[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)

* Steven M. Christey (coley@LINUS.MITRE.ORG) [000613 16:17]:
> Bill Fithen said:
> >> *4) If P1 and P2 are not fixed by the same patch or set of patches,
> >>     then they must remain SPLIT.
> >
> >I think this rule is inappropriate for CVE's purposes...  Vendors
> >package software according to the rules of their business, not
> >according to the technical content of the software...
> >most of the ones following this one are focused on the nature of the
> >vulnerability and the related software engineering practice that
> >produced it. This rule is not.
> So some of these rules, while moving away from looking at the bug
> itself, are designed to find "supporting evidence" that will help us
> to make a reasonably explainable (and repeatable) decision in the
> absence of good facts.  That said, the fact that patches are
> implemented differently might require at least a reordering of the
> "evidence" rules.

While sympathetic I agree with Bill. A patch really provides no 
strong "supporting evidence" that two vulnerabilities are the same
except that the vendor decided to fix them at the same time.

> - Steve

Elias Levy
Si vis pacem, para bellum

Page Last Updated or Reviewed: May 22, 2007