oss-sec mailing list archives

Re: CVE Request -- logrotate -- nine issues

From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Fri, 4 Mar 2011 12:22:34 -0500 (EST)


On Fri, 4 Mar 2011, Solar Designer wrote:

Again, as I wrote to Florian, maybe the expectations here are changingover the years.

In general, that's what happens in CVE. Part of this may be that as themore obvious/severe issues get eliminated, less-severe issues are thengiven more attention. I try to watch out for edge cases that may"snowball" into large numbers of CVEs of limited utility - and you broughtup one such example of a snowball issue with the recognition oftechnically-unsafe-but-commonly-accepted file behaviors of various Unixcommands. However, there is no clearly-defined line (software is toocomplex and dynamic for that) and risk tolerance differs widely betweenindividuals. The PHP interpreted gets hit with various issues related tosandbox escaping (or an application attacking itself), but in a hostingscenario (fairly common these days), it's a concern to some consumers.

As remote code execution vectors dry up (for certain classes of software),people look elsewhere. As obvious remote vuln types get resolved, peoplelook for other issues of uncertain exploitability that cause a crash.Alexander, you've had a bit of experience in suddenly turning "bugs" into"vulnerabilities" ;-) The target is shifting over time and, by itsnature, spreading a wider net. As long as prioritization metrics likeCVSS follow suit (e.g. more severities of 4 and 5, less 10's), this is areasonable shift.

For CVE, there is no implied requirement for vendors to post advisoriesfor evey issue that has a CVE assigned. Vendors decide which issues aresevere enough to directly notify their consumers about. Granted, as thescope of CVE widens, this may increase the vendor workload.


Interesting discussion...

- Steve

Current thread:

Re: CVE Request -- logrotate -- nine issues, (continued)
- - - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steven M. Christey (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Dan Rosenberg (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steve Grubb (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Josh Bressers (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)
    - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 06)
  - Re: CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Steven M. Christey (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Jan Lieskovsky (Mar 04)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 05)
    - Re: CVE Request -- logrotate -- nine issues Jan Kaluža (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Paul Martin (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Josh Bressers (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Ludwig Nussel (Mar 07)
    - Re: CVE Request -- logrotate -- nine issues Josh Bressers (Mar 10)
    - Re: CVE Request -- logrotate -- nine issues Florian Zumbiehl (Mar 10)
    - Re: CVE Request -- logrotate -- nine issues Solar Designer (Mar 10)

(Thread continues...)