Date: Sat, 28 Feb 2015 12:37:10 -0500 (EST) From: cve-assign@...re.org To: blinken@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: PuTTY fails to clear private key information from memory -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Use CVE-2015-2157. This falls into a narrow set of situations in which a CVE ID can be assigned even though the issue does not cross privilege boundaries. The vendor is specifically announcing this as "This is a security vulnerability." (Also, wiping private-key memory is a conventional behavior seen in many products. It is not the same as wiping any memory block that any researcher may feel is sensitive in some way.) > http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html > However, if you ever told Pageant to delete a key from memory, it > would not have properly deleted it: it would still have retained a > copy by mistake due to this bug. Because of the "this bug" wording, a single CVE ID is assigned. However, in general, these two cases could be distinguished: - violating a user's reasonable expectations about what preemptive memory wiping should occur - providing a UI feature advertised as a way to tell a product to wipe a key from memory, accompanied by actual behavior in which no wiping occurs with separate CVE IDs. In other words, there would be two CVE IDs if there were two bugs (one for each case) fixed independently. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJU8fxVAAoJEKllVAevmvmsPEAIAI+BEhf4vgQeJ0DUdXbbYRsH gJHqdlKZSMrPsu3TKKkahVLwifZaijJvMqTItzvZOPJQ5/E5Wv2CfHZxWiJYDSwq JEszf1IUAA0trny8h8wDtj8sAbDG5m/yTYEIp68bp/zxn/1g7ti9arzBjZXQUmpM 3HAJE8l2ajIwRgtq3TJagTJ8uFpMb9qh1fXmL5SoMP8y/dfRPgT0IntIQtg3LzgB RLPFpY+6Ftk1GSK7ZcamWt1CSnk/UPWjKCbpqTWa6z4HNdcNuO6CFwpMLH/e3P2t pTFlLW+z6pxTmPAfkB9mspAR2vGVyfbBMpktxwpUTSNtkxemfC8RAU60WvRyOHc= =aQwW -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ