Re: CVE Request: multiple bugs found in BFD libraries and Binutils' utilities

[Thuan Pham <thuanpv () comp nus edu sg>]

Dear Agostino,
Thank you very much for your prompt reply. I will choose the suitable bugs
based on your advice and submit to MITRE directly.
Many thanks,
Thuan

On Fri, Mar 17, 2017 at 4:15 AM, Agostino Sarubbo <ago () gentoo org> wrote:

> On Friday 17 March 2017 00:58:05 Thuan Pham wrote:
> > Could you please check whether these bugs are suitable for CVEs?
>
> Thuan,
> thanks for sharing.
>
> Since few time the cve requests happens on https://cveform.mitre.org
> instead
> of here.
>
> From some time of fuzz experience, from multiple cve requests and multiple
> feedback from mitre I'd say:
> - In any way you are able to crash a library, it needs a cve because it is
> supposed to receive multiple inputs.
> - Undefined behavior in a library also needs a cve.
> - while the bug is in a command line tool:
> 1) if it is a simple crash like fpe / segv, it is considered just an
> inconvenience.
> 2) if it is an overflow with read of size 1 is also considered an
> inconveniece
> unless you can demostrate any evidence of damage.
> The mentioned cases are not just an inconvenience unless there are common
> cases where you know that for example a webapp relies on this command line
> tool.
> 3) if it is an overflow with write access it should have a cve.
>
>
> @everyone, if you think it is wrong or I missed something feel free to
> correct
> me.
>
> --
> Agostino Sarubbo
> Gentoo Linux Developer