List:       oss-security
Subject:    [oss-security] Re: Question about tmp flaws in non-default build options (e.g. Kerberos DEBUG_ASN1)
From:       cve-assign () mitre ! org
Date:       2015-05-27 15:26:45
Message-ID: 20150527152645.6482242E0B4 () smtpvbsrv1 ! mitre ! org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> only exist if you build with DEBUG_ASN1

As suggested in the
http://openwall.com/lists/oss-security/2014/01/29/10 post, unsafe
programming practices reachable in non-default builds are not within
the scope of CVE simply because the code exists. There must be
documentation indicating that an end user may wish to have the
applicable non-default build.

As far as we know, MIT Kerberos 5 does not document DEBUG_ASN1 for use
by end users. It seems reasonable to expect that those code sections
are only intended for use during development, and that there's a
cost/benefit tradeoff to addressing all possible risks to their
developers' machines. There won't be a CVE mapping for this DEBUG_ASN1
report unless the upstream vendor requests one.

> To: ... CVE ID Change <cve-id-change@mitre.org>

This report doesn't relate to the cve-id-change@mitre.org list.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]