MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase

To: cve-review@linus.mitre.org
Subject: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Tue, 22 Jun 1999 17:21:40 -0400 (EDT)

All:

The following 25 candidates have been moved to the MODIFICATION phase.
They represent the bulk of the CERT cluster that I haven't made a
Final Decision on yet.  I have defined a MODIFY-01 cluster to hold
these vulnerabilities.

I expect to move these candidates to Interim Decision by Friday June
25, barring any issues raised by the Editorial Board; so I expect to
make a Final Decision on these by 6/30.

1) I have changed the candidates slightly to reflect board members'
comments.  These changes are explicitly noted in the candidate list.

2) Editorial Board members need to re-vote for these candidates.  In
the next email, I will list people's votes for the original
candidates.

3) I've changed the format of the candidate list slightly.  It
includes the dates of each phase for the candidate, and a specific
line for you to fill in your vote.  Please list your vote on the VOTE:
line after each candidate, and reply with the full text.  I know this
takes up bytes, but I've been tallying votes manually and I'm getting
concerned about making some mistakes.  I hope to refine this process
as time goes on.

4) Most of the modifications involve adding references to the X-Force
database; some involve minor changes to the description text.


Thanks,
- Steve



Summary of votes to use (in ascending order of "severity"):

ACCEPT - member accepts the candidate as proposed
NOOP - member has no opinion on the candidate
MODIFY - member wants to change some minor detail (e.g. reference/description)
REVIEWING - member is reviewing/researching the candidate
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

Please write your vote on the line that starts with "VOTE: ".  If you
want to add comments or details, add them to lines after the VOTE: line.


=================================
Candidate: CAN-1999-0003
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:aix-ttdbserver
Reference: XF:tooltalk
Reference: CERT:CA-98.11.tooltalk
Reference: NAI:NAI-29
Reference: SGI:19981101-01-A
Reference: SGI:19981101-01-PX

Execute commands as root via buffer overflow in Tooltalk database
server (rpc.ttdbserverd)

Modifications:
  ADDREF XF:aix-ttdbserver
  ADDREF XF:tooltalk

VOTE: 

=================================
Candidate: CAN-1999-0004
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-98.10.mime_buffer_overflows
Reference: XF:outlook-long-name
Reference: SUN:00175

MIME buffer overflow in email clients, e.g. Solaris mailtool
and Outlook.

Modifications:
  ADDREF MS:MS98-008
  DESC include Outlook

VOTE: 

=================================
Candidate: CAN-1999-0018
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.26.statd
Reference: XF:statd
Reference: AUSCERT:AA-97.29

Buffer overflow in statd allows root privileges.

Modifications:
  DESC remove CERT advisory from text

VOTE: 

=================================
Candidate: CAN-1999-0035
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ftp-ftpd
Reference: CERT:CA-97.16.ftpd
Reference: AUSCERT:AA-97.03

Race condition in signal handling routine in ftpd, allowing read/write
arbitrary files.

Modifications:
  ADDREF XF:ftp-ftpd

VOTE: 

=================================
Candidate: CAN-1999-0046
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-97.06.rlogin-term
Reference: XF:rlogin-termbo

Buffer overflow of rlogin program using TERM environmental variable

Modifications:
  DELREF XF:bsdi-rlogind
  ADDREF XF:rlogin-termbo

VOTE: 

=================================
Candidate: CAN-1999-0049
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:sgi-csetup
Reference: CERT:CA-97.03.csetup

Csetup under IRIX allows arbitrary file creation or overwriting.

Modifications:
  ADDREF XF:sgi-csetup

VOTE: 

=================================
Candidate: CAN-1999-0051
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:sgi-licensemanager
Reference: CERT:CA-97.01.flex_lm
Reference: AUSCERT:AA-96.03

Arbitrary file creation and program execution using FLEXlm
LicenseManager, from versions 4.0 to 5.0, in IRIX.

Modifications:
  ADDREF XF:sgi-licensemanager

VOTE: 

=================================
Candidate: CAN-1999-0078
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-96.08.pcnfsd
Reference: XF:rpc-pcnfsd

pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions,
or execute arbitrary commands through arguments in the RPC call.

Modifications:
  DELREF XF:nfs-pcnfsd

VOTE: 

=================================
Candidate: CAN-1999-0099
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: CERT:CA-95.13.syslog.vul
Reference: XF:smtp-syslog

A buffer overflow in the syslog utility allows remote execution
through Sendmail and possibly other mail servers.

Modifications:
  DESC could be through other mailers besides Sendmail

VOTE: 

=================================
Candidate: CAN-1999-0117
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ibm-passwd
Reference: CERT:CA-92:07.AIX.passwd.vulnerability

AIX passwd allows local users to gain root access.

Modifications:
  ADDREF XF:ibm-passwd

VOTE: 

=================================
Candidate: CAN-1999-0128
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping

Oversized ICMP ping packets can result in a denial of service,
aka Ping o' Death.

Modifications:
  ADDREF XF:ping-death
  COMMENT Andre's other suggested ref's were for a buffer overflow
  COMMENT in the ping program, which is a different vulnerability.
  DESC slight wording change to identify this as Ping o' Death *only*

VOTE: 

=================================
Candidate: CAN-1999-0130
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:sendmail-daemon-mode
Reference: CERT:CA-96.24.sendmail.daemon.mode

Local users can start Sendmail in daemon mode and gain root privileges.

Modifications:
  ADDREF XF:sendmail-daemon-mode

VOTE: 

=================================
Candidate: CAN-1999-0131
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:smtp-875bo
Reference: CERT:CA-96.20.sendmail_vul

Buffer overflow and denial of service in Sendmail 8.7.5 and
earlier through GECOS field gives root access to local users.

Modifications:
  ADDREF XF:smtp-875bo

VOTE: 

=================================
Candidate: CAN-1999-0132
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:expreserve
Reference: CERT:CA-96.19.expreserve
Reference: XF:expreserve

Expreserve, used in vi and ex, allows local users to overwrite
arbitrary files and gain root access.

Modifications:
  ADDREF XF:expreserve

VOTE: 

=================================
Candidate: CAN-1999-0134
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:sol-voldtmp
Reference: CERT:CA-96.17.Solaris_vold_vul
Reference: AUSCERT:AL-96.04

vold in Solaris 2.x allows local users to gain root access

Modifications:
  ADDREF XF:sol-voldtmp

VOTE: 

=================================
Candidate: CAN-1999-0135
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:sun-admintool
Reference: CERT:CA-96.16.Solaris_admintool_vul
Reference: AUSCERT:AL-96.03

admintool in Solaris allows a local user to write to arbitrary files
and gain root access.

Modifications:
  ADDREF XF:sun-admintool

VOTE: 

=================================
Candidate: CAN-1999-0136
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:sol-KCMSvuln
Reference: AUSCERT:AL-96.02
Reference: CERT:CA-96.15.Solaris_KCMS_vul

Kodak Color Management System (KCMS) on Solaris allows a local user to
write to arbitrary files and gain root access.

Modifications:
  ADDREF XF:sol-KCMSvuln

VOTE: 

=================================
Candidate: CAN-1999-0137
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:linux-dipbo
Reference: CERT:CA-96.13.dip_vul
Reference: XF:dip-bo

The dip program on many Linux systems allows local users to gain root
access via a buffer overflow.

Modifications:
  ADDREF XF:linux-dipbo

VOTE: 

=================================
Candidate: CAN-1999-0141
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:http-java-applet
Reference: CERT:CA-96.07.java_bytecode_verifier
Reference: SUN:00134

Java Bytecode Verifier allowed malicious applets to execute
arbitrary commands as the user of the applet.

Modifications:
  ADDREF XF:http-java-applet

VOTE: 

=================================
Candidate: CAN-1999-0155
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:gscript-dsafer
Reference: CERT:CA-95.10.ghostscript

The ghostscript command with the -dSAFER option allows remote
attackers to execute commands.

Modifications:
  ADDREF XF:gscript-dsafer

VOTE: 

=================================
Candidate: CAN-1999-0164
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:sol-pstmprace
Reference: AUSCERT:AA-95.07
Reference: CERT:CA-95.09.Solaris.ps.vul

A race condition in the Solaris ps command allows an attacker to
overwrite critical files.

Modifications:
  ADDREF XF:sol-pstmprace

VOTE: 

=================================
Candidate: CAN-1999-0208
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:rpc-update
Reference: CERT:CA-95.17.rpc.ypupdated.vul

rpc.ypupdated (NIS) allowed remote users to execute arbitrary commands.

Modifications:
  ADDREF XF:rpc-update

VOTE: 

=================================
Candidate: CAN-1999-0209
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:selsvc
Reference: CERT:CA-90.05.sunselection.vulnerability

The SunView (SunTools) selection_svc facility allows remote users to
read files.

Modifications:
  ADDREF XF:selsvc

VOTE: 

=================================
Candidate: CAN-1999-0267
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:http-port
Reference: CERT:CA-95.04.NCSA.http.daemon.for.unix.vulnerability

Buffer overflow in NCSA HTTP daemon v1.3 allowed remote command execution.

Modifications:
  ADDREF XF:http-port

VOTE: 

=================================
Candidate: CAN-1999-0277
Published: 
Final-Decision: 
Interim-Decision: 
Modified: 19990621-01
Announced: 19990607
Assigned: 19990607
Category: SF
Reference: XF:workman
Reference: CERT:CA-96.23.workman_vul

The WorkMan program can be used to overwrite any file to get root access.

Modifications:
  ADDREF XF:workman

VOTE:
Prev by Date: Final Decision: 23 ACCEPTed candidates
Next by Date: MODIFY-01 cluster: summary of past votes
Prev by thread: Final Decision: 23 ACCEPTed candidates
Next by thread: Re: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase
Index(es):
- Date
- Thread