[CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
The following content decision (CD) is related to cases in which multiple
software flaws appear in the same application at the same time.

CD Proposal Date: 6/12/2000
Voting Period: 7/10/2000
Final Decision: 7/24/2000

************************************************************************
CD:SF-LOC (Software flaws in different lines of code)
************************************************************************

Type: ABSTRACTION
Version: 1.0
Proposed: 6/12/2000
Final Decision: N/A

Short Description
-----------------

If two or more different software flaws occur in different lines of code
in the same executable or library, then record them in different entries.
(Informally, distinguish between different bugs in the same software.)

Definitions
-----------

All definitions are informal.

A "library" is a set of functions that are packaged into the same file,
which is then accessed by multiple programs that use those functions.
DLLs, C libraries, and Perl modules are all examples of "libraries."

The "trigger code" is the specific line in the source code whose
execution affects the system's security. For example, the trigger code
for a buffer overflow might be a call to the strcat() function which
causes the overflow and overwrites a stack pointer, or the trigger code
for a packet reassembly problem might be the specific line of code that
causes the affected system to crash.

Affected Candidates
-------------------

All active candidates that are affected by this content decision can be
obtained via the following URL:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CD:SF-LOC

Application
-----------

If a * appears before a CD item, then if that item applies to P1 and P2,
then the remainder of the CD should not be applied.

Note: this CD intersects with CD:SF-EXEC with respect to software flaws
that occur in libraries.

Consider two problems, P1 and P2.

** try to define evidence for a library, then use that to decide whether
to apply this CD or not.

*1) If P1 and P2 do not occur in the same executable, and there is no
    evidence that they both appear in the same library, then this CD
    does not apply, and CD:SF-EXEC should be consulted.

*2) If it can be proven that the trigger code for P1 is different from
    the trigger code for P2, then P1 and P2 must remain SPLIT.

*3) If it can be proven that the trigger code for P1 is the same as the
    trigger code for P2, then P1 and P2 must be MERGED, even if the
    method of exploitation may be different.

*4) If P1 and P2 are not fixed by the same patch or set of patches, then
    they must remain SPLIT.

5) If there is strong evidence that P1 and P2 have the same trigger
   code, and there is strong evidence that P1 and P2 are in the same
   library, then P1 and P2 should be MERGED.

6) If the method of exploitation for P1 is significantly different from
   the exploitation of P2, then P1 and P2 should be SPLIT. For example,
   P1 might appear to be a buffer overflow that is caused by sending a
   long command line argument, whereas P2 might follow symbolic links
   improperly.

7) If the methods of exploitation for P1 and P2 are the same (or
   extremely similar), and the results of the exploitation are the
   same, then P1 and P2 should be MERGED.

8) If there are conflicting recommendations from previous items in this
   CD, then the first item that applies should be used to determine
   whether P1 and P2 should be SPLIT or MERGED.

9) If no item in this CD (besides this one) suggests whether P1 and P2
   should be MERGED or SPLIT, then they should be MERGED.

Examples
--------

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CD:SF-LOC

*********************************************

CAN-1999-0855 and CAN-1999-0857

CAN-1999-0855: Buffer overflow in FreeBSD gdc program via a long -t
argument.

CAN-1999-0857: FreeBSD gdc program allows local users to modify files
via a symlink attack.

SF-LOC.2 and SF-LOC.3 could be answered by looking at the source code,
but let's say it's not available.

SF-LOC.4 does not apply because there are no known patches.

SF-LOC.5 does not apply.

SF-LOC.6 applies. The buffer overflow is exploited differently than the
symlink problem, so SF-LOC.6 suggests SPLIT.

SF-LOC.7 does not apply.

Therefore, these candidates should remain SPLIT by CD:SF-LOC.6.

*********************************************

CAN-1999-0844: Denial of service in MDaemon WorldClient and WebConfig
services via a long URL.

WorldClient and WebConfig problems could appear in the same library, so
we should apply CD:SF-LOC. But since these are separate executables,
though strongly related services, we should apply CD:SF-EXEC as well.

SF-LOC.2 and SF-LOC.3 do not apply, because there is no source code
available.

SF-LOC.4 does not apply.

SF-LOC.5 suggests MERGE.

SF-LOC.6 does not apply.

SF-LOC.7 suggests MERGE.

SF-EXEC.1, SF-EXEC.2, and SF-EXEC.3 do not apply.

SF-EXEC.4 suggests MERGE.

SF-EXEC.5 does not apply.

SF-EXEC.6 suggests MERGE.

SF-EXEC.7 does not apply.

CD:SF-LOC and CD:SF-EXEC both suggest MERGE. This is in direct conflict
with the recommendations by several voters on this candidate, as well
as the Bugtraq database. However, the exploit as coded by USSR is the
same.

*********************************************

CAN-1999-0948: Buffer overflow in uum program for Canna input system
allows local users to gain root privileges.

CAN-1999-0949: Buffer overflow in canuum program for Canna input system
allows local users to gain root privileges.

Should these two candidates be merged?

There could be a library situation here, because both are exploitable
through command line options, and command line parsing is sometimes
handled by library code. So SF-LOC and SF-EXEC should both be applied.

SF-LOC.2 and SF-LOC.3 do not apply.

There do not appear to be any patches, so SF-LOC.4 does not apply.

SF-LOC.5 does not apply because there isn't particularly strong
evidence.

SF-LOC.6 gets hairy. How different is an exploitation of one command
option versus a different one?

Let's say that the exploitation is similar. Then SF-LOC.7 suggests that
these should be MERGED.

SF-LOC.8 doesn't apply.

SF-LOC.9 suggests MERGE, assuming we haven't decided whether we can
apply SF-LOC.6 or SF-LOC.7.

SF-EXEC.2 and SF-EXEC.3 do not apply.

SF-EXEC.4 is hairy, like SF-LOC.6.

SF-EXEC.5, SF-EXEC.6, and SF-EXEC.7 do not apply.

SF-EXEC.9 suggests MERGE as a fallback.

*** This example makes clear that SF-EXEC and SF-LOC could be more
precise about whether there's a "significant difference" in an
exploitation or not.
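The Application items above form a small ordered decision procedure: starred items 1-4 are terminal, item 8 resolves conflicts by taking the first item that fires, and item 9 is the MERGE fallback. The following is an added illustration, not part of the CD proposal or of any CVE tooling; the `Evidence` fields are a hypothetical schema for what an analyst has established about P1 and P2, and the two constructed inputs mirror the gdc and MDaemon walkthroughs in the Examples section.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SPLIT, MERGE, NOT_APPLICABLE = "SPLIT", "MERGE", "N/A (consult CD:SF-EXEC)"

@dataclass
class Evidence:
    """What is known about a pair of problems P1 and P2 (hypothetical schema)."""
    same_executable: bool
    same_library_evidence: bool          # any evidence they share a library
    same_trigger_code: Optional[bool]    # None = source code not available
    same_patch: Optional[bool]           # None = no known patches
    strong_same_trigger: bool = False    # SF-LOC.5 requires *strong* evidence
    strong_same_library: bool = False
    exploitation: str = "unknown"        # "different", "similar" or "unknown"
    same_result: bool = False            # SF-LOC.7 also needs the same result

def sf_loc(e: Evidence) -> Tuple[str, str]:
    """Return (decision, item) for CD:SF-LOC, walking the items in order.
    Item 8 is implemented by returning on the first item that fires."""
    # *1: different executables and no library evidence -> CD does not apply
    if not e.same_executable and not e.same_library_evidence:
        return NOT_APPLICABLE, "SF-LOC.1"
    # *2 / *3: trigger code provably different / provably the same
    if e.same_trigger_code is False:
        return SPLIT, "SF-LOC.2"
    if e.same_trigger_code is True:
        return MERGE, "SF-LOC.3"
    # *4: not fixed by the same patch set
    if e.same_patch is False:
        return SPLIT, "SF-LOC.4"
    # 5: strong evidence of the same trigger code in the same library
    if e.strong_same_trigger and e.strong_same_library:
        return MERGE, "SF-LOC.5"
    # 6: significantly different methods of exploitation
    if e.exploitation == "different":
        return SPLIT, "SF-LOC.6"
    # 7: same or similar exploitation with the same result
    if e.exploitation == "similar" and e.same_result:
        return MERGE, "SF-LOC.7"
    # 9: nothing else decided -> MERGE
    return MERGE, "SF-LOC.9"

# Constructed inputs mirroring the page's worked examples (not official data)
GDC = Evidence(same_executable=True, same_library_evidence=False,
               same_trigger_code=None, same_patch=None, exploitation="different")
MDAEMON = Evidence(same_executable=False, same_library_evidence=True,
                   same_trigger_code=None, same_patch=None,
                   strong_same_trigger=True, strong_same_library=True,
                   exploitation="similar", same_result=True)
```

Because the items are evaluated strictly in order, a proven trigger-code match (SF-LOC.3) still wins over a differing patch set (SF-LOC.4), which is the behaviour the starred items prescribe.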