Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20150228173710.70B0D6C0024@smtpvmsrv1.mitre.org>
Date: Sat, 28 Feb 2015 12:37:10 -0500 (EST)
From: cve-assign@...re.org
To: blinken@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: PuTTY fails to clear private key information from memory

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Use CVE-2015-2157.

This falls into a narrow set of situations in which a CVE ID can be
assigned even though the issue does not cross privilege boundaries.
The vendor is specifically announcing this as "This is a security
vulnerability." (Also, wiping private-key memory is a conventional
behavior seen in many products. It is not the same as wiping any
memory block that any researcher may feel is sensitive in some way.)

> http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not-wiped-2.html

> However, if you ever told Pageant to delete a key from memory, it
> would not have properly deleted it: it would still have retained a
> copy by mistake due to this bug.

Because of the "this bug" wording, a single CVE ID is assigned.
However, in general, these two cases could be distinguished:

  - violating a user's reasonable expectations about what preemptive
    memory wiping should occur

  - providing a UI feature advertised as a way to tell a product to
    wipe a key from memory, accompanied by actual behavior in which no
    wiping occurs

with separate CVE IDs. In other words, there would be two CVE IDs if
there were two bugs (one for each case) fixed independently.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU8fxVAAoJEKllVAevmvmsPEAIAI+BEhf4vgQeJ0DUdXbbYRsH
gJHqdlKZSMrPsu3TKKkahVLwifZaijJvMqTItzvZOPJQ5/E5Wv2CfHZxWiJYDSwq
JEszf1IUAA0trny8h8wDtj8sAbDG5m/yTYEIp68bp/zxn/1g7ti9arzBjZXQUmpM
3HAJE8l2ajIwRgtq3TJagTJ8uFpMb9qh1fXmL5SoMP8y/dfRPgT0IntIQtg3LzgB
RLPFpY+6Ftk1GSK7ZcamWt1CSnk/UPWjKCbpqTWa6z4HNdcNuO6CFwpMLH/e3P2t
pTFlLW+z6pxTmPAfkB9mspAR2vGVyfbBMpktxwpUTSNtkxemfC8RAU60WvRyOHc=
=aQwW
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.