oss-sec mailing list archives
Re: A bunch of duplicate CVEs requested for?? bho..
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 29 Aug 2017 10:49:17 -0600
On Tue, Aug 29, 2017 at 10:44 AM, Bob Friesenhahn <bfriesen () simple dallas tx us> wrote:

> On Tue, 29 Aug 2017, Agostino Sarubbo wrote:
>
>> Hi all.
>> Lately there are some people that run afl for fuzzing... that's just fine and great. Some people fail to communicate their findings to upstream and request a CVE from mitre. However I'm noticing that every day there are new duplicates, let me post some examples:
>
> It is important to keep in mind that CVEs are issued against "products". There might be a CVE issued against a software version distributed by Red Hat or Debian which is not applicable to the upstream version. Since each distribution patches their version it is difficult to know the "product" that a particular CVE is applicable to.
Actually no, that is incorrect. Please see the CVE counting rules, it's a LOT more nuanced than "CVEs are issued against products". The docs are at https://cve.mitre.org/cve/editorial_policies/counting_rules.html

TL;DR: CNT1 comes into play and you get situations like libxml/gzip being embedded all over the place, but only a single CVE because 1) it's a single code base that's copied everywhere and 2) pragmatism.

> I agree that in my personal experience upstream maintainers are rarely involved in the CVE process.
Something I am trying to change. If you are an upstream and you want to become a CVE Numbering Authority (CNA) for your project(s) please contact me.
> Bob
> --
> Bob Friesenhahn
> bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
> GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com