Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 3 Jun 2010 16:14:39 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Panu Matilainen <pmatilai@...hat.com>,
        Jindrich Novy <jnovy@...hat.com>, Florian Festi <ffesti@...hat.com>,
        Matt McCutchen <matt@...tmccutchen.net>
Subject: Re: CVE Request -- rpm -- Fails to remove the SUID/SGID
 bits on package upgrade (RH BZ#598775)


On Thu, 3 Jun 2010, Josh Bressers wrote:

> I'm going to give both of these the same CVE id. The issues are very
> related, and I had look at the CWE guide, they both seem to fall under
> "CWE-281: Improper Preservation of Permissions"
>
> Steve, feel free to overrule me on this one.

At a low level of granularity, it can be overkill to distinguish between 
closely-related flaw types.

The factor of concern here is that Red Hat bug 598775 suggests that the 
first variant was committed to a changeset, but not the second.  I can't 
(quickly) assess whether upstream committed changes for both variants, but 
if there's only a commit for the first one (and a public release), then 
maybe we consider these bugs as "almost-but-not-quite the same version" 
and assign a separate CVE.

We also use time lag between disclosures as a splitter, but these were 
more-or-less within a 24-hour period, which we typically treat as "same 
day."

This is fuzzy on both vuln type and version... I defer to others who can 
shed more insight on the question of whether these versions are different 
enough.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ