[VIM] CVE-2007-4158 == CVE-2007-5553?

Steven M. Christey coley at linus.mitre.org
Mon Dec 3 23:47:08 UTC 2007

Ouch, that's a tough one.  I'm not sure.

These vague pre-advisories are tough for us to handle in CVE.  Advisory 25
probably wasn't available at the time CVE-2007-5553 was created on Oct 18,
but neither did we quote the specific descriptions.

Here are our original notes for CVE-2007-5553:

  ABSTRACTION: This seems to have a different impact than CVE-2007-4161
  and CVE-2007-4158. Also, for CVE-2007-4161, the researcher had already
  made a public announcement of details, so it's unclear why (if the issue
  were the same) the details would be omitted within the 111-Vendor-Alerts
  document. Admittedly, however, the likely discovery timeframe (July
  2007) looks similar.

This does seem to line up with the "Memory Leak vulnerability in TIBCO
Rendezvous RVD daemon" listed on the 111-Vendor-Alerts page though, so I'm
going to call it a dupe.

CVE-2007-4158 will be preserved.

- Steve

On Sun, 2 Dec 2007, George A. Theall wrote:

> Steve or anyone... what is the difference between CVE-2007-4158 and
> CVE-2007-5553? Both involve an unspecified denial of service issue in
> the rvd daemon in TIBCO Rendezvous discovered by IRM, but reading their
> "Security Testing Enterprise Messaging Systems" whitepaper I only find
> one new and unspecified issue. [There is a new degradation of service
> issue, but that's covered by CVE-2007-4161.] Also, I only see one 0-day
> listed for the app under
> <http://www.irmplc.com/index.php/111-Vendor-Alerts>, and that points to
> their Advisory 025.
> George
> --
> theall at tenablesecurity.com
