Re: Which "Codebases" do these candidates really split into?
On Mon, Jul 12, 1999 at 09:52:28PM -0500, Gene Spafford wrote:
| >Candidate: CAN-1999-0128
| >Reference: XF:ping-death
| >Reference: CERT:CA-96.26.ping
| >Oversized ICMP ping packets can result in a denial of service,
| >aka Ping o' Death.
| >AFFECTED OSes:
| > Digital Unix, FreeBSD, HPUX, AIX, IRIX, Linux, OSF/1, SCO, Solaris
| >QUESTION: is the appropriate codebase "Unix"? Or do we separate it
| >into BSD and System V? Or each individual OS?
| Systems that used the old BSD IP stack have this problem. The Linux
| stack was developed independently, as was (I believe) AIX. All of
| the others derived from the same underlying IP code. However, each
| one has undergone quite a bit of change.
| MacOS is also vulnerable in some versions. I believe VMS and
| NextStep were too.
| So here we have the problem of defining "same."
| Me feeling would be to split out each independent OS unless we know
| they use the same underlying code.
It seems clear to me that the relevant logic that leads to the system
crashing while processing ICMP have not changed. My definition of
codebase change and Spaf's seem to be different.
We agree on expresserve, which I've elided, and disagree on rlogin:
| > With rlogin being an old program and so many Unices being affected,
| > do we say this is just one codebase? What does it tell us (if
| > anything) to see that the problem had already been fixed in Linux
| > and NetBSD before the CERT advisory was released?
| rlogin is the codebase. It was the same on almost all these systems.
| The Linux and NetBSD versions were fixed before the advisory because
| they had groups doing proactive security screening. It doesn't
| change that the code base for rlogin was basically the same.
Here is the core of our disagreement. That linux and NetBSD code was
audited and changed to prevent the bug from working is the essense of
a codebase change thats relevant to the CVE. Code changes that don't
affect the vulnerability don't matter, because from the CVE viewpoint,
they're not code changes.