oss-sec mailing list archives
Re: On anonymous CVE assignments
From: Glenn Randers-Pehrson <glennrp () gmail com>
Date: Sat, 9 Jul 2016 12:35:27 -0400
On Fri, Jul 8, 2016 at 3:43 PM, Glenn Randers-Pehrson <glennrp () gmail com> wrote:
*CVE*-*2016*-*3751*(H) On Fri, Jul 8, 2016 at 9:55 AM, Kurt Seifried <kseifried () redhat com> wrote:Also if projects don't like "Surprise" CVEs one way to deal with that is to request the CVE's themselves when they know something is a security vulnerability. Also making it easy to contact them helps, the harder you make it for a security researcher to deal with you, the less likely they are to.It's hard to do that when a "surprise" CVE was never sent to the project, for example *CVE*-*2016*-*3751*(H) which just appeared in an Android security bulletin. It claims that libpng has a bug that allows privilidge escalation and was reported 3 Dec 2015. I'm guessing that it is a duplicate of CVE-2015-8126 or CVE-2015-8472, but it's hard to tell for sure without seeing it. All I've been able to find out is that it is a "reserved" CVE, with no clue as to who reserved it.
I still haven't seen the CVE, but it seems that it is a report against a fork of libpng, that had fallen several years out-of-date, and the CVE is just a private catch-all for updating the fork to current libpng status.
Glenn Randers-Pehrson libpng custodian
Current thread:
- On anonymous CVE assignments Lior Kaplan (Jul 08)
- Re: On anonymous CVE assignments Kurt Seifried (Jul 08)
- Re: On anonymous CVE assignments Glenn Randers-Pehrson (Jul 08)
- Re: On anonymous CVE assignments Glenn Randers-Pehrson (Jul 09)
- Re: On anonymous CVE assignments Glenn Randers-Pehrson (Jul 08)
- Re: On anonymous CVE assignments Kurt Seifried (Jul 08)