oss-sec mailing list archives

Re: Duplicated CVE assignment for bip


From: "Steven M. Christey" <coley () mitre org>
Date: Thu, 2 Jan 2014 14:55:09 -0500 (EST)


Moritz,

These are two slightly different issues, although a casual reading of the descriptions does not make that sufficiently clear.

The original CNA assignment of CVE-2013-4550 did not consider that there appear to be two different types of issues, which means a SPLIT of the CVE ID.

The issues are disclosed in Bug 261 here:

https://projects.duckcorp.org/issues/261

The first issue is that Bip will write to arbitrary sockets when run in daemon mode because stderr is closed: "when using SSL (client_side_ssl = true), bip will write an error to stderr when the SSL handshake fails. However, if it is running as a daemon, stderr will have been closed."

We narrowed the scope of CVE-2013-4550 to this first issue. Note that while the bug was apparently filed and public in 2011, it was given a CVE-2013-xxxx ID, but we don't usually reject an ID simply because it is out of sync with the disclosure date. We also didn't see a need to REJECT this CVE because of the scope change either, since it's in reasonably wide use.

The second issue covers connections that are never closed: "Also, when an SSL handshake error occurs, a socket is never closed, but remains in CLOSE_WAIT state forever. This happens because a socket that is set to have an error will never be closed."

A fix for the first issue would not necessarily guarantee a fix of the second issue, and the bugs are of different types. Therefore the second issue is SPLIT from the first. We assigned CVE-2011-5268 accordingly, since at the time of assignment, we knew that 2011 was the disclosure date.

When we published these CVEs, we probably should have notified oss-security, or at least modified CVE-2011-5268 and CVE-2013-4550's descriptions to reflect the close relationships. I apologize for that.

- Steve
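To make the first issue concrete, here is an added illustration (not code from bip or from this thread) of why writing to a closed stderr is a socket-write hazard, alongside the usual hardening: a naive daemonize that merely close()s fd 2 lets the next socket the process opens inherit descriptor 2, so the "handshake failed" message is delivered to that peer; parking fd 2 on /dev/null instead keeps the descriptor occupied. The socketpair standing in for the SSL client and the message text are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/socket.h>

/* Returns the number of bytes the peer socket received from a write to
 * "stderr" after fd 2 was closed: >0 means the error text leaked to the
 * socket, 0 means it went to /dev/null (the hardened case). */
int leaked_bytes(int harden) {
    int saved_stderr = dup(2);       /* keep a copy so we can restore it */
    char buf[128];
    int sv[2];
    ssize_t n;

    close(2);                        /* what a naive daemonize() does */
    if (harden) {
        /* Hardening: fd 2 stays open on /dev/null, so it is never recycled */
        int devnull = open("/dev/null", O_WRONLY);
        dup2(devnull, 2);
        if (devnull != 2) close(devnull);
    }
    /* Next descriptor allocated is the lowest free one: fd 2 if not hardened.
     * sv[0] plays the daemon's client socket, sv[1] the remote peer. */
    socketpair(AF_UNIX, SOCK_STREAM, 0, sv);

    /* The error path: unbuffered write to descriptor 2 (constructed text) */
    const char *msg = "SSL handshake failed\n";
    write(2, msg, strlen(msg));

    /* Did the peer receive the message? Non-blocking read, 0 if nothing. */
    fcntl(sv[1], F_SETFL, O_NONBLOCK);
    n = read(sv[1], buf, sizeof buf);
    if (n < 0) n = 0;

    close(sv[0]);
    close(sv[1]);
    dup2(saved_stderr, 2);           /* restore the real stderr */
    close(saved_stderr);
    return (int)n;
}

int main(void) {
    printf("naive daemonize: %d bytes reached the peer\n", leaked_bytes(0));
    printf("hardened:        %d bytes reached the peer\n", leaked_bytes(1));
    return 0;
}
```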


On Thu, 2 Jan 2014, Moritz Muehlenhoff wrote:

Hi,
Seems there's a duplicated CVE ID for bip:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4550 and
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5268 refer
to the same bug report.

Since CVE-2013-4550 was used for much longer, CVE-2011-5268 should
be rejected?

Cheers,
       Moritz
