Date: Tue, 29 Aug 2017 14:46:22 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security <oss-security@...ts.openwall.com>
Subject: A bunch of duplicate CVEs requested for?? bho..

Hi all.

Lately there are some people who run afl for fuzzing... that's just fine and great. Some people fail to communicate their findings to upstream and request a CVE from MITRE. However, I'm noticing that every day there are new duplicates; let me post some examples:

1) Posted by owl337 on the Red Hat bugzilla, found by me months ago:
https://nvd.nist.gov/vuln/detail/CVE-2017-13753
duplicate of:
https://nvd.nist.gov/vuln/detail/CVE-2016-9396

The other recent examples are here:
http://i.imgur.com/q8g9SQi.png

2) Other duplicates are filed by qflb.wu, who posts on full-disclosure:
http://seclists.org/fulldisclosure/2017/Jul/author.html
See about lame/mpg123/libmad.

Some CVEs about lame were issued; also there is a high number of vulnerabilities never confirmed by upstream nor posted on their bug tracking system. Yes, sometimes I receive emails saying that the bug is not reproducible, but I'm always trying to help reproduce it. Instead, some reports say: "If you want the poc please contact me at $email"

How to avoid filing duplicates? For example number 1, just check here:
https://marc.info/?l=oss-security&w=2&r=1&s=JPC_NOMINALGAIN&q=b
https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=JPC_NOMINALGAIN

Another strange thing: some time ago I discovered an FPE in lame, which happens only in the command-line tool:
https://blogs.gentoo.org/ago/2017/06/17/lame-divide-by-zero-in-parse_wave_header-get_audio-c/

After digging I discovered it was already reported by Brian Carpenter here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777159
which says: "fortunately, this is all in the frontend code in frontend/get_audio.c:parse_wave_header() and not in the library"

At the time I filed the CVE request I failed to see that it is not suitable for a CVE; here is what MITRE said about it: "There is no CVE ID for this. Even if a web site runs the lame command-line tool, a divide-by-zero error does not have any availability impact for the web service, because the crash would occur in an independent process."

Great.. fine.. that was my bad, but months later we have:
https://nvd.nist.gov/vuln/detail/CVE-2017-11720
"There is a division-by-zero vulnerability in LAME 3.99.5, caused by a malformed input file."
which points to:
https://sourceforge.net/p/lame/bugs/460/

Fortunately the author shared the poc and the password. I'm providing a screenshot, md5sum included, to demonstrate that the issues are identical: http://i.imgur.com/GDWnHRM.png

Does someone know:
1) How to avoid that CVE duplicates are issued?
2) Why the same issue was considered not suitable and months later suitable for a CVE?

-- 
Agostino Sarubbo
Gentoo Linux Developer