[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request: PuTTY fails to clear private key information from memory
From:       Zubin Mithra <zubin.mithra () gmail ! com>
Date:       2015-02-28 23:59:18
Message-ID: 9BED3ED4-66D7-4DA7-8F04-116ADF2A493F () gmail ! com
[Download RAW message or body]

Signed PGP part
Use CVE-2015-2157.

This falls into a narrow set of situations in which a CVE ID can be
assigned even though the issue does not cross privilege boundaries.
The vendor is specifically announcing this as "This is a security
vulnerability." (Also, wiping private-key memory is a conventional
behavior seen in many products. It is not the same as wiping any
memory block that any researcher may feel is sensitive in some way.)

> =
http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/private-key-not=
-wiped-2.html

> However, if you ever told Pageant to delete a key from memory, it
> would not have properly deleted it: it would still have retained a
> copy by mistake due to this bug.

Because of the "this bug" wording, a single CVE ID is assigned.
However, in general, these two cases could be distinguished:

  - violating a user's reasonable expectations about what preemptive
    memory wiping should occur

  - providing a UI feature advertised as a way to tell a product to
    wipe a key from memory, accompanied by actual behavior in which no
    wiping occurs

with separate CVE IDs. In other words, there would be two CVE IDs if
there were two bugs (one for each case) fixed independently.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

[prev in list] [next in list] [prev in thread] [next in thread]