oss-sec mailing list archives

Re: CVE Request: Regression introduced in cacti with fix for CVE-2013-1435

From: Vincent Danen <vdanen () redhat com>
Date: Thu, 8 Aug 2013 14:16:39 -0600

* [2013-08-08 21:20:59 +0200] Salvatore Bonaccorso wrote:

Hi Kurt

The fix for CVE-2013-1435[1] introduced a regression:

[1] http://svn.cacti.net/viewvc?view=rev&revision=7393

It was reported in [2] and upstream proposed a fix [3] which was
confirmed to work by two of the involved people.

[2] http://sourceforge.net/mailarchive/message.php?msg_id=31262707
[3] http://sourceforge.net/mailarchive/message.php?msg_id=31262712

The corresponding svn commits should be the following:

[4] http://svn.cacti.net/viewvc?view=rev&revision=7408
[5] http://svn.cacti.net/viewvc?view=rev&revision=7409
[6] http://svn.cacti.net/viewvc?view=rev&revision=7413

Does this need a follow-up CVE assignment for the regression part
introduced?


My understanding would be no.  A follow-up CVE would be assigned if it
a) didn't fix the underlying security issue (it does) or b) introduced a
new security issue (it doesn't).

Botching the fix so that _functionality_ no longer works would not be
grounds for another CVE (although anyone backporting these would surely
want the additional fixes).

--

Vincent Danen / Red Hat Security Response Team

Current thread:

CVE Request: Regression introduced in cacti with fix for CVE-2013-1435 Salvatore Bonaccorso (Aug 08)
- Re: CVE Request: Regression introduced in cacti with fix for CVE-2013-1435 Vincent Danen (Aug 08)