[VIM] GraceNote CDDBControl (CVE-2006-3134) = CDDBAOLControl (CVE-2006-6442)

Steven M. Christey coley at mitre.org
Mon Dec 11 18:27:29 EST 2006

3com's Zero Day Initiative has notified CVE that Secunia's recent
announcement of a CDDBControlAOL.CDDBAOLControl overflow
(CVE-2006-6442, SECUNIA:23043) is the same issue as originally
reported by ZDI for Gracenote CDDBControl ActiveX Control
(CVE-2006-3134).  Gracenote is the original vendor; this control is
used in multiple products from different vendors.  Regarding the
discrepancy in minor details - "option string" in CVE-2006-3134
vs. "client ID" parameter in CVE-2006-6442 - ZDI says that they are
the same.

CVE is treating these as duplicates.  Since CVE-2006-3134 is more
authoritative (with a vendor CONFIRM) and more established (being
around since June), we will be using CVE-2006-3134 and marking
CVE-2006-6442 as a duplicate.  Current CVE descriptions and references
are included below for historical purposes.

- Steve

Name: CVE-2006-3134
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3134
Reference: FULLDISC:20060627 ZDI-06-019: GraceNote CDDBControl ActiveX Buffer Overflow Vulnerability
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/047420.html
Reference: MISC:http://www.zerodayinitiative.com/advisories/ZDI-06-019.html
Reference: MISC:http://europe.nokia.com/nokia/0,,93034,00.html
Reference: CONFIRM:http://www.gracenote.com/sec062706/SonySecurityNotification.html
Reference: CERT-VN:VU#701121
Reference: URL:http://www.kb.cert.org/vuls/id/701121
Reference: BID:18678
Reference: URL:http://www.securityfocus.com/bid/18678
Reference: FRSIRT:ADV-2006-2562
Reference: URL:http://www.frsirt.com/english/advisories/2006/2562
Reference: FRSIRT:ADV-2006-2563
Reference: URL:http://www.frsirt.com/english/advisories/2006/2563
Reference: OSVDB:26874
Reference: URL:http://www.osvdb.org/26874
Reference: SECTRACK:1016389
Reference: URL:http://securitytracker.com/id?1016389
Reference: SECUNIA:20861
Reference: URL:http://secunia.com/advisories/20861
Reference: SECUNIA:20862
Reference: URL:http://secunia.com/advisories/20862
Reference: XF:gracenote-cddb-activex-bo(27416)
Reference: URL:http://xforce.iss.net/xforce/xfdb/27416

Buffer overflow in GraceNote CDDBControl ActiveX Control, as used by
multiple products that use Gracenote CDDB, allows remote attackers to
execute arbitrary code via a long option string.

Name: CVE-2006-6442
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6442
Reference: MISC:http://secunia.com/secunia_research/2006-69/advisory/
Reference: BID:21488
Reference: URL:http://www.securityfocus.com/bid/21488
Reference: FRSIRT:ADV-2006-4904
Reference: URL:http://www.frsirt.com/english/advisories/2006/4904
Reference: SECUNIA:23043
Reference: URL:http://secunia.com/advisories/23043

Stack-based buffer overflow in the SetClientInfo function in the
CDDBControlAOL.CDDBAOLControl ActiveX control (cddbcontrol.dll), as
used in America Online (AOL) 7.0 4114.563, 8.0 4129.230, and 9.0
Security Edition 4156.910, and possibly other products, allows remote
attackers to execute arbitrary code via a long ClientId argument.
