oss-sec mailing list archives

RE: CVE Requests (maybe): Linux kernel: various info leaks, some NULL ptr derefs


From: "Christey, Steven M." <coley () mitre org>
Date: Thu, 7 Mar 2013 18:09:52 +0000

This is a major challenge for CVE, but to do bug-based assignments will make CVE too dependent on the amount of 
vulnerability details that are available at the time of a CVE request - and those details vary widely.  While it is a 
problem for the distros, I have generally had the perspective that it is ultimately their responsibility to track which 
portions of a CVE are fixed, and when.

Note - the more fundamental problem here is that CVE is being used much earlier in the disclosure process than it used 
to be, and it's basically being used as a universal bug ID.  I strongly encourage the Linux community to consider 
adopting their own ID scheme.

I made comments similar to this a couple years ago, but I can't easily find the reference right now.

- Steve


-----Original Message-----
From: Solar Designer [mailto:solar () openwall com] 
Sent: Thursday, March 07, 2013 4:19 AM
To: oss-security () lists openwall com
Subject: Re: [oss-security] CVE Requests (maybe): Linux kernel: various info leaks, some NULL ptr derefs

Kurt -

On Thu, Mar 07, 2013 at 02:13:37AM -0700, Kurt Seifried wrote:
> Bundling the following into a single CVE:
> [...]
> Please use CVE-2012-6138 for these issues.

I think this is wrong.  I would understand if those issues were all in
the same subsystem at least (or if you assigned per-subsystem CVE IDs
for these), but this is not the case.  Many distros will fix some, but
not the others, or not all at the same time.  There's room for a little
bit of bundling here, but not that much.

Alexander

