Date: Wed, 4 Jan 2012 18:30:49 +0100 From: Moritz Muehlenhoff <jmm@...ian.org> To: Kurt Seifried <kseifrie@...hat.com> Cc: oss-security@...ts.openwall.com, Craig Barratt <cbarratt@...rs.sourceforge.net>, cve-assign@...re.org, security@...ntu.com Subject: Re: CVE Request: Security issue in backuppc On Tue, Jan 03, 2012 at 02:21:08PM -0700, Kurt Seifried wrote: > On 01/03/2012 12:55 PM, Moritz Mühlenhoff wrote: > > On Thu, Oct 27, 2011 at 04:00:48PM -0500, Jamie Strandboge wrote: > >> Hi Craig, > >> > >> While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered > >> another XSS vulnerability in View.pm when accessing the following URLs > >> in backuppc: > >> index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host> > >> index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host> > >> > >> You are being emailed as the upstream contact. Please keep > >> oss-security@...ts.openwall.com CC'd for any updates on this issue. > >> > >> To oss-security, can I have a CVE for this? It is essentially the same > >> vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead > >> of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on > >> 3.0.0, 3.1.0, 3.2.0 and 3.2.1. > > *ping* > > > > This hasn't ended up in a CVE assignment. > > > > Cheers, > > Moritz > I believe as per ADT4 these issues should be merged into the existing > CVE-2011-3361: > > ADT4: > > At this stage, X and Y are the same bug type, affect the same versions, > and affect the same products. > > Do X and Y have any of the following characteristics? > > X appears in a different DLL, library, or program than Y (e.g. X > affects LIB1.DLL and Y affects LIB2.DLL) > X has more serious impact than Y (e.g. code execution as root versus > leak of system pathname) > X takes a different input parameter/argument than Y (e.g. SQL > injection in both the "user" and "password" parameters) > X is exploitable locally, but Y is not. > X requires stronger authentication than Y. > X can be exploited by a certain user that Y can not (e.g. a guest > user vs. an admin) > > Yes: MERGE them. These characteristics are irrelevant for CVE. I don't have a strong opinion on this, but does this policy really make sense if only X was tracked by a CVE for over half a year? There might just as well be people, who addressed CVE-2011-3361 under the impression that only X needs to be fixed and which will miss Y if Y is folded into CVE-2011-3361. Cheers, Moritz
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ