oss-sec mailing list archives
Re: Duplicated CVE assignment for bip
From: "Steven M. Christey" <coley () mitre org>
Date: Thu, 2 Jan 2014 14:55:09 -0500 (EST)
Moritz,

These are two slightly different issues, although a casual reading of the descriptions does not make that sufficiently clear.
The original CNA assignment of CVE-2013-4550 did not consider that there appear to be two different types of issues, which means a SPLIT of the CVE ID.
The issues are disclosed in Bug 261 here: https://projects.duckcorp.org/issues/261

The first issue is that Bip will write to arbitrary sockets when run in daemon mode because stderr is closed: "when using SSL (client_side_ssl = true), bip will write an error to stderr when the SSL handshake fails. However, if it is running as a daemon, stderr will have been closed."
We narrowed the scope of CVE-2013-4550 to this first issue. Note that while the bug was apparently filed and public in 2011, it was given a CVE-2013-xxxx ID, but we don't usually reject an ID simply because it is out of sync with the disclosure date. We also didn't see a need to REJECT this CVE because of the scope change either, since it's in reasonably wide use.
The second issue covers connections that are never closed: "Also, when an SSL handshake error occurs, a socket is never closed, but remains in CLOSE_WAIT state forever. This happens because a socket that is set to have an error will never be closed."
A fix for the first issue would not necessarily guarantee a fix of the second issue, and the bugs are of different types. Therefore the second issue is SPLIT from the first. We assigned CVE-2011-5268 accordingly, since at the time of assignment, we knew that 2011 was the disclosure date.
When we published these CVEs, we probably should have notified oss-security, or at least modified CVE-2011-5268 and CVE-2013-4550's descriptions to reflect the close relationships. I apologize for that.
- Steve

On Thu, 2 Jan 2014, Moritz Muehlenhoff wrote:

> Hi,
> Seems there's a duplicated CVE ID for bip:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4550 and
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5268
> refer to the same bugreport.
>
> Since CVE-2013-4550 was used for much longer, CVE-2011-5268 should be rejected?
>
> Cheers,
> Moritz
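
The first issue in the message above (CVE-2013-4550) follows from the POSIX lowest-free-descriptor rule: once fd 2 is closed, the next socket the process obtains can be numbered 2, and anything logged to stderr is sent to that peer. The C sketch below is an added example, not code from bip or from either poster; the function name, the message text, and the socketpair standing in for a client connection are assumptions. It contrasts closing stderr with reopening it on /dev/null.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for the handshake error a daemon logs to stderr. */
static const char ERR_MSG[] = "SSL handshake failed\n";

/* Treat fd 2 the way a daemonizing process might, take a "client"
 * connection (a socketpair here), then log to stderr. Returns how many
 * bytes of the log line reached the client's end, or -1 on setup failure.
 *   harden == 0: fd 2 is closed and left free (the reported behaviour)
 *   harden != 0: fd 2 is reopened on /dev/null, so it stays occupied */
int bytes_leaked_to_peer(int harden)
{
    int sv[2], fd, saved, leaked = -1;
    char buf[64];
    ssize_t n;

    /* Known starting state: make sure fds 0..2 are all occupied. */
    while ((fd = open("/dev/null", O_RDWR)) >= 0 && fd < 3)
        ;
    if (fd < 0) return -1;
    close(fd);
    if ((saved = fcntl(STDERR_FILENO, F_DUPFD, 10)) < 0) return -1;

    close(STDERR_FILENO);
    if (harden && open("/dev/null", O_WRONLY) != STDERR_FILENO) goto out;

    /* Lowest-free-descriptor rule: if fd 2 is free, sv[0] becomes fd 2. */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) goto out;
    n = write(STDERR_FILENO, ERR_MSG, strlen(ERR_MSG)); /* the log call */
    n = recv(sv[1], buf, sizeof buf, MSG_DONTWAIT);     /* client's view */
    leaked = n > 0 ? (int)n : 0;
    close(sv[1]);
    if (sv[0] != STDERR_FILENO) close(sv[0]);
out:
    dup2(saved, STDERR_FILENO);   /* put the real stderr back */
    close(saved);
    return leaked;
}

int main(void)
{
    printf("stderr closed:       %d bytes reached the peer\n", bytes_leaked_to_peer(0));
    printf("stderr -> /dev/null: %d bytes reached the peer\n", bytes_leaked_to_peer(1));
    return 0;
}
```

Keeping fd 2 occupied addresses only the stray write; the second issue (sockets left in CLOSE_WAIT) is a separate descriptor-lifetime bug, which is why it received its own ID.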