Date: Fri, 17 Mar 2017 12:56:55 +0800
From: Thuan Pham <thuanpv@...p.nus.edu.sg>
To: Agostino Sarubbo <ago@...too.org>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE Request: multiple bugs found in BFD libraries and Binutils' utilities

Dear Agostino,

Thank you very much for your prompt reply. I will choose the suitable bugs based on your advice and submit to MITRE directly.

Many thanks,
Thuan

On Fri, Mar 17, 2017 at 4:15 AM, Agostino Sarubbo <ago@...too.org> wrote:
> On Friday 17 March 2017 00:58:05 Thuan Pham wrote:
> > Could you please check whether these bugs are suitable for CVEs?
>
> Thuan,
> thanks for sharing.
>
> For some time now the CVE requests have been happening on https://cveform.mitre.org
> instead of here.
>
> From some fuzzing experience, from multiple CVE requests and multiple
> pieces of feedback from MITRE, I'd say:
> - If in any way you are able to crash a library, it needs a CVE because it is
>   supposed to receive multiple inputs.
> - Undefined behavior in a library also needs a CVE.
> - While the bug is in a command line tool:
>   1) if it is a simple crash like FPE / SEGV, it is considered just an
>      inconvenience.
>   2) if it is an overflow with a read of size 1, it is also considered an
>      inconvenience unless you can demonstrate any evidence of damage.
>      The mentioned cases are not just an inconvenience unless there are common
>      cases where you know that, for example, a webapp relies on this command line
>      tool.
>   3) if it is an overflow with write access, it should have a CVE.
>
> @everyone, if you think it is wrong or I missed something feel free to
> correct me.
>
> --
> Agostino Sarubbo
> Gentoo Linux Developer