oss-sec mailing list archives
RE: CVE split and a missed file
From: "Christey, Steven M." <coley () mitre org>
Date: Thu, 9 Jan 2014 19:05:18 +0000
Some people may be wondering why these CVEs were even split at all, as many of them appear to have exactly the same vulnerability type, affected version, and commit.

For example, CVE-2013-7267, CVE-2013-7268, CVE-2013-7269, CVE-2013-7270, and CVE-2013-7271 are fixed in the same version and are the same type: "updates a certain length value without ensuring that an associated data structure has been initialized." However, we had information that these files were introduced to the kernel at different times. While we don't list a specific minimum-version in the description, it's apparent that each affects a slightly different range of kernel versions.

CVE-2013-7266 also comes from the same commit, but it's a length inconsistency, so on the surface it's a different vuln type than the others, which could be characterized as a length-calculation and/or initialization error.

- Steve