Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Secunia Research: Lotus Notes Folio Flat File Parsing Buffer Overflows
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Thu, 17 Apr 2008 23:58:09 +0300 (EEST)

When examining advisory SA28209
it points to reports listing vulnerabilities in several products and versions (Verity KeyView Viewer SDK 7.x, 8.x, and 
9.x) etc.

Secunia's Web site lists advisories by a specific product too, see

I believe this is the reason of several advisories.


Erik Harrison <eharrison () gmail com> wrote: 
Its not always easy to know what libs all of your apps are using. Unless of
course you're managing a small set of systems, have a lot of time, or are
particularly godlike at what you do. I think it's great that they identify
the software using it. Frankly, if I'm in an enterprise environment running
Lotus for some god awful reason, that's going to get my attention more than
one of its libraries.

Yes, it does inflate their stats on number of vuln advisories published in a
year, but whatever - I don't care about that. What's the better way to deal
with it? Try and push one advisory listing 1000 apps affected in its
content? Even then, you're not going to have a accurate list. I think it
-is- better to publish one advisory per affected piece of software. When I'm
skimming the 100 or so that hit my inbox every day, I don't have the luxury
of opening each one. Unfortunate, but that's reality of most security staff.

It's only going to get worse. Reporting is going to increase and threats are
going to apply to far more products inheriting the same code. What's the
best, most scalable way of dealing with this? Anyone have any ideas on that

On Tue, Apr 15, 2008 at 10:20 AM, Luigi Auriemma <aluigi () autistici org>

Autonomy Keyview Folio Flat File Parsing Buffer Overflows
Autonomy Keyview Applix Graphics Parsing Vulnerabilities
Autonomy Keyview EML Reader Buffer Overflows
activePDF DocConverter Folio Flat File Parsing Buffer Overflows
activePDF DocConverter Applix Graphics Parsing Vulnerabilities
Lotus Notes Applix Graphics Parsing Vulnerabilities
Lotus Notes Folio Flat File Parsing Buffer Overflows
Lotus Notes EML Reader Buffer Overflows
Lotus Notes kvdocve.dll Path Processing Buffer Overflow
Lotus Notes htmsr.dll Buffer Overflows
Symantec Mail Security Folio Flat File Parsing Buffer Overflows
Symantec Mail Security Applix Graphics Parsing Vulnerabilities

12 mails for the same library?

From what I have understood all the bugs are just in this Autonomy
Keyview library so in my opinion reporting the same identical bugs in
each software which uses this thirdy part component and additionally
without saying that the problem in reality is in the library is wrong
and leads to a lot of confusion.

It's just like if someone finds a bug in zlib and releases 10000
advisories, one for each program in the world which uses the library...
the bug is not in these 10000 programs but only in zlib.

Luigi Auriemma

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]