Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 25 Jul 2013 02:58:05 -0600
From: Kurt Seifried <>
CC: Matthew Wilkes <>
Subject: Re: Re: CVE Request - PloneFormGen, multiple vulnerabilities

Hash: SHA1

On 07/19/2013 07:53 AM, Matthew Wilkes wrote:
>> Sorry thought i had replied to this. I need links to the code 
>> commits/vuln code so I can confirm these.
>> To reiterate: so I can confirm CVE assignments, and prevent
>> duplicate assignments you *MUST* provide links to the code
>> commits/vulnerable code. I don't have the time to go hunting
>> through your source code for them. People need to start making
>> better CVE requests, or you're not going to get CVEs from me.
> Sorry, I wasn't aware you'd be wanting to trawl through the source 
> yourself, tried to provide enough context in the original.

Quite honestly I want to go through your source code, or for that
matter any ones source code I'm not personally responsible for like I
want to get kicked in the face by a horse.

But I also want to make sure CVE's get assigned correctly. So three
main problems arise:

1) Does the issue(s) need a CVE? sometimes they are security hardening
that look a lot like security vulnerabilities, but ultimately are not
(see Steven's recent email about timing attacks/user name disclosure
in Django for a good example of this).

2) incorrect SPLIT/MERGE of issues (it can be subtle)

3) duplicate CVE assignments

Having QUICK access to the source code vulns/corrections makes all the
above much much easier.

Plus I'm not the only one analysing these issues, other open source
vendors who ship your code may want to back port the fix, or make sure
the fix is correct, or look for similar problems in your source code.

Then you've got companies like iSIGHT Partners and iDefense (whom I
formerly contracted for) that are just two of literally HUNDREDS of
companies that go through all the stuff posted here (and
Bugtraq/Full-Disclosure, and every other security list on the planet).
This means rather then HUNDREDS of people having to hunt down the
specific source code links/patches the original CVE requester makes
sure it gets taken care. This scales and is much more efficient. Plus
the original requester is a lot more likely to get it correct.

You're not asking for CVE's in a vacuum. CVE's are widely used by
literally millions of people and organizations, we need to make sure
they are done right or we will cause an obscene amount of time and
money to be wasted.

CVE assignment to follow tomorrow because it's 3am here.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Version: GnuPG v1.4.13 (GNU/Linux)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.