Date: Fri, 12 Sep 2014 14:39:58 -0400 (EDT)
Subject: Re: [CVE Requests] rsync and librsync collisions

> The below still require a CVE or two (unless MITRE disagrees).

>> I think there should be CVEs assigned for this:
>> rsync: MD5 collision DoS attack or limited file corruption
>> librsync: MD4 collision file corruption
>> Note: librsync is not the same code, protocol or maintainer as rsync.

The short answer is that we neither agree nor disagree at present; we
think that either any required CVE assignment can be made by us after
a full public disclosure, or any required CVE assignment can be made
by a different CNA now.

Further details: MITRE has been contacted about this rsync and
librsync report through multiple channels. The reply that we sent
wasn't previously copied here because it didn't seem to be about a
publicly known vulnerability.

MITRE has no role in determining the list charter, but says
"List Content Guidelines ... Public security issues only please." says "my last
response from Wayne was effectively denying that this is a
vulnerability" and "I won't provide full details yet, but if any
distributions would like some collisions to perform specific tests
(perhaps on Openstack Swift), please get in contact privately." adds "I have
provided a privileged few with PoC" and "My plan was to wait for fixes
before releasing the full write-up and code."

Our feeling is that, if the issue is not really public, sending a CVE
request to the oss-security list is not a standard procedure. It seems
that the simplest way forward would occur if one of the
above-mentioned "privileged few" is a CNA on the list. They can evaluate the
information that they have and make one or more CVE assignments. If
the meaning of the CVE assignments is understandable without referring
to the non-public details, then it might be useful to send the CVE
assignments here, even before the full public disclosure.

MITRE is not currently interested in receiving an advance copy of the
full public disclosure or any related PoC information from anyone.
We'll see whether the CNA process above can work.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]