oss-sec mailing list archives

Re: CVE Request: Multiple vulnerabilities in freexl 1.0.0g

From: cve-assign () mitre org
Date: Fri, 27 Mar 2015 19:46:40 -0400 (EDT)

> Don't you usually combine similar issues into one CVE anyway? Same
> reported type ("stack corruption"

In this context, we don't look at stack corruption as a "type."

In general, the number of assigned CVE IDs can depend on both the
inline text of the oss-security request message as well as other
information that may be available at relatively low cost.

Here are two examples. (We'll use "integer underflow" in the
examples even though that can be vague, as discussed under Alternate
Terms at http://cwe.mitre.org/data/definitions/191.html.)

Real example in open-source FreeXL code:

  #1:  A flaw was found in the way FreeXL reads sectors from the input
  file. A specially crafted file could possibly result in stack

  #3: A flaw was found in the way FreeXL handles a premature EOF. A
  specially crafted input file could possibly result in stack corruption

  Both of these say "stack corruption." However, #1 is about
  "workbook->sector_end <= (workbook->p_in - workbook->sector_buf)" -
  the unpatched code omitted a necessary test for an integer
  underflow. #3 is not related to an integer underflow.

Hypothetical example:

  ClosedSourceProduct 1.1 changelog

  1.1 is a mandatory security update to address these two
  stack-corruption issues:

  - fixed an integer underflow vulnerability (Bug #123)

  - fixed an EOF handling vulnerability (Bug #456)

If reasonably possible, we want the number of CVE IDs to be the same
in the open-source example and the closed-source example.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]