Re: Qualcom (and other) Android CVE IDs

To: <pmeunier@cerias.purdue.edu>, Kurt Seifried <kseifrie@redhat.com>
Subject: Re: Qualcom (and other) Android CVE IDs
From: Art Manion <amanion@cert.org>
Date: Wed, 14 Jun 2017 16:40:58 -0400
Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;
Cc: Kurt Seifried <kseifried@redhat.com>, Beverly Finch <beverlyfinch@lenovo.com>, "cve-editorial-board-list@lists.mitre.org" <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-date: Wed Jun 14 19:36:17 2017
Dkim-filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu v5EKf3w7017021
In-reply-to: <1497470931.20438.62.camel@cerias.purdue.edu>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <727d6fc8-3f49-ff1d-ff47-8540ee508062@cert.org> <533c17ad-da8e-6c2f-53fd-8415ecf6b736@redhat.com> <63507D25FF3F774F9AA912018147F1DB0108606DB9@USMAILMBX01> <CANO=Ty1aH3xXKL2d+Q1wY_D9Gz=oCmf84jGPRCXUAavWp453Lg@mail.gmail.com> <1497466508.20438.47.camel@cerias.purdue.edu> <91CED5B7-84BF-492F-B555-E00789354423@redhat.com> <1497470931.20438.62.camel@cerias.purdue.edu>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.1.1

On 2017-06-14 16:08, Pascal Meunier wrote:

> Identification is our mission;  source code commits are awesome for 
> that
> and in that case I'd suggest saying "but in (a) different (part of 
> the)
> code than CVE-... (commit links forthcoming)".  That would be
> exceptionally good. 

Or name a function even, if that's an appropriate level of abstraction 
at which to differentiate.

> I believe impact isn't necessary for identification, although it can
> help.  Sometimes the impact can be up to someone with enough 
> imagination
> to get something else to happen.  So if we rely on impact as the only
> thing differentiating a CVE from another, or a crucial (required)
> identification factor, then the CVE entries could be on shifting
> grounds.

Agree.  Identification (and sufficient de-duplication) is the main 
goal, technical impact is (strongly?) preferred but optional.

 - Art

Follow-Ups:
- Re: Qualcom (and other) Android CVE IDs
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: Qualcom (and other) Android CVE IDs
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>

References:
- Qualcom (and other) Android CVE IDs
  - From: Art Manion <amanion@cert.org>
- Re: Qualcom (and other) Android CVE IDs
  - From: "kseifried@redhat.com" <kseifried@redhat.com>
- RE: Qualcom (and other) Android CVE IDs
  - From: Beverly Finch <beverlyfinch@lenovo.com>
- Re: Qualcom (and other) Android CVE IDs
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: Qualcom (and other) Android CVE IDs
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: Qualcom (and other) Android CVE IDs
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>

Prev by Date: Re: Qualcom (and other) Android CVE IDs
Next by Date: Re: Qualcom (and other) Android CVE IDs
Previous by thread: Re: Qualcom (and other) Android CVE IDs
Next by thread: Re: Qualcom (and other) Android CVE IDs
Index(es):
- Date
- Thread