[VIM] CVE Dupes: 2007-4418 and 2005-2073 and CVE-2007-1089

security curmudgeon jericho at attrition.org
Wed Apr 30 20:20:14 UTC 2008


Normally I mail these directly to Steve, but I am sharing this as a 
cautionary tale for dealing with IBM vulnerabilities. OSVDB had dupes as a 
result of this (independent of CVE) mess as well. The root cause is IBM 
releasing a changelog with vague details, with different APAR numbers for 
the same issue, then later making the APAR details public.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2073

Changelog:
http://www-1.ibm.com/support/docview.wss?uid=swg21209727

APAR:
http://www-1.ibm.com/support/docview.wss?uid=swg1IY73104

This was a vague issue from a changelog, and the APAR was not open at the 
time, so we only had a few words to go off of.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-4418

Changelog:
http://www-1.ibm.com/support/docview.wss?uid=swg21255352

APAR:
http://www-1.ibm.com/support/docview.wss?uid=swg1JR25940

Same thing, the changelog was there with a vague idea, but the APAR wasn't 
open or available.

This CVE (2007-4418) also says it may be a duplicate to CVE 2007-1089.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1089

No changelog but this APAR:
http://www-1.ibm.com/support/docview.wss?uid=swg1JR25941

Now, look at these APARs:

http://www-1.ibm.com/support/docview.wss?uid=swg1IY73104
http://www-1.ibm.com/support/docview.wss?uid=swg1JR25940
http://www-1.ibm.com/support/docview.wss?uid=swg1JR25941

25940 and 25941 are linked to each other (so CVE 2007-4418 and CVE 
2007-0189 are dupes), but neither references 73104. However, all three 
APARs are the same issue; most of the APAR vulnerability description is 
the same.

Long story short, IBM needs to get their act together as they are only 
hurting themselves as VDBs create extra entries for the same issue, giving 
the impression that their products are more vulnerable than they really 
are.
