lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <28829826.1209291166125495217.JavaMail.juha-matti.laurio@netti.fi>
Date: Thu, 14 Dec 2006 21:44:54 +0200 (EET)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: Gadi Evron <ge@...uxbox.org>, Joxean Koret <joxeankoret@...oo.es>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	Fuzzing List <fuzzing@...testar.linuxbox.org>, bugtraq@...urityfocus.com
Subject: Re: [fuzzing] NOT a 0day! Re: OWASP Fuzzing page

After the public release we have to accept the fact that the PoC will be possibly accessible outside of exploit sites too.
The overall risk of the issue is increasing.
To confirm the existence of PoC it was listed in several references like
http://www.securityfocus.com/bid/21589/exploit
etc.

The metadata information of 12122006-djtest.doc states the following:

Created: 16th Aug 2006
Author: sarahbl

- Juha-Matti


Gadi Evron <ge@...uxbox.org> wrote: 
> On Tue, 12 Dec 2006, Joxean Koret wrote:
> > 
> > Wow! That's fun! The so called "Word 0 day" flaw also affects
> > OpenOffice.org! At least, 1.1.3. And, oh! Abiword does something cool
> > with the file:
> 
> This is NOT a 0day. It is a disclosed vulnerability in full-disclosure
> mode, on a mailing list (fuzzing mailing list).
> 
> I am not sure why I got this 10 times now, I thought the days of these
> bounces were over. But I am tired of seeing every full-disclosure
> vulnerability called a 0day anymore.
> 
> A 0day, whatever definition you use, is used in the wild before people are
> aware of it.
> 
> 
> > 
> > joxean@...eankoret $ abiword 12122006-djtest.doc
> > 
> > ** (AbiWord-2.2:24313): WARNING **: Invalid seek
> > 
> > ** (AbiWord-2.2:24313): WARNING **: Invalid seek
> > 
> > ** (AbiWord-2.2:24313): WARNING **: Invalid seek
> > 
> > ** (AbiWord-2.2:24313): WARNING **: Invalid seek
> > joxean@...eankoret $ ooffice 12122006-djtest.doc
> > OpenOffice.org lockfile found (/home/joxean/.openoffice/1.1.3/.lock)
> > Using existing OpenOffice.org
> > Application Errorsh: line 1: crash_report: command not found
> > Application Error
> > 
> > Fatal exception: Signal 6

--clip--

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ