[VIM] windows clarity

[Steven M. Christey]

On Thu, 12 May 2005, security curmudgeon wrote:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1049
>
> links to MS05-002
>
> http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
>
> links to CAN-2004-1049 and CAN-2004-1305
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0416
>
> links to MS05-002
>
> [..]
>
> MS05-002 doesn't mention CAN-2005-0416 though. does anyone know why?
> looking at the two CVE entries that seem to overlap:
>
> 2004-1049
> Integer overflow in the LoadImage API of the USER32 Lib for Microsoft
> Windows allows remote attackers to execute arbitrary code via a .bmp,
> .cur, .ico or .ani file with a large image size field, which leads to a
> buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
>
> 2005-0416
> The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000
> through SP4, Windows XP through SP1, and Windows 2003 allows remote
> attackers to execute arbitrary code via the AnimationHeaderBlock length
> field, which leads to a stack-based buffer overflow.
>
>
> Integer overflow vs stack-based overflow. image size field vs
> AnimationHeaderBlock field. are these really two distinct vulns, or
> fundamentally the same library underneath?


Oh, THAT one.

This is one of the good things about VIM!

I spent a couple hours digging deeply into this one, I think after Kurt
Seifried asked me about it.  Reading descriptions of file formats, etc.

It'll take some time to dig up my email response, but they're definitely
distinct bugs, in slightly different places in the file format.  I don't
remember EXACTLY, but I think I privately confirmed with Microsoft that
MS05-002 addressed both of them.

Oh, looks like it didn't take much time at all - yay grep!  I'll forward
it in the next message.

- Steve