Re: OS command injection vulnerability in Chicken Scheme

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/29/2013 01:50 PM, Peter Bex wrote:
> On Mon, Apr 29, 2013 at 01:33:12PM -0600, Kurt Seifried wrote:
> > > The full announcement is here: 
> > > http://lists.nongnu.org/archive/html/chicken-announce/2013-04/msg00000.html
> >
> >
> > >
Please use CVE-2013-2024 for this issue.
> Thank you.
>
> > > By the way, I'm confused as to why the CVEs I've requested so
> > > far don't show up in NVD.  For example, 
> > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6122
> > > says the CVE does not exist, but Kurt assigned it in February:
> > >  http://www.openwall.com/lists/oss-security/2013/02/08/2
> > >
> > > The other CVE numbers in that mail produce a "not found" page
> > > as well and an NVD database search for "chicken" turns up
> > > nothing related to Chicken Scheme.  The page says the database
> > > was last updated April 19th 2013, so that's not the cause
> > > either.
> >
> > Because Mitre has a large backlog of CVE's to research and write
> > up. Submitting researched/written entries to them will probably
> > result in your entries being posted faster. Try to remember that
> > CVE pushed thousands of these a year, the volume is
> > considerable.
>
> What sort of information would they require, besides the advisory I
> posted in my mail?  If there's something I can do better to make 
> their lives easier, I will certainly consider it!

Format it in their standard format (search for similar entries here
http://cve.mitre.org/cve/cve.html) and submit that, I'm sure steve
won't mind. Also the research/verification side of the data
(links/notes/etc.) if you can.

> > Apologies for the late reply
>
> No problem!
>
> Cheers, Peter


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRft86AAoJEBYNRVNeJnmT5rMP/Apx5kpbh+WPwJC9GFtvjpIX
Eq74Uyu/zZY9mou28N7OB/R2xzTwpgqQ6wxTKIl6RbN3uKA7ptR+Y6TyMP9vvXm6
I1OruyfFMbj0/rHrr4BNy1uS/bPs4F+CCTRVHJDtFF8yjg/8F/5+M2Z6kHyAGylZ
ktfrukwBogaOfHsy97XWKGLuQJP0rjjt/cfKfySkUfbAReCH4U9Ft6LtbqXgSX5V
fCSWZEjHnjpxlzmw4sjyXzpH/wYiIIYnKEXJjZhHGV/kZ/QPxldFusTWvPRDunUF
OjYjz5bdbfJQu9HHf1TMf5F1Z8TBhzzAaR394SX+eFqh3714RZfktyI7D+39o2kH
7QLSZg3/iqCMTrStuioo/nXuR97tnqXSdKUxvMT8VO0qLpKwR+4ffkzcqfHwRkFP
d0f44nxmg3qhymJMQ+frLs1GNX1DNJKtwLBGGCu0XBXe3TDf8JD632uzcqpitanD
UZs+rNIWAEhc+eAKPuwTzlTuLdefjdf2SyuC69ycIzRPkHkU/I+gEljOF4yFWcjR
HpucFW+EHSuN+nERoRAKAirMAeVnNACloWbnw7BJa4xs9SdrkKfslk64vzZ1kXWz
0ZeWnJmPJl+G0lAfPt6K9Dj5kFm+w4gNgQOoEFL/BMJ4aFYqvC9pxYSEO9+CGm9f
W8yhBhirKHyuAlFeZuME
=OwlV
-----END PGP SIGNATURE-----