Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE Requests (maybe): Linux kernel: various info leaks, some NULL ptr derefs
From: Solar Designer <solar () openwall com>
Date: Thu, 7 Mar 2013 23:48:16 +0400


On Thu, Mar 07, 2013 at 06:09:52PM +0000, Christey, Steven M. wrote:
This is a major challenge for CVE, but to do bug-based assignments [...]

What about per-subsystem assignments?  (In Linux kernel context and in
general.)  I think this is what would make sense here.  Kurt assigned
just one CVE ID for 21 bugs across multiple subsystems, with the only
things in common being that these are infoleak bugs and that they were
brought to oss-security at once.  With per-subsystem assignments, we'd
have up to 11 CVE IDs for these 21 bugs, or maybe fewer (depending on
what to count as separate subsystems) - but definitely not just 1.

Note - the more fundamental problem here is that CVE is being used much earlier in the disclosure process than it 
used to be, and it's basically being used as a universal bug ID.

Maybe CVE should support such use to the extent that it is reasonable
for CVE to do so.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]