Date: Sat, 9 Jul 2016 12:35:27 -0400
From: Glenn Randers-Pehrson <glennrp@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: On anonymous CVE assignments

On Fri, Jul 8, 2016 at 3:43 PM, Glenn Randers-Pehrson <glennrp@...il.com>
wrote:

> CVE-2016-3751(H)
>
> On Fri, Jul 8, 2016 at 9:55 AM, Kurt Seifried <kseifried@...hat.com>
> wrote:
>
>> Also if projects don't like "Surprise" CVEs one way to deal with that is
>> to request the CVE's themselves when they know something is a security
>> vulnerability. Also making it easy to contact them helps, the harder you
>> make it for a security researcher to deal with you, the less likely they
>> are to.
>>
>
> It's hard to do that when a "surprise" CVE was never sent to the project,
> for example CVE-2016-3751(H) which just appeared in an Android security
> bulletin. It claims that libpng has a bug that allows privilege escalation
> and was reported 3 Dec 2015. I'm guessing that it is a duplicate of
> CVE-2015-8126 or CVE-2015-8472, but it's hard to tell for sure without
> seeing it. All I've been able to find out is that it is a "reserved" CVE,
> with no clue as to who reserved it.
>

I still haven't seen the CVE, but it seems that it is a report against a
fork of libpng, that had fallen several years out-of-date, and the CVE
is just a private catch-all for updating the fork to current libpng status.

> Glenn Randers-Pehrson
> libpng custodian
