Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)

To: cve-editorial-board-list@lists.mitre.org
Subject: Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Tue, 13 Jun 2000 12:26:20 -0400 (EDT)
Delivery-Date: Tue Jun 13 12:26:34 2000
Sender: owner-cve-editorial-board-list@lists.mitre.org

Some corrected URLs for the candidates:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0317
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0818

As an addendum, patches that are described in *source code* are much
more concrete and often give enough details for one to distinguish
between two problems, so I believe they can play a factor in this.  If
you see a patch that cleanses user input before feeding it to a
system() call, and changing a strcpy() to a strncpy() at some
different point in the code, then I'd say that's pretty good evidence
that they were patching a buffer overflow problem and a shell
metacharacter problem, which according to CD:SF-LOC should thus be
separated.

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0001 for an
example in which a sparsely worded advisory is distinguished from
other candidates by looking at the patches.  Yes, the very first
candidate ever assigned has been held up by content decisions and lack
of information! ;-)

- Steve

Prev by Date: Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
Next by Date: Re: [CD] CD Proposal: VOTE (Voting Requirements)
Prev by thread: Re: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
Next by thread: RE: [CD] CD Proposal: SF-LOC (Software flaws in different lines of code)
Index(es):
- Date
- Thread