[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CONTENT DECISION: Different Program, Same Code

In a single candidate, Mike Prosser managed to touch on two different
CVE content decisions :-)

>- ------------------------------------------
>Candidate: CAN-1999-0358
>Proposer: 001
>Assigned: 19990617
>Announced: 19990617
>Category: SF
>Reference: BUGTRAQ:Jan29,1999
>Reference: COMPAQ:SSRT0583U
>Digital Unix 4.0 has a buffer overflow in the inc program of the mh
>Modify:  Ref'd SSRT has an 'at' vulnerable as well supposedly fixed by
>the patch.  Shouldn't this be included as a seperate CVE in this
>cluster. ref:BugTraq "Digital Unix Buffer Overflows: Exploits" from
>Lamont Granquist for both as well.

In this case, I believe we should distinguish between 'at' and 'inc'
since they are functionally different.  They might have the exact same
line of code that's the problem - say, due to a programmer reusing
code, or it's a classic mistake - but they are fundamentally different
binaries.  Therefore I make this distinction in what I'm creatively
calling the Different Program, Same Code content decision (I wish I'd
labeled these in the original paper I sent to everyone in April ;-)

Do you agree with this approach?  Those who advocate the Same Codebase
decision - is *this* just another example of "same codebase"?  Or are
we all basically agreed that a distinction should be made between
programs with fundamentally different functionality?

To round out the picture...  Suppose a number of different binaries
(same OS, etc.) all use the same library, and a vulnerability is
discovered in the library itself.  Is that 1 vulnerability, or
multiple?  To me, it's 1 - i.e. "Same Program Same Code" - because
that particular vulnerability is occurring in the same function, the
same line of code.

- Steve

Page Last Updated or Reviewed: May 22, 2007