oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2013-6800 is a dup of CVE-2013-1418

From: cve-assign () mitre org
Date: Tue, 4 Mar 2014 12:35:06 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6800
is the same issue as 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418

(basically the same code fix for the same issue,


The scope of CVE-2013-1418 is this part of
c2ccf4197f697c4ff143b8a786acdd875e70a89d:

  Multi-realm KDC null deref [CVE-2013-1418] ... If a KDC serves
  multiple realms, certain requests can cause setup_server_realm() to
  dereference a null pointer, crashing the KDC.

  CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C


The scope of CVE-2013-6800 is this part of
c2ccf4197f697c4ff143b8a786acdd875e70a89d:

  A related but more minor vulnerability requires authentication to
  exploit, and is only present if a third-party KDC database module can
  dereference a null pointer under certain conditions.


The practical relevance of the second CVE is that, based on the
available information, a KDC apparently can be vulnerable to
CVE-2013-6800 even if the CVE-2013-1418 exploitation conditions are
not met. The vendor's disclosure binds the CVE-2013-1418 ID only to a
subset of the c2ccf4197f697c4ff143b8a786acdd875e70a89d comment. This
was accompanied by a similar binding within third-party references
such as 1026942 in the Red Hat Bugzilla. It is conceivable that
someone would want to track CVE-2013-6800 even if they determined that
CVE-2013-1418 was not relevant to their installation.

In general, even if a single patch could address two distinct types of
attacks, that does not necessarily mean that two CVEs are duplicates.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTFgz+AAoJEKllVAevmvmsg2AIAK3YEISuzaCFszqZIUMc7xTu
c19WulvIAzWTzCplCiYsq/y9y146PKCNSKeYZM9pLx/Nk5kz0m9627YmqCOxbzMx
7xQw0fn5F07/wOn2HFGdh6MxC1J7qGK+2EyBeL6yYdTEY4aNdLNGTZZP5YzQAP7O
yHL7Bh2ko3WWZKZ2f4qTGzRvbN7G5ZDQzTsTYDJUhqQUuvMCnP8NpnTb7qC/RGNH
k+u7lkohA/1gst476tb/uVSAYfwH/8zPkhygC6WlSRwrs3DoP+T6Ycle+6+1hH4z
7dlr1GXmAx989KG6TsjY+gmM9DHAnAOTM9wMA1ext8OWX7a40qVFlhZbQMr+M8Q=
=oIex
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: