Date: Sun, 1 Mar 2015 00:59:18 +0100 From: Zubin Mithra <zubin.mithra@...il.com> To: blinken@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: PuTTY fails to clear private key information from memory Signed PGP part Use CVE-2015-2157. This falls into a narrow set of situations in which a CVE ID can be assigned even though the issue does not cross privilege boundaries. The vendor is specifically announcing this as "This is a security vulnerability." (Also, wiping private-key memory is a conventional behavior seen in many products. It is not the same as wiping any memory block that any researcher may feel is sensitive in some way.) > http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html > However, if you ever told Pageant to delete a key from memory, it > would not have properly deleted it: it would still have retained a > copy by mistake due to this bug. Because of the "this bug" wording, a single CVE ID is assigned. However, in general, these two cases could be distinguished: - violating a user's reasonable expectations about what preemptive memory wiping should occur - providing a UI feature advertised as a way to tell a product to wipe a key from memory, accompanied by actual behavior in which no wiping occurs with separate CVE IDs. In other words, there would be two CVE IDs if there were two bugs (one for each case) fixed independently. -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ