[VIM] Helix Server LoadTestPassword Overflow
Steven M. Christey
coley at linus.mitre.org
Fri Mar 23 21:33:01 UTC 2007
On Fri, 23 Mar 2007, George A. Theall wrote:
> Has anyone had a chance to look at the buffer overflow in Helix Server
> covered by Evgeny Legerov (http://gleg.net/helix.txt)? SecurityFocus
> assigned it a new BID (23068) but it looks suspciously like the same
> flaw covered by BID 21141 / CVE-2006-6026 from last November.
I glanced at it too, it looks very similar. Only Leverov can confirm for
sure, I'd bet.
> Oddly, though, the description SecurityFocus has for the earlier BID
> says "The vendor refutes this issue, stating that the report is
> unsubstantiated". Does this mean the vendor (whichever) simply didn't
> have details for an exploit? Legerov claims to have notified the vendor
> in December...
Interestingly, he also says it had been in the pack since February 2006.
This was widely public around November 2006.
Internal CVE notes also suggest that "Helix Server and Helix DNA Server
are not the same. Helix Server is described on realnetworks.com and seems
to require a purchase. Helix DNA Server is described on helixcommunity.org
and seems to allow free source-code downloads after registration."
More information about the VIM