[VIM] windows clarity

Steven M. Christey coley at linus.mitre.org
Thu May 12 15:17:33 EDT 2005

Here's my original inquiry to MSRC.

I proposed creating separate CANs since they were separate issues, and
MSRC responded to confirm this.

- Steve

-----Original Message-----
From: Steven M. Christey [mailto:coley at mitre.org]
Sent: Tuesday, February 01, 2005 4:06 PM
To: Microsoft Security Response Center
Cc: coley at mitre.org
Subject: Clarification requested on CAN-2004-1049/MS05-002 ANI issue(s)


MS:MS05-002 discusses a "Cursor and Icon Format Handling Vulnerability"
and credits eEye, but also uses the CAN-2004-1049 reference, which is
for an xfocus-discovered issue.

Issue 1) The xfocus-reported issue is for an integer overflow in the
         LoadImage function.

         BUGTRAQ:20041223 Microsoft Windows LoadImage API Integer
                          Buffer overflow

Issue 2) The eEye-reported issue specifically involves manipulating
         the "Length_of_AnimationHeader" field, whose value is "not
         checked appropriately," however it's not an integer overflow
         (since eEye would be smart enough to label it as such)

         eEye further explicitly states "This vulnerability is a
         separate vulnerability from the ones discovered by Xfocus."

         BUGTRAQ:20050111 EEYE: Windows ANI File Parsing Buffer Overflow


By directly crediting eEye in MS05-002, but implicitly linking to the
xfocus issue in CAN-2004-1049, it seems to me that MS05-002 is covering
2 separate but closely related issues.

If this is the case, then I will update CAN-2004-1049 so that its
description mentions BOTH issues, and links to BOTH advisories.

Please confirm that this is the appropriate action.  The alternative
would be to create a separate candidate for the eEye issue, but that
doesn't seem like the proper way to go; since both issues involve the
same general type of vulnerability, I'd prefer that they stay combined.


More information about the VIM mailing list