Date: Thu, 2 Jan 2014 14:55:09 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: oss-security@...ts.openwall.com
Subject: Re: Duplicated CVE assignment for bip


Moritz,

These are two slightly different issues, although a casual reading of the 
descriptions does not make that sufficiently clear.

The original CNA assignment of CVE-2013-4550 did not consider that there 
appear to be two different types of issues, which means a SPLIT of the CVE 
ID.

The issues are disclosed in Bug 261 here:

https://projects.duckcorp.org/issues/261

The first issue is that Bip will write to arbitrary sockets when run in 
daemon mode because stderr is closed: "when using SSL (client_side_ssl = 
true), bip will write an error to stderr when the SSL handshake fails. 
However, if it is running as a daemon, stderr will have been closed."

We narrowed the scope of CVE-2013-4550 to this first issue.  Note that 
while the bug was apparently filed and public in 2011, it was given a 
CVE-2013-xxxx ID, but we don't usually reject an ID simply because it is 
out of sync with the disclosure date.  We also didn't see a need to REJECT 
this CVE because of the scope change either, since it's in reasonably wide 
use.

The second issue covers connections that are never closed: "Also, when an 
SSL handshake error occurs, a socket is never closed, but remains in 
CLOSE_WAIT state forever. This happens because a socket that is set to 
have an error will never be closed."

A fix for the first issue would not necessarily guarantee a fix of the 
second issue, and the bugs are of different types.  Therefore the second 
issue is SPLIT from the first.  We assigned CVE-2011-5268 accordingly, 
since at the time of assignment, we knew that 2011 was the disclosure 
date.

When we published these CVEs, we probably should have notified 
oss-security, or at least modified CVE-2011-5268 and CVE-2013-4550's 
descriptions to reflect the close relationships.  I apologize for that.

- Steve


On Thu, 2 Jan 2014, Moritz Muehlenhoff wrote:

> Hi,
> Seems there's a duplicated CVE ID for bip:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4550 and
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5268 refer
> to the same bugreport.
>
> Since CVE-2013-4550 was used for much longer, CVE-2011-5268 should
> be rejected?
>
> Cheers,
>        Moritz
>
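
Added example, not part of the messages above and not Bip's code: a C demonstration of the first issue, where a daemon has closed stderr, the next socket it creates receives descriptor 2, and an error message written to stderr is delivered to that socket's peer. The socketpair standing in for a client connection, the message text, and the /dev/null redirect used as the mitigation are assumptions made for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

static const char MSG[] = "SSL handshake failed\n"; /* constructed message */

/* Runs in a forked child. Returns 1 if the stderr write reached a socket peer. */
static int child_case(int harden) {
    int fd, sv[2], peer;
    char buf[64];
    /* Occupy fds 0-2 so the result does not depend on how we were launched. */
    while ((fd = open("/dev/null", O_RDWR)) >= 0 && fd < 2) { }
    if (fd < 0) return 2;
    if (fd > 2) close(fd);
    if (harden) { /* assumed mitigation: keep fd 2 open, pointed at /dev/null */
        int nul = open("/dev/null", O_WRONLY);
        if (nul < 0 || dup2(nul, STDERR_FILENO) < 0) return 2;
        close(nul);
    } else {
        close(STDERR_FILENO); /* daemon mode as described: stderr is closed */
    }
    /* Stand-in for a new client connection: it takes the lowest free fds. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 2;
    peer = (sv[1] == STDERR_FILENO) ? sv[0] : sv[1];
    /* Stand-in for the error written to stderr when the handshake fails. */
    if (write(STDERR_FILENO, MSG, sizeof MSG - 1) < 0) return 2;
    ssize_t n = recv(peer, buf, sizeof buf, MSG_DONTWAIT);
    return n == (ssize_t)(sizeof MSG - 1) && memcmp(buf, MSG, (size_t)n) == 0;
}

/* 1 = message leaked onto a socket, 0 = it did not, -1 = setup failure. */
int stderr_leaks_to_socket(int harden) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child_case(harden));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) <= 1 ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("stderr closed:       leak=%d\n", stderr_leaks_to_socket(0));
    printf("stderr on /dev/null: leak=%d\n", stderr_leaks_to_socket(1));
    return 0;
}
```

Each case runs in a forked child, so the calling process keeps its own stderr.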
