Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Jan 2012 18:30:49 +0100
From: Moritz Muehlenhoff <jmm@...ian.org>
To: Kurt Seifried <kseifrie@...hat.com>
Cc: oss-security@...ts.openwall.com,
	Craig Barratt <cbarratt@...rs.sourceforge.net>,
	cve-assign@...re.org, security@...ntu.com
Subject: Re: CVE Request: Security issue in backuppc

On Tue, Jan 03, 2012 at 02:21:08PM -0700, Kurt Seifried wrote:
> On 01/03/2012 12:55 PM, Moritz Mühlenhoff wrote:
> > On Thu, Oct 27, 2011 at 04:00:48PM -0500, Jamie Strandboge wrote:
> >> Hi Craig,
> >>
> >> While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
> >> another XSS vulnerability in View.pm when accessing the following URLs
> >> in backuppc:
> >> index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
> >> index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>
> >>
> >> You are being emailed as the upstream contact. Please keep
> >> oss-security@...ts.openwall.com[1] CC'd for any updates on this issue.
> >>
> >> To oss-security, can I have a CVE for this? It is essentially the same
> >> vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
> >> of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
> >> 3.0.0, 3.1.0, 3.2.0 and 3.2.1.
> > *ping*
> >
> > This hasn't ended up in a CVE assignment.
> >
> > Cheers,
> >         Moritz
> I believe as per ADT4 these issues should be merged into the existing
> CVE-2011-3361:
>
> ADT4:
> 
> At this stage, X and Y are the same bug type, affect the same versions,
> and affect the same products.
> 
> Do X and Y have any of the following characteristics?
> 
>     X appears in a different DLL, library, or program than Y (e.g. X
> affects LIB1.DLL and Y affects LIB2.DLL)
>     X has more serious impact than Y (e.g. code execution as root versus
> leak of system pathname)
>     X takes a different input parameter/argument than Y (e.g. SQL
> injection in both the "user" and "password" parameters)
>     X is exploitable locally, but Y is not.
>     X requires stronger authentication than Y.
>     X can be exploited by a certain user that Y can not (e.g. a guest
> user vs. an admin)
> 
>     Yes: MERGE them. These characteristics are irrelevant for CVE.

I don't have a strong opinion on this, but does this policy really make
sense if only X was tracked by a CVE for over half a year?

There might just as well be people, who addressed CVE-2011-3361 under
the impression that only X needs to be fixed and which will miss Y
if Y is folded into CVE-2011-3361.

Cheers,
        Moritz


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.