Re: Qualcom (and other) Android CVE IDs
On 06/06/2017 08:25 AM, Art Manion wrote:
> Good to see CVE used to identify vulnerabilities:
>
>
> https://source.android.com/security/bulletin/2017-06-01#qualcomm-closed-source-components
>
> but there's little or no information about any of these
> vulnerabilities. Lots of RESERVED.
>
> This touches on the use of CVE for "internal" finds. There's value
> in having a public label, but the lack of even summary information
> (minimal CVE entry) is problematic.
>
> - Art
Also the thread on oss-sec:
http://seclists.org/oss-sec/2017/q2/378
With some interesting notes like:
http://seclists.org/oss-sec/2017/q2/380
=======
I don't know about Apple itself but in the clusterfuzz reports I see 4
public bugs about sqlite. However they have a very small (2 days) range
of regression, i.e. a commit made in those two days causes the problem.
I didn't check, but I suspect they didn't go in any release.
FTR, the time you are seeing in the regression range is UTC:
https://github.com/google/oss-fuzz/issues/563
At this point I don't know if Apple refers to those issues or the
mentioned issues are not public.
--
Agostino Sarubbo
=======
Basically these issues have CVEs but neither I (nor anyone else really) has any
clue what is actually affected and if we need to deal with it or not.
Kind of defeats the point :P.
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com