Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 29 Aug 2017 14:46:22 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security <oss-security@...ts.openwall.com>
Subject: A bunch of duplicate CVEs requested for?? bho..

Hi all.

In the last time there are some people that run afl for fuzzing...that's just 
fine and great. Some people miss to communicate their findings to upstream and 
request a CVE from mitre.
However I'm noticing that every day there are new duplicates, let me post some 
examples:

1) posted by owl337 on the redhat bugzilla, found by me months ago:

https://nvd.nist.gov/vuln/detail/CVE-2017-13753 duplicate of:
https://nvd.nist.gov/vuln/detail/CVE-2016-9396



The other recent examples here: http://i.imgur.com/q8g9SQi.png

2) Other duplicates are filed from qflb.wu which posts on full-disclosure.
http://seclists.org/fulldisclosure/2017/Jul/author.html
See about lame/mpg123/libmad
Some CVEs about lame was issued, also there are an high number of 
vulnerabilities never confirmed by upstream nor posted on their bug tracking 
system. Yes, sometimes I receive emails that say that the bug is not 
reproducible but I'm always trying to help to reproduce. Instead some report 
says: "If you want the poc please contact me at $email"

How to avoid to file duplicate? for the example number 1 just checking here:
https://marc.info/?l=oss-security&w=2&r=1&s=JPC_NOMINALGAIN&q=b
https://nvd.nist.gov/vuln/search/results?
adv_search=false&form_type=basic&results_type=overview&search_type=all&query=JPC_NOMINALGAIN


Another strange thing, time ago I discovered an FPE in lame, which happens 
only in the command-line tool:
https://blogs.gentoo.org/ago/2017/06/17/lame-divide-by-zero-in-parse_wave_header-get_audio-c/

After digging I discovered it was already reported by Brian Carpenter here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777159 which says:

"fortunately, this is all in the frontend code in
frontend/get_audio.c:parse_wave_header() and not in the library"

At the time I filed the CVE request I failed too see that it is not suitable 
for a CVE, follow what mitre said about:
"There is no CVE ID for this. Even if a web site runs the lame
command-line tool, a divide-by-zero error does not have any
availability impact for the web service, because the crash would occur
in an independent process."

Great..fine..that was my bad, but months later we have:
https://nvd.nist.gov/vuln/detail/CVE-2017-11720
"There is a division-by-zero vulnerability in LAME 3.99.5, caused by a 
malformed input file."
which points to:
https://sourceforge.net/p/lame/bugs/460/
Fortunately the author shared the poc and the password.

I'm providing (http://i.imgur.com/GDWnHRM.png) a screenshot md5sum-included to 
demonstrate that the issues are identically.


Does someone know:
1) How to avoid that CVE duplicates are issued?
2) Why the same issue was considered not-suitable and months later suitable 
for a CVE?

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ