About CVE

Terminology
Documents
FAQs
CVE List

About CVE Identifiers
Obtain a CVE Identifier
Search CVE
Search NVD
CVE In Use

CVE Adoption
CVE-Compatible Products
NVD for CVE Fix Information
More . . .
News & Events

Calendar
Free Newsletter
Community

CVE Editorial Board
Sponsor
Contact Us

Search the Site

CVE Community

Editorial Board
Mail List & Meetings Archive
Roles, Tasks, & Qualifications
Adding New Members
Sponsor

CVE In Use

CVE Compatible Products and Services
More . . .

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)

To: cve-editorial-board-list@lists.mitre.org
Subject: Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Tue, 13 Jun 2000 12:16:18 -0400 (EDT)
Delivery-Date: Tue Jun 13 12:16:31 2000
Sender: owner-cve-editorial-board-list@lists.mitre.org

Bill Fithen said:

>> *4) If P1 and P2 are not fixed by the same patch or set of patches,
>>     then they must remain SPLIT.
>

>I think this rule is inappropriate for CVE's purposes...  Vendors
>package software according to the rules of their business, not
>according to the technical content of the software...
>most of the ones following this one are focused on the nature of the
>vulnerability and the related software engineering practice that
>produced it. This rule is not.

I agree that this rule is less precise and reliable than the previous
ones.  However, while attempting to apply SF-LOC and SF-EXEC over the
past year while devloping CVE, there are *many* cases in which nobody
but the software vendor can really answer the question of whether or
not something is the same bug.  This problem is exacerbated by the
fact a lot of the software doesn't come with source code that one
could analyze, and the lack of detail is a significant bottleneck for
us when creating and reviewing candidates.  Thus some of these other
rules are trying to deal with that lack of information.

Casper Dik and David LeBlanc have effectively reinforced the
importance of the vendor in really understanding a problem.  See the
voting records on CAN-2000-0317 and CAN-1999-0818, for example:

  http://cve.mitre.org/cgi-bin/cvename.cgi?CAN-2000-0317
  http://cve.mitre.org/cgi-bin/cvename.cgi?CAN-1999-0818

For example, CAN-1999-0818 is reported as a problem in kcms_configure
in the original source as well as the Security Focus and X-Force
vulnerability databases, but Casper indicated that it's really a
library problem.  (This is not to be critical of those databases of
course, and the descriptions as written get the point across, but they
do omit a detail that could be useful in the "deep analysis" that's
required to *really* understand the nature of the problem.)

We can't get this level of participation (and honesty?) from every
vendor.  Since I started recording vendor acknowledgement in CMEX,
almost HALF of the active candidates don't even have any concrete
acknowledgement from the vendor.  And as we all know, some vendors
publish extremely sparse advisories with no details at all.

So some of these rules, while moving away from looking at the bug
itself, are designed to find "supporting evidence" that will help us
to make a reasonably explainable (and repeatable) decision in the
absence of good facts.  That said, the fact that patches are
implemented differently might require at least a reordering of the
"evidence" rules.

- Steve

Follow-Ups:
- Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
  - From: aleph1@securityfocus.com

Prev by Date: RE: [CD] CD Proposal: VOTE (Voting Requirements)
Next by Date: Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
Prev by thread: Argh! Re: [CD] CD Proposal: SF-EXEC (Software flaws in multiple executables)
Next by thread: Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
Index(es):
- Date
- Thread

Page Last Updated: May 22, 2007