Date: Mon, 30 Jun 2014 17:21:12 -0400 (EDT) From: cve-assign@...re.org To: kseifried@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: changing CVE ID for RH Bugzilla 1098222 (from CVE-2014-0235) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2014-0235 should have been a completely valid CVE assignment from Red Hat, but it would be extremely problematic to keep it because that ID was accidentally used by Microsoft (typo of CVE-2014-0325) and is in very widespread use for the wrong issue. Can you assign one or more new CVE IDs for Red Hat Bugzilla 1098222 and send the CVE mapping here? We're not sure how many vulnerabilities Red Hat is announcing in 1098222. Was the intention to have only one vulnerability and one CVE for "the code before upstream version 5.19 tried to do regex matches against an arbitrarily large amount of file content"? We realize that https://bugzilla.redhat.com/show_bug.cgi?id=1098222#c5 mentions "This fix is also insufficient" but it appears that all of the discussion of incompleteness of a new fix occurred when 1098222 was embargoed, and also the upstream commit message didn't refer to that first fix as security-related (the upstream commit message was "further optimize awk by not looking for the BEGIN regex ..."). So, this ordinarily wouldn't lead to any extra CVEs. However, we don't know whether Red Hat is announcing any part of https://github.com/file/file/commit/4a284c89d6ef11aca34da65da7d673050a5ea320 as an additional vulnerability that was also fixed in 5.19. If your intention was that everything related to regex matches is a single vulnerability, then only one CVE ID is needed to replace CVE-2014-0235. In a "REJECT" message for CVE-2014-0235, we can indicate the correct per-product CVE IDs for the Internet Explorer and file/CPU-consumption issues. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTsdOYAAoJEKllVAevmvmszXMH/j+hUEgUzlKkiEYn4rzI46P6 +yO/ycoLkPLHwwya9Q5cTA82J9eDz3kbP4sbMfRe8lkE2alU35/YQ7prs4X8dSTJ vlCFxzkQ5Uev4hNcqgZY/tMzhSD6b7WUAZSJo8H9Oaq1MIHiXVWkPmpKk81pjLAb GaWfxA8AIRgQynVbReOBJ9FC9K37kzFGFI90/mcvfBlzs1s7v/Ttax6nuN3TU3Fs C47gTKsKgbYzdTw3+8aZ3ofVULgtB1eN4VlDLqm6gmtHLBJZjGAxetGERhU/W2lN b056qsCtGtW2SZ1JBpXH5MMnzv8cxeR+1G9RXlJ/TeY3V3QxmWwxm8uzJ+jI5j0= =oqaA -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ