSAPI plugins for TGA and the Java Servlet proxy in HP-UX VVOS 10.24 and 11.04 allows an attacker to cause a denial of service (high CPU utilization). Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in rpc.yppasswdd in HP HP-UX B.11.11, B.11.23, and B.11.31 allows remote attackers to cause a denial of service (daemon crash) via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response. Pai Peng DRAFT INTERIM ACCEPTED ACCEPTED Sun Solaris 10 Integer signedness error in the ip_set_srcfilter function in the IP Multicast Filter in uts/common/inet/ip/ip_multi.c in the kernel in Sun Solaris 10 and OpenSolaris before snv_92 allows local users to execute arbitrary code in other Solaris Zones via an SIOCSIPMSFILTER IOCTL request with a large value of the imsf->imsf_numsrc field, which triggers an out-of-bounds write of kernel memory. NOTE: this was reported as an integer overflow, but the root cause involves the bypass of a signed comparison. Todd Dolinsky DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflows in lpspooler in the fileset PrinterMgmt.LP-SPOOL of HP-UX 11.0 and earlier allows local users to gain privileges. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows XP Windows Shell The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. Harvey Rubinovitz DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Implementations of SSH version 1.5, including (1) OpenSSH up to version 2.3.0, (2) AppGate, and (3) ssh-1 up to version 1.2.31, in certain configurations, allow a remote attacker to decrypt and/or alter traffic via a "Bleichenbacher attack" on PKCS#1 version 1.5. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 The June 1999 version of the HP-UX aserver program allows local users to gain privileges by specifying an alternate PATH which aserver uses to find the awk command. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Land IP denial of service. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." Jeff Ito DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft PowerPoint A "memory calculation error" in Microsoft PowerPoint Viewer 2003 allows remote attackers to execute arbitrary code via a PowerPoint file with an invalid picture index that triggers memory corruption, aka "Memory Calculation Vulnerability." Dragos Prisaca DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Multiple SSH2 servers and clients do not properly handle lists with empty elements or strings, which may allow remote attackers to cause a denial of service or possibly execute arbitrary code, as demonstrated by the SSHredder SSH protocol test suite. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Vista Microsoft Windows Server 2008 Internet Explorer Heap-based buffer overflow in the substringData method in Microsoft Internet Explorer 6 and 7 allows remote attackers to execute arbitrary code, related to an unspecified manipulation of a DOM object before a call to this method, aka the "HTML Objects Memory Corruption Vulnerability." Sudhir Gandhe DRAFT INTERIM ACCEPTED ACCEPTED Red Hat Linux 9 Sendmail The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. Jay Beale INTERIM Jay Beale ACCEPTED Thomas R. Jones INTERIM ACCEPTED ACCEPTED Cisco IOS Crosscom/Olicom XLT-F running XL 80 IM Version 5.5 Build Level 2 allows a remote attacker SNMP read and write access via a default, undocumented community string 'ILMI'. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS The Data-link Switching (DLSw) feature in Cisco IOS 11.0 through 12.4 allows remote attackers to cause a denial of service (device reload) via "an invalid value in a DLSw message... during the capabilities exchange." Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS Cisco IOS 12.0, 12.1, and 12.2, when GRE IP tunneling is used and the RFC2784 compliance fixes are missing, does not verify the offset field of a GRE packet during decapsulation, which leads to an integer overflow that references data from incorrect memory locations, which allows remote attackers to inject crafted packets into the routing queue, possibly bypassing intended router ACLs. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Cisco IOS TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Buffer overflow in the sw_rpc_agent_init function in swagentd in Software Distributor (SD), and possibly other DCE applications, in HP HP-UX B.11.11 and B.11.23 allows remote attackers to execute arbitrary code or cause a denial of service via malformed arguments in an opcode 0x04 DCE RPC request. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the FTP Daemon (ftpd) for HP Tru64 UNIX 4.0F PK8 and other versions up to HP Tru64 UNIX 5.1B-3, and HP-UX B.11.00, B.11.04, B.11.11, and B.11.23, allows remote authenticated users to cause a denial of service (hang). Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED IBM AIX 5.2 IBM AIX 5.3 Multiple buffer overflows in IBM AIX 5.2 and 5.3 allow local users to gain privileges via unspecified vectors related to the (1) lchangevg, (2) ldeletepv, (3) putlvodm, (4) lvaryoffvg, and (5) lvgenminor programs in bos.rte.lvm; and the (6) tellclvmd program in bos.clvm.enh. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the kernel in HP-UX B.11.00 allows local users to cause an unspecified denial of service via unknown vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Stack-based buffer overflow in the FTP daemon in HP-UX 11.11i, with the -v (debug) option enabled, allows remote attackers to execute arbitrary code via a long command request. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 JFS (JFS3.1 and OnlineJFS) in HP-UX 10.20, 11.00, and 11.04 does not properly implement the sticky bit functionality, which could allow attackers to bypass intended restrictions on filesystems. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Excel Unspecified vulnerability in Microsoft Excel 2000, 2002, 2003, 2004 for Mac, v.X for Mac, Excel Viewer 2003, and Microsoft Works Suite 2004 through 2006 allows user-assisted attackers to execute arbitrary code via a crafted DATETIME record in an XLS file, a different vulnerability than CVE-2006-3867 and CVE-2006-3875. Robert L. Hollis DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Internet Explorer The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality." David Proulx Christine Walzer INTERIM ACCEPTED ACCEPTED Cisco IOS IP Security VPN Services Module (VPNSM) in Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Routers running IOS before 12.2(17b)SXA, before 12.2(17d)SXB, or before 12.2(14)SY03 could allow remote attackers to cause a denial of service (device crash and reload) via a malformed Internet Key Exchange (IKE) packet. Yuzheng Zhou DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Exchange Server Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) for Exchange Server 2003 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified HTML, a different vulnerability than CVE-2008-2247. Jeff Ito DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unspecified vulnerability in the Address and Routing Parameter Area (ARPA) transport software in HP-UX B.11.00, B.11.04, and B.11.11 before 20040628 allows local users to cause a denial of service via unspecified vectors. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED Microsoft Windows 2000 Microsoft Windows XP Microsoft Windows Server 2003 The application Windows Messenger 5.1 is installed Dragos Prisaca DRAFT INTERIM ACCEPTED ACCEPTED HP-UX 11 Unknown vulnerability in BIND 9.2.0 in HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers to cause a denial of service. Michael Wood DRAFT INTERIM ACCEPTED ACCEPTED