Re: Level of Abstraction Issue: Similar Applications, "Same"Vulnerability
At 5:46 PM -0400 6/29/99, Adam Shostack wrote:
>I suggest that the proper distinction is made when either we know or have
>solid reason to believe the code is different, and when the bug is not
>widespread across a large number of platforms.
>Thus, Spaf's question has an answer or one, and mine has an answer of
Actually, my answer would be three, too.
>| Suppose I send a carefully crafted set of packets to your Linux box.
>| Version 93.7 crashes, and version 93.8 lets me on as root. The only
>| difference between the two is that some code in the disk driver was
>| changed. Is this two CVE entries or one?
And here I would answer 1. :-)