
List:       oss-security
Subject:    Re: [oss-security] Buffer Overflow in raptor widely unfixed in Linux distros
From:       "David A. Wheeler" <dwheeler () dwheeler ! com>
Date:       2020-11-16 17:43:10
Message-ID: E25813A6-081D-4B42-AD7E-8D38F5320D7E () dwheeler ! com


> On Fri, Nov 13, 2020 at 01:33:31PM +0100, Hanno Böck wrote:
> > 3 years ago I reported a heap overflow vulnerability in raptor, an RDF
> > parsing library:
> > https://www.openwall.com/lists/oss-security/2017/06/07/1
> > ... Maybe noteworthy is that this didn't get a CVE in 2017. It seems many
> > distros rely on CVEs to get a process of backporting fixes rolling. Given
> > the fluctuating reliability of CVE assignments not sure this is wise. I have
> > now requested a CVE (CVE-2017-18926).
...

> On Nov 14, 2020, at 6:58 AM, Marcus Meissner <meissner@suse.de> wrote:
> I think the only thing you can do additional is to request a CVE.
> 
> All tracking by everyone is using CVEs, this is the core identifier
> of the software security world.

I think this is key. If you find a vulnerability, you typically need to ensure that
it gets a CVE assigned if you want coordination & resolution to happen. It's how
coordination happens. There are issues with CVEs, but I've never seen a CVE
assignment get dropped in recent years once it was requested properly.
Delayed, yes, but I know CVE assignments don't take 3 years :-).
And yes, there are special issues with the Linux kernel, but this package isn't the
Linux kernel.

If you think that CVE assignment is still of "fluctuating reliability" I'd like to
hear that argument and get it fixed. It's normally better to fix the standard process
for doing something than to create yet another process that runs in parallel. I've
seen no recent evidence of this reliability issue.

Sing this (to "Single Ladies"):
"If you like it, then you shoulda put a CVE on it..."

--- David A. Wheeler


