[VIM] GraceNote CDDBControl (CVE-2006-3134) = CDDBAOLControl (CVE-2006-6442)

Art Manion amanion at cert.org
Thu Dec 14 10:37:53 EST 2006

--On December 11, 2006 18:27:29 -0500 "Steven M. Christey" 
<coley at mitre.org> wrote:

> 3com's Zero Day Initiative has notified CVE that Secunia's recent
> announcement of a CDDBControlAOL.CDDBAOLControl overflow
> (CVE-2006-6442, SECUNIA:23043) is the same issue as originally
> reported by ZDI for Gracenote CDDBControl ActiveX Control
> (CVE-2006-3134).  Gracenote is the original vendor; this control is
> used in multiple products from different vendors.  Regarding the
> discrepancy in minor details - "option string" in CVE-2006-3134
> vs. "client ID" parameter in CVE-2006-6442 - ZDI says that they are
> the same.
> CVE is treating these as duplicates.  Since CVE-2006-3134 is more
> authoritative (with a vendor CONFIRM) and more established (being
> around since June), we will be using CVE-2006-3134 and marking
> CVE-2006-6442 as a duplicate.  Current CVE descriptions and references
> are included below for historical purposes.

FWIW, one of our analysts is very technically close to the issue and 
confirms they are the same thing.  Multiple vendors use/ship the GraceNote 
control, including AOL.


We're pointing to CVE-2006-3134.

 - Art

More information about the VIM mailing list