oss-sec mailing list archives
Re: Buffer overflow in /bin/su from UNIX v4
From: Solar Designer <solar () openwall com>
Date: Sat, 21 Mar 2026 19:00:13 +0100
On Sat, Mar 21, 2026 at 01:13:47PM -0400, kf503bla () duck com wrote:
> why assign cve to something irrelevant?
I guess because (ir)relevance isn't among criteria for (not) assigning a CVE, and because there may be value in having a non-ambiguous way to refer to historical vulnerabilities for illustration of how the current ones fit in historical context.

That said, I'm sure there are other cases of historical vulnerabilities that never got CVEs. Some were known prior to the CVE program start, so would need CVEs from before 1999. I think there's some value in that, but it would be a change. CVEs were not assigned for pre-1999 findings so far.

The 2025 in this CVE is almost certainly wrong, but I understand that no one had the resources to figure out the year it was first discovered.

Alexander
