Re: On anonymous CVE assignments

[Glenn Randers-Pehrson <glennrp () gmail com>]

*CVE*-*2016*-*3751*(H)

On Fri, Jul 8, 2016 at 9:55 AM, Kurt Seifried <kseifried () redhat com> wrote:

> Also if projects don't like "Surprise" CVEs one way to deal with that is to
> request the CVE's themselves when they know something is a security
> vulnerability. Also making it easy to contact them helps, the harder you
> make it for a security researcher to deal with you, the less likely they
> are to.

It's hard to do that when a "surprise" CVE was never sent to the project,
for example  *CVE*-*2016*-*3751*(H) which just appeared in an Android
security
bulletin.  It claims that libpng has a bug that allows privilidge escalation
and was reported 3 Dec 2015. I'm guessing that it is a duplicate of
CVE-2015-8126 or CVE-2015-8472, but it's hard to tell for sure without
seeing it.  All I've been able to find out is that it is a "reserved" CVE,
with
no clue as to who reserved it.

Glenn Randers-Pehrson
libpng custodian