Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 28 Feb 2015 12:37:10 -0500 (EST)
From: cve-assign@...re.org
To: blinken@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: PuTTY fails to clear private key information from memory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Use CVE-2015-2157.

This falls into a narrow set of situations in which a CVE ID can be
assigned even though the issue does not cross privilege boundaries.
The vendor is specifically announcing this as "This is a security
vulnerability." (Also, wiping private-key memory is a conventional
behavior seen in many products. It is not the same as wiping any
memory block that any researcher may feel is sensitive in some way.)

> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html

> However, if you ever told Pageant to delete a key from memory, it
> would not have properly deleted it: it would still have retained a
> copy by mistake due to this bug.

Because of the "this bug" wording, a single CVE ID is assigned.
However, in general, these two cases could be distinguished:

  - violating a user's reasonable expectations about what preemptive
    memory wiping should occur

  - providing a UI feature advertised as a way to tell a product to
    wipe a key from memory, accompanied by actual behavior in which no
    wiping occurs

with separate CVE IDs. In other words, there would be two CVE IDs if
there were two bugs (one for each case) fixed independently.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU8fxVAAoJEKllVAevmvmsPEAIAI+BEhf4vgQeJ0DUdXbbYRsH
gJHqdlKZSMrPsu3TKKkahVLwifZaijJvMqTItzvZOPJQ5/E5Wv2CfHZxWiJYDSwq
JEszf1IUAA0trny8h8wDtj8sAbDG5m/yTYEIp68bp/zxn/1g7ti9arzBjZXQUmpM
3HAJE8l2ajIwRgtq3TJagTJ8uFpMb9qh1fXmL5SoMP8y/dfRPgT0IntIQtg3LzgB
RLPFpY+6Ftk1GSK7ZcamWt1CSnk/UPWjKCbpqTWa6z4HNdcNuO6CFwpMLH/e3P2t
pTFlLW+z6pxTmPAfkB9mspAR2vGVyfbBMpktxwpUTSNtkxemfC8RAU60WvRyOHc=
=aQwW
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.