oss-sec mailing list archives

Re: CVE Request - tidy 0.99 / tidy5 heap-buffer-overflow


From: Alessandro Ghedini <ghedo () debian org>
Date: Tue, 14 Jul 2015 00:03:03 +0200

On Mon, Jul 13, 2015 at 05:37:49PM -0400, cve-assign () mitre org wrote:
> One complication here is that the CVE request was sent to oss-security
> without mentioning that a CVE request had been sent privately to one
> Linux distribution a few weeks before that. See:
> 
>   https://github.com/htacg/tidy-html5/issues/217#issue-84488886
> 
>   I contacted Debian about the issue on May 17, so far I have not
>   received a response about a CVE assignment.
>   ...
>   Date: Sun, May 17, 2015 at 8:11 PM
>   Subject: tidy heap-buffer-overflow
>   To: security () debian org
> 
> (added security () debian org to the Cc line)
> 
> Our only question for Debian is: did Debian already assign any CVE
> ID(s) for this? If not, then MITRE will.

No, we did not assign any CVE for this issue.

FWIW the reason was that by the time we got around to replying to Fernando, the
issue had already been made public on GitHub, so we recommended that he come
straight to oss-security for a CVE assignment.

Cheers
