Date: Thu, 3 Jun 2010 16:14:39 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>, Panu Matilainen <pmatilai@...hat.com>, Jindrich Novy <jnovy@...hat.com>, Florian Festi <ffesti@...hat.com>, Matt McCutchen <matt@...tmccutchen.net>
Subject: Re: CVE Request -- rpm -- Fails to remove the SUID/SGID bits on package upgrade (RH BZ#598775)

On Thu, 3 Jun 2010, Josh Bressers wrote:

> I'm going to give both of these the same CVE id. The issues are very
> related, and I had a look at the CWE guide; they both seem to fall under
> "CWE-281: Improper Preservation of Permissions".
>
> Steve, feel free to overrule me on this one.

At a low level of granularity, it can be overkill to distinguish between closely-related flaw types.

The factor of concern here is that Red Hat bug 598775 suggests that the first variant was committed to a changeset, but not the second. I can't (quickly) assess whether upstream committed changes for both variants, but if there's only a commit for the first one (and a public release), then maybe we consider these bugs as "almost-but-not-quite the same version" and assign a separate CVE.

We also use time lag between disclosures as a splitter, but these were more-or-less within a 24-hour period, which we typically treat as "same day."

This is fuzzy on both vuln type and version... I defer to others who can shed more insight on the question of whether these versions are different enough.

- Steve