Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <Pine.GSO.4.64.1202231254510.17983@faron.mitre.org>
Date: Thu, 23 Feb 2012 13:10:40 -0500 (EST)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: oss-security@...ts.openwall.com
cc: muuratsalo experimental hack lab <muuratsalo@...il.com>,
        Ulli Horlacher <framstag@....uni-stuttgart.de>
Subject: Re: Vulnerabilitites in Debian F*EX <= 20100208 and
 F*EX 20111129-2.


Nico Golde said:

>>>> Can someone please assign a CVE id to this? Given that all of
>>>> the vulnerable input parameters are in the fup component, I
>>>> guess one id should be sufficient.

We actually need two CVEs here.

Which components the vulnerabilities are in, is rarely relevant for 
deciding how many CVEs to assign.  Much more critical is which versions 
are affected.  The original researcher provided two advisories for 2 
different versions.  So even though "fup" is affected, we mould need to 
SPLIT if there are some items/vectors/issues that affect different 
versions than others (hint: we will SPLIT.)

Kurt said:

> Please use CVE-2012-0869 for this issue.

Here are the breakdowns for the two advisories/versions:

F*EX <= 20100208
   fup / from parameter
   fup / to parameter
   fup / id parameter

F*EX 20111129-2
   fup / id parameter


So, based on the original report, we have:

   20100208 only:
     fup / from
     fup / to

   20100208 *and* 20111129-2
     fup / id

So, we MERGE the "fup" and "from" vectors since they affect the same 
version, and we SPLIT these from the "id" vector. (For the incredibly 
detail-oriented: whether the parameters come via GET or POST methods is 
irrelevant for CVE.)

Now, the question is which issue we link with CVE-2012-0869.  Since Debian 
bug 660621 focuses on the id parameter, and that paremeter affects both 
listed versions, I guess it makes sense to focus CVE-2012-0869 on the id 
parameter.

I've assigned CVE-2012-1293 for the "from" and "to" parameters that are 
only listed for 20100208.

- Steve

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.