CVE
- Id
- 2966
- CVE No.
- CVE-2001-0145
- Status
- Candidate
- Description
- Buffer overflow in VCard handler in Outlook 2000 and 98, and Outlook Express 5.x, allows an attacker to execute arbitrary commands via a malformed vCard birthday field.
- Phase
- Proposed (20010404)
- Votes
- ACCEPT(4) Baker, Balinsky, Cole, Wall | MODIFY(1) Frech | REVIEWING(3) Bishop, Christey, Ziese
- Comments
- Christey> In a post to Bugtraq, Joel Moses notes that this is a | duplicate of CVE-2000-0756: | http://marc.theaimsgroup.com/?l=bugtraq&m=98322714210100&w=2 | | As of this writing, it is not certain which candidate | should be preferred: the candidate that has been publicly | known longer (i.e. CVE-2000-0756), or the more "official" | candidate, which has probably been publicized more (i.e. | CVE-2001-0145). | Balinsky> It seems that this is a more specific case of | CVE-2000-0756. The reference for 2000-0756 states that there is a | buffer overflow in the birthday AND the e-mail field, as well as other | suspected fields. As this current candidate only addresses the | birthday field, it seems that there are likely different lines of code | involved. | Microsoft is not specific about what specifically the patch | addresses. It is possible that the other overflows in 2000-0756 are | still vulnerable and that the @stake group just didn"t bother to test | them. | We will not know the answer until someone retests those other | fields to see if they are still vulnerable. | If they are, then 2000-0756 might deserve being split up. | Frech> XF:outlook-vcard-dos(5175) | Christey> Consider adding BID:2459
