Re: [Full-disclosure] CORE-2008-0126: Multiple vulnerabilities in iCal

From: "Steven M. Christey" <coley@xxxxxxxxxxxxxxx>
Date: Wed, 28 May 2008 09:58:46 -0400 (EDT)

On Tue, 27 May 2008, security curmudgeon wrote:

No mention of CVE-2008-1035 in the [CORE] advisory other than the header
CVE name reference. BID seems to have split the three vulnerabilities,
but given two of them the same CVE. CVE does not have descriptions open
yet.

The descriptions are below - for CVE-2008-2006, we merged on the rough
criteria of "insufficient validation of a length field".

Could someone from CORE, SecurityFocus or CVE confirm if CVE-2008-1035 is
supposed to be in the mix, and if CVE-2008-2006 does correspond to two
of the vulnerabilities listed?

CVE-2008-2006 intentionally corresponds to both.

I am not sure where CORE got CVE-2008-1035 from - that number was part of
a pool of numbers that were allocated to Apple, for them to assign
to issues in Apple products (this makes them effectively a CNA; see
http://cve.mitre.org/cve/cna.html for more info).

CORE obtained CVE-2008-2006 and CVE-2008-2007 directly from MITRE. It's
most likely that during CORE's collaboration with Apple, Apple might have
given them CVE-2008-1035 from Apple's own pool, to cover one or more of
those issues. This type of "reservation duplicate" happens periodically
when both researcher/coordinator and vendor use CVEs. BUT - this is just
a guess, either CORE or Apple would need to provide a more concrete
answer. We are currently keeping CVE-2008-1035 blank until there's more
clarity.

- Steve

======================================================
Name: CVE-2008-2006
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2006
Reference: BUGTRAQ:20080521 CORE-2008-0126: Multiple vulnerabilities in iCal
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/492414/100/0/threaded
Reference: MISC:http://www.coresecurity.com/?action=item&id=2219
Reference: BID:28632
Reference: URL:http://www.securityfocus.com/bid/28632
Reference: BID:28629
Reference: URL:http://www.securityfocus.com/bid/28629
Reference: FRSIRT:ADV-2008-1601
Reference: URL:http://www.frsirt.com/english/advisories/2008/1601

Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and
user-assisted remote attackers, to cause a denial of service (NULL
pointer dereference and application crash) or possibly execute
arbitrary code via a .ics file containing (1) a large 16-bit integer
on a TRIGGER line, or (2) a large integer in a COUNT field on an RRULE
line. NOTE: this might be a duplicate of CVE-2008-1035.

======================================================
Name: CVE-2008-2007
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2007
Reference: BUGTRAQ:20080521 CORE-2008-0126: Multiple vulnerabilities in iCal
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/492414/100/0/threaded
Reference: MISC:http://www.coresecurity.com/?action=item&id=2219
Reference: BID:28633
Reference: URL:http://www.securityfocus.com/bid/28633
Reference: FRSIRT:ADV-2008-1601
Reference: URL:http://www.frsirt.com/english/advisories/2008/1601

Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, and
user-assisted remote attackers, to trigger memory corruption or
possibly execute arbitrary code via an "ATTACH;VALUE=URI:S=osumi" line
in a .ics file, which triggers a "resource liberation" bug.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] CORE-2008-0126: Multiple vulnerabilities in iCal
  - From: Core Security Technologies Advisories
- Re: [Full-disclosure] CORE-2008-0126: Multiple vulnerabilities in iCal
  - From: security curmudgeon

Prev by Date: [Full-disclosure] Cisco Security Advisory: CiscoWorks Common Services Arbitrary Code Execution Vulnerability
Next by Date: [Full-disclosure] [ MDVSA-2008:107 ] - Updated openssl package fixes denial of service vulnerabilities
Previous by thread: Re: [Full-disclosure] CORE-2008-0126: Multiple vulnerabilities in iCal
Next by thread: [Full-disclosure] iDefense Security Advisory 05.21.08: Multiple Vendor Snort IP Fragment TTL Evasion Vulnerability
Index(es):
- Date
- Thread

Relevant Pages

Re: Installed Hard Disk In Dell Vista Machine Today
... was in reference to about the organization of the book. ... and looking at Amazon is says 1568 pages... ... "Not recommended [Fast Format] comes from the Windows Vista Resource Kit ... Apple is being negligent to not suggest doing a FF on a drive not ...
(comp.sys.mac.advocacy)
Re: CORE-2008-0126: Multiple vulnerabilities in iCal
... CVE name reference. ... to issues in Apple products (this makes them effectively a CNA; ... Reference: URL:http://www.securityfocus.com/archive/1/archive/1/492414/100/0/threaded ... Apple iCal 3.0.1 on Mac OS X allows remote CalDAV servers, ...
(Bugtraq)
Re: Class Hierarchy design problems...
... Nick thanks for the input. ... If your container is a Basket and your item is ... an Apple, then the item should not have a Removemethod. ... sense for the Apple to hold a reference to the Basket. ...
(microsoft.public.dotnet.languages.csharp)
Re: Quad G5 Goes Down...
... The G5 processor in general runs hotter than any other ... Show one reference that backs up this claim that you have "Apple ... I don't have to show a reference you idiot. ...
(comp.sys.mac.advocacy)
Re: WeakHashMap question
... > call it Apple. ... > This seems like a good use of WeakHashMap because we would like to ... > collected when the last reference goes away. ... constructor parameter in those cases where it turns out you do need to ...
(comp.lang.java.programmer)