Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sun, 1 Mar 2015 00:59:18 +0100
From: Zubin Mithra <zubin.mithra@...il.com>
To: blinken@...il.com
Cc: cve-assign@...re.org,
 oss-security@...ts.openwall.com
Subject: Re: CVE Request: PuTTY fails to clear private key information from memory

Signed PGP part
Use CVE-2015-2157.

This falls into a narrow set of situations in which a CVE ID can be
assigned even though the issue does not cross privilege boundaries.
The vendor is specifically announcing this as "This is a security
vulnerability." (Also, wiping private-key memory is a conventional
behavior seen in many products. It is not the same as wiping any
memory block that any researcher may feel is sensitive in some way.)

> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html

> However, if you ever told Pageant to delete a key from memory, it
> would not have properly deleted it: it would still have retained a
> copy by mistake due to this bug.

Because of the "this bug" wording, a single CVE ID is assigned.
However, in general, these two cases could be distinguished:

  - violating a user's reasonable expectations about what preemptive
    memory wiping should occur

  - providing a UI feature advertised as a way to tell a product to
    wipe a key from memory, accompanied by actual behavior in which no
    wiping occurs

with separate CVE IDs. In other words, there would be two CVE IDs if
there were two bugs (one for each case) fixed independently.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ