[VIM] GraceNote CDDBControl (CVE-2006-3134) = CDDBAOLControl (CVE-2006-6442)
amanion at cert.org
Thu Dec 14 10:37:53 EST 2006
--On December 11, 2006 18:27:29 -0500 "Steven M. Christey"
<coley at mitre.org> wrote:
> 3com's Zero Day Initiative has notified CVE that Secunia's recent
> announcement of a CDDBControlAOL.CDDBAOLControl overflow
> (CVE-2006-6442, SECUNIA:23043) is the same issue as originally
> reported by ZDI for Gracenote CDDBControl ActiveX Control
> (CVE-2006-3134). Gracenote is the original vendor; this control is
> used in multiple products from different vendors. Regarding the
> discrepancy in minor details - "option string" in CVE-2006-3134
> vs. "client ID" parameter in CVE-2006-6442 - ZDI says that they are
> the same.
> CVE is treating these as duplicates. Since CVE-2006-3134 is more
> authoritative (with a vendor CONFIRM) and more established (being
> around since June), we will be using CVE-2006-3134 and marking
> CVE-2006-6442 as a duplicate. Current CVE descriptions and references
> are included below for historical purposes.
FWIW, one of our analysts is very technically close to the issue and
confirms they are the same thing. Multiple vendors use/ship the GraceNote
control, including AOL.
We're pointing to CVE-2006-3134.