Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 4 Jan 2012 18:30:49 +0100
From: Moritz Muehlenhoff <jmm@...ian.org>
To: Kurt Seifried <kseifrie@...hat.com>
Cc: oss-security@...ts.openwall.com,
	Craig Barratt <cbarratt@...rs.sourceforge.net>,
	cve-assign@...re.org, security@...ntu.com
Subject: Re: CVE Request: Security issue in backuppc

On Tue, Jan 03, 2012 at 02:21:08PM -0700, Kurt Seifried wrote:
> On 01/03/2012 12:55 PM, Moritz Mühlenhoff wrote:
> > On Thu, Oct 27, 2011 at 04:00:48PM -0500, Jamie Strandboge wrote:
> >> Hi Craig,
> >>
> >> While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
> >> another XSS vulnerability in View.pm when accessing the following URLs
> >> in backuppc:
> >> index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
> >> index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>
> >>
> >> You are being emailed as the upstream contact. Please keep
> >> oss-security@...ts.openwall.com[1] CC'd for any updates on this issue.
> >>
> >> To oss-security, can I have a CVE for this? It is essentially the same
> >> vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
> >> of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
> >> 3.0.0, 3.1.0, 3.2.0 and 3.2.1.
> > *ping*
> >
> > This hasn't ended up in a CVE assignment.
> >
> > Cheers,
> >         Moritz
> I believe as per ADT4 these issues should be merged into the existing
> CVE-2011-3361:
>
> ADT4:
> 
> At this stage, X and Y are the same bug type, affect the same versions,
> and affect the same products.
> 
> Do X and Y have any of the following characteristics?
> 
>     X appears in a different DLL, library, or program than Y (e.g. X
> affects LIB1.DLL and Y affects LIB2.DLL)
>     X has more serious impact than Y (e.g. code execution as root versus
> leak of system pathname)
>     X takes a different input parameter/argument than Y (e.g. SQL
> injection in both the "user" and "password" parameters)
>     X is exploitable locally, but Y is not.
>     X requires stronger authentication than Y.
>     X can be exploited by a certain user that Y can not (e.g. a guest
> user vs. an admin)
> 
>     Yes: MERGE them. These characteristics are irrelevant for CVE.

I don't have a strong opinion on this, but does this policy really make
sense if only X was tracked by a CVE for over half a year?

There might just as well be people, who addressed CVE-2011-3361 under
the impression that only X needs to be fixed and which will miss Y
if Y is folded into CVE-2011-3361.

Cheers,
        Moritz


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ