Re: Level of Abstraction Issue: Similar Applications, "Same"Vulnerability

[Gene Spafford <spaf@cs.purdue.edu>]

At 5:46 PM -0400 6/29/99, Adam Shostack wrote:
>
>I suggest that the proper distinction is made when either we know or have
>solid reason to believe the code is different, and when the bug is not
>widespread across a large number of platforms.
>
>Thus, Spaf's question has an answer or one, and mine has an answer of
>three.

Actually, my answer would be three, too.

>
>| Suppose I send a carefully crafted set of packets to your Linux box.
>| Version 93.7 crashes, and version 93.8 lets me on as root.  The only
>| difference between the two is that some code in the disk driver was
>| changed.   Is this two CVE entries or one?
>
>Two.

And here I would answer 1.    :-)


--spaf