Date: Tue, 6 Mar 2012 21:42:39 +0100 From: Tomas Hoger <thoger@...hat.com> To: oss-security@...ts.openwall.com Cc: agomez@...idsignal.com, Kurt Seifried <kseifried@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org> Subject: Re: Re: TORCS 1.3.2 xml buffer overflow - CVE-2012-1189 On Tue, 6 Mar 2012 09:31:10 -0500 Andres Gomez wrote: > 2012/3/5 Kurt Seifried <kseifried@...hat.com> > > > Would you consider tham to be the same code base or a different code > > base? If the same code base, share the CVE, if different code > > bases, new CVE for it. Steve: do we have a policy for "Fresh" forks > > as it were? > > Well, Speed Dreams started with TORCS code base, but they have added > a lot new code, so I would say that right now they have different > code base, although they still share a big portion of the code (as > the vulnerable section). Because of that I would consider It needs a > new CVE number, could you assign one to it? :) Their code bases may differ significantly in other parts, but it seems the affected vulnerable code is still identical between the two. Following are versions shortly before fixes got committed: http://torcs.cvs.sourceforge.net/viewvc/torcs/torcs/torcs/src/modules/graphic/ssggraph/grsound.cpp?revision=188.8.131.52&view=markup http://speed-dreams.svn.sourceforge.net/viewvc/speed-dreams/trunk/src/modules/graphic/ssggraph/grsound.cpp?revision=4146&view=markup In cases like this, same CVE is used for all project that use / embed the same affected code. -- Tomas Hoger / Red Hat Security Response Team
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ