Date: Thu, 2 Jan 2014 14:55:09 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: oss-security@...ts.openwall.com
Subject: Re: Duplicated CVE assignment for bip


Moritz,

These are two slightly different issues, although a casual reading of the 
descriptions does not make that sufficiently clear.

The original CNA assignment of CVE-2013-4550 did not consider that there 
appear to be two different types of issues, which means a SPLIT of the CVE 
ID.

The issues are disclosed in Bug 261 here:

https://projects.duckcorp.org/issues/261

The first issue is that Bip will write to arbitrary sockets when run in 
daemon mode because stderr is closed: "when using SSL (client_side_ssl = 
true), bip will write an error to stderr when the SSL handshake fails. 
However, if it is running as a daemon, stderr will have been closed."

We narrowed the scope of CVE-2013-4550 to this first issue.  Note that 
while the bug was apparently filed and public in 2011, it was given a 
CVE-2013-xxxx ID, but we don't usually reject an ID simply because it is 
out of sync with the disclosure date.  We also didn't see a need to REJECT 
this CVE because of the scope change either, since it's in reasonably wide 
use.

The second issue covers connections that are never closed: "Also, when an 
SSL handshake error occurs, a socket is never closed, but remains in 
CLOSE_WAIT state forever. This happens because a socket that is set to 
have an error will never be closed."

A fix for the first issue would not necessarily guarantee a fix of the 
second issue, and the bugs are of different types.  Therefore the second 
issue is SPLIT from the first.  We assigned CVE-2011-5268 accordingly, 
since at the time of assignment, we knew that 2011 was the disclosure 
date.

When we published these CVEs, we probably should have notified 
oss-security, or at least modified CVE-2011-5268 and CVE-2013-4550's 
descriptions to reflect the close relationships.  I apologize for that.

- Steve


On Thu, 2 Jan 2014, Moritz Muehlenhoff wrote:

> Hi,
> Seems there's a duplicated CVE ID for bip:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4550 and
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5268 refer
> to the same bug report.
>
> Since CVE-2013-4550 was used for much longer, CVE-2011-5268 should
> be rejected?
>
> Cheers,
>        Moritz
>
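The first issue Steve describes is a general descriptor-reuse bug class, not something specific to bip: a daemon that closes descriptor 2 outright leaves that number free, the kernel hands it to the next descriptor the process creates, and a later "write to stderr" lands on whatever that descriptor now is, here a client connection. The following C program is an added illustration written for this page (not bip's code and not part of the thread). It simulates the client socket with an AF_UNIX socketpair, uses a constructed error string, and contrasts the closing pattern with the mitigation of parking descriptor 2 on /dev/null so the number stays occupied. Function and variable names are the example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed error text standing in for what a daemon would print when an
 * SSL handshake fails; bip's actual message is not reproduced here. */
static const char HANDSHAKE_MSG[] = "ssl handshake failed\n";

/* The error path under discussion: report on descriptor 2, trusting that
 * descriptor 2 is still stderr. write(2) rather than fprintf keeps the
 * outcome independent of stdio buffering. */
static void report_handshake_error(void)
{
    (void)write(STDERR_FILENO, HANDSHAKE_MSG, sizeof HANDSHAKE_MSG - 1);
}

/* Read whatever arrived on one end of the socketpair without blocking.
 * Returns bytes read (0 if nothing was queued), -1 on a real error. */
static ssize_t drain(int fd, char *buf, size_t cap)
{
    ssize_t n = recv(fd, buf, cap - 1, MSG_DONTWAIT);
    if (n < 0)
        return (errno == EAGAIN || errno == EWOULDBLOCK) ? 0 : -1;
    buf[n] = '\0';
    return n;
}

/* Buggy daemonisation: close(2) outright. The kernel gives the lowest free
 * number to the next descriptor the process creates, so the "client socket"
 * (one end of the socketpair) becomes descriptor 2 and its peer receives the
 * error text. Returns the number of bytes the peer observed and restores the
 * original descriptor 2 before returning. */
ssize_t close_stderr_then_accept(char *captured, size_t cap)
{
    int sv[2];
    int saved = dup(STDERR_FILENO);   /* keep a copy so the demo can undo itself */
    if (saved < 0)
        return -1;
    captured[0] = '\0';
    close(STDERR_FILENO);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        dup2(saved, STDERR_FILENO);
        close(saved);
        return -1;
    }
    /* One end now occupies descriptor 2; its peer sees what is written there. */
    int peer = (sv[0] == STDERR_FILENO) ? sv[1] : sv[0];
    report_handshake_error();
    ssize_t got = drain(peer, captured, cap);
    close(sv[0]);
    close(sv[1]);
    dup2(saved, STDERR_FILENO);
    close(saved);
    return got;
}

/* Mitigation: point descriptor 2 at /dev/null with dup2 instead of closing
 * it (daemon(3) with noclose == 0 does this for 0, 1 and 2). The number
 * stays occupied, a later socket can never be assigned it, and the error
 * text is discarded. Returns bytes the socket peers observed (expected 0),
 * -2 if a socket end nevertheless landed on descriptor 2. */
ssize_t redirect_stderr_then_accept(char *captured, size_t cap)
{
    int sv[2];
    int saved = dup(STDERR_FILENO);
    if (saved < 0)
        return -1;
    captured[0] = '\0';
    int devnull = open("/dev/null", O_RDWR);
    if (devnull < 0 || dup2(devnull, STDERR_FILENO) < 0) {
        if (devnull >= 0)
            close(devnull);
        close(saved);
        return -1;
    }
    close(devnull);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) {
        dup2(saved, STDERR_FILENO);
        close(saved);
        return -1;
    }
    report_handshake_error();                   /* lands in /dev/null */
    ssize_t got;
    if (sv[0] == STDERR_FILENO || sv[1] == STDERR_FILENO) {
        got = -2;
    } else {
        got = drain(sv[0], captured, cap);      /* check both ends: nothing */
        if (got == 0)
            got = drain(sv[1], captured, cap);
    }
    close(sv[0]);
    close(sv[1]);
    dup2(saved, STDERR_FILENO);
    close(saved);
    return got;
}
```

The same reasoning is why a daemon should redirect all three standard descriptors rather than close them: any of 0, 1 or 2 left free is a candidate for reuse by the next open(2), socket(2) or accept(2). The second issue in the thread, a socket on which an error was flagged never being closed and lingering in CLOSE_WAIT, is a distinct resource leak and is not modelled here; its remedy is simply to close the descriptor on the error path, which is also why the two problems warranted separate CVE IDs.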
