Date: Thu, 6 May 2010 14:24:05 -0400
From: Dan Rosenberg <dan.j.rosenberg@...il.com>
To: "Steven M. Christey" <coley@...us.mitre.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: lxr

Sorry for not making this explicitly clear.  There are three issues:

1.  XSS in the ident parameter, as described in CVE-2009-4497.

2.  XSS that is reflected via the search results page after issuing a search.

3.  XSS that is reflected via the <title> tag on the search page, as
described in Raphael's original e-mail a few days ago, which Josh just
assigned CVE-2010-1448.

Bugs 1 and 2 were fixed simultaneously, as indicated in the 2010-01-05
changelog entry for LXR:

2010-01-05 18:00  mbox

	* ident, search: Fix for CVE-2009-4497 from Dan Rosenberg

	  Avoid a XSS vulnerability

Bug 3 was fixed a few days later on 2010-01-15, as indicated by:

2010-01-15 23:23  mbox

	* lib/LXR/Common.pm: Fix XSS exploit in title string

So, while my original intent at the time of disclosure was to have a
single CVE identifier assigned to cover all three of these issues,
that obviously did not happen.  As it stands, bugs 1 and 3 have their
own CVE identifiers, and bug 2 remains unassigned.

-Dan

On Thu, May 6, 2010 at 2:11 PM, Steven M. Christey
<coley@...us.mitre.org> wrote:
>
> On Mon, 3 May 2010, Henri Salo wrote:
>
>> On Mon, 3 May 2010 09:31:16 -0400
>> Dan Rosenberg <dan.j.rosenberg@...il.com> wrote:
>>
>> Several XSS-vulnerabilities can have one CVE at least when those
>> vulnerabilities are fixed at the same time.
>
> Another factor is when they are published at the same time.
>
>> Can someone verify what is the policy by the book?
>
> It's never as easy as just a couple rules, unfortunately.  In this case,
> CVE-2009-4497 has been around for a long time, so it's strongly attached to
> *only* the "i" parameter/ident issue.  It's too risky to change the
> fundamental meaning of a CVE after it's been published.  (So even though the
> intention of Dan's original request may have been to cover other issues,
> that's not what it looks like to the public any more.)
>
> Josh assigned CVE-2010-1448 for the search page issue, and now Dan has
> alluded to a third issue that is neither ident nor search page, but we don't
> know what that third issue is.
>
> If Dan's issue is what he calls "a third XSS bug" in
> http://www.openwall.com/lists/oss-security/2010/05/03/7 then I'd want a
> different CVE for it - since it's addressed in a separate "version" than the
> other two XSS bugs.
>
> The crux of the problem here is that the original bug report alluded to
> "several" XSS but only listed the ident issue; our CVE description typically
> might say "multiple XSS, for example this particular vector," but we didn't
> do that... and neither does the vendor specifically indicate that the other
> vaguely-specified issues were actually addressed.
>
> - Steve
>
