Re: CVE-2009-3297 samba/ncpfs/fuse issues granted individual 2010 CVE names?

[Vincent Danen <vdanen () redhat com>]

* [2010-03-03 13:01:18 -0500] Steven M. Christey wrote:

> On Tue, 2 Mar 2010, Vincent Danen wrote:
>
> > * [2010-03-02 13:05:28 -0500] nobody () redhat com via RT wrote:
> >
> > Hi, Steve.  I'm confused about these three CVEs, particularly since
> > CVE-2009-3297 was assigned to this issue (I suppose it would be more
> > correct to have 3 CVEs for the issue, but I'm not sure then why
> > CVE-2009-3297 was completely ignored unless you intend for it to be not
> > used/duplicated to one of these?).
>
> Sorry about not informing oss-security when I did this; I meant to.
>
> CVE-2009-3297 has been rejected since it was used heavily for 
> multiple issues that should have been assigned separate entries.  
> People weren't just using CVE-2009-3297 for Samba, they were using it 
> for fuse and others.

Ok, fair enough.  I thought that might have been the reason, but I was
unsure why we would drop CVE-2009-3297 altogether, but it makes sense.

> This rejection has since been uploaded to the CVE site:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3297
>
> Along with the three new CVEs:
>
> CVE-2010-0787 (Samba)
> CVE-2010-0788 (ncpfs)
> CVE-2010-0789 (FUSE)
>
> I try very hard to avoid doing this kind of split (and REJECT) except 
> when it seems like there will be a lot of confusion; I know how much 
> work it is to clean these up in advisories and so on.  I recognize 
> that many people have used CVE-2009-3297 for the Samba problem, but 
> it's been used in DEBIAN:DSA-1989 for FUSE and FEDORA-2010-1145 for 
> ncpfs, for example.  An administrator who thinks that "CVE-2009-3297 
> is fixed" might have solved the ncp issue but still be vulnerable to 
> the Samba issue.

I agree.  Fair enough.

> I had originally asked oss-security for clarification on this, 
> without an answer:
>
> http://www.openwall.com/lists/oss-security/2010/02/04/7
>
> (recognizing that I'm the most guilty party for not answering...) but 
> other situations forced me to clear this out.

Fair enough.  We probably should have replied to that as well.  =)

> > I'm also confused on using a 2010-based name since our bugzilla entry is
> > dated 2009-11-04, and Samba upstream has their reported dated
> > 2009-10-28, so these should have received 2009-based names.
>
> I agree - this was an error on my part, so I apologize for the confusion.

Ok, no worries.  Certainly wouldn't want you to reject the 2010 names
for 2009 ones now.  =)

Thanks for the clarification.

--
Vincent Danen / Red Hat Security Response Team