[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: MODIFY-01 cluster: 25 CERT candidates moved to MODIFICATION phase

Adam said:

> | Candidate: CAN-1999-0004
> [snip]
> | Reference: CERT:CA-98.10.mime_buffer_overflows
> | Reference: XF:outlook-long-name
> | Reference: SUN:00175
> |
> | MIME buffer overflow in email clients, e.g. Solaris mailtool
> | and Outlook.
> |
> [snip]
> >It occurs to me that there may be a [level of abstraction] issue
> >here. Why are we grouping all mailtools into one entry?  If we choose
> >to do this, we need to add at least Eudora as well.  Its fairly clear
> >to me that these are distinct.

I said:

> Note that the description singles out mailtool and Outlook, ignoring
> the other applications that are affected.  Assuming we agree on the
> LOA, should the description be modified to list all affected clients?

Andre said:

>we could go two ways on this type of issue: either
>enumerate all the mailers and risk missing one (which IMHO is a
>function of a vulnerability database (VDB), not the CVE) or use a
>general term, such as 'some MIME-compliant mailers..."

I believe that there are enough MIME vulnerabilities out there that
someone "looking up" the name of this vulnerability might be able to
better distinguish this vulnerability from others if we do list all
the affected mailers, or at least a reasonable portion of them.  In my
opinion, the requirement for a distinctive description holds
precedence here.  I think the general term that Andre suggested is, in
this case, too general.

I agree that it's a VDB's job to be complete on this sort of
information, but it's not a requirement for the CVE.

>If we choose to enumerate, then it'll cascade into 'not listing all
>OSes, versions, etc.', which again degrades into a VDB's job (no
>offense to those who own VDBs).

If we take the same approach as I am with CVE references - i.e.,
there's no *requirement* to be complete, just a strong preference to
provide enough to be distinctive - then we might be able to avoid this
cascading problem in most cases.  But for some vulnerabilities that
are similar, the "distinctive description" requirement may force us to
include this kind of information.

The same problem can happen with including OS or application versions.
We don't *need* to include versions, unless they help to distinguish
similar vulnerabilities.  Consider "Sendmail buffer overflow" - that
still applies to 5+ different vulnerabilities, so including the
version number helps to distinguish the different vulnerabilities.  On
the other extreme, one-word descriptions like "phf" or "Ping o' Death"
are sufficiently distinctive (at this time, anyway ;-)) with almost no
information whatsoever.

- Steve

Page Last Updated or Reviewed: May 22, 2007