oss-sec mailing list archives

Re: A bunch of duplicate CVEs requested for?? bho..


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 29 Aug 2017 10:49:17 -0600

On Tue, Aug 29, 2017 at 10:44 AM, Bob Friesenhahn <bfriesen () simple dallas tx us> wrote:

On Tue, 29 Aug 2017, Agostino Sarubbo wrote:

Hi all.

Lately there are some people who run afl for fuzzing... that's just fine and great. Some people fail to communicate their findings to upstream and request a CVE from MITRE.
However I'm noticing that every day there are new duplicates, let me post some examples:


It is important to keep in mind that CVEs are issued against "products".
There might be a CVE issued against a software version distributed by Red
Hat or Debian which is not applicable to the upstream version.  Since each
distribution patches their version it is difficult to know the "product"
that a particular CVE is applicable to.


Actually no, that is incorrect. Please see the CVE counting rules, it's a
LOT more nuanced than "CVEs are issued against products". The docs are at

https://cve.mitre.org/cve/editorial_policies/counting_rules.html

TL;DR: CNT1 comes into play and you get situations like libxml/gzip being
embedded all over the place, but only a single CVE because 1) it's a single
code base that's copied everywhere and 2) pragmatism.

I agree that in my personal experience upstream maintainers are rarely
involved in the CVE process.


Something I am trying to change. If you are an upstream and you want to
become a CVE Numbering Authority (CNA) for your project(s) please contact
me.

Bob
--
Bob Friesenhahn
bfriesen () simple dallas tx us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/

-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
