Re: Level of Abstraction Issue: Similar Applications, "Same"Vulnerability

To: adam@netect.com
Subject: Re: Level of Abstraction Issue: Similar Applications, "Same"Vulnerability
From: Gene Spafford <spaf@cs.purdue.edu>
Date: Wed, 30 Jun 1999 09:40:05 -0500
Cc: cve-review@linus.mitre.org
In-Reply-To: <19990629174613.E6663@pueblo.netect.com>
References: <199906282043.QAA10979@basie.mitre.org><19990629134705.Q19781@underground.org><v0420552cb39ee11cd97a@[128.10.104.66]><19990629174613.E6663@pueblo.netect.com>
Reply-To: spaf@cs.purdue.edu

At 5:46 PM -0400 6/29/99, Adam Shostack wrote:
>
>I suggest that the proper distinction is made when either we know or have
>solid reason to believe the code is different, and when the bug is not
>widespread across a large number of platforms.
>
>Thus, Spaf's question has an answer or one, and mine has an answer of
>three.

Actually, my answer would be three, too.

>
>| Suppose I send a carefully crafted set of packets to your Linux box.
>| Version 93.7 crashes, and version 93.8 lets me on as root.  The only
>| difference between the two is that some code in the disk driver was
>| changed.   Is this two CVE entries or one?
>
>Two.

And here I would answer 1.    :-)


--spaf

References:
- Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
  - From: "Steven M. Christey" <coley@linus.mitre.org>
- Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
  - From: Aleph One <aleph1@underground.org>
- Re: Level of Abstraction Issue: Similar Applications, "Same"Vulnerability
  - From: Gene Spafford <spaf@cs.purdue.edu>
- Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
  - From: Adam Shostack <adam@netect.com>

Prev by Date: RE: CVE Review meeting at MITRE, this August 11-12?
Next by Date: RE: Cluster 02: VEN-AIX
Prev by thread: Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
Next by thread: Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
Index(es):
- Date
- Thread