Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <6609652.OIiHvm4qLd@wanheda>
Date: Tue, 29 Aug 2017 14:46:22 +0200
From: Agostino Sarubbo <ago@...too.org>
To: oss-security <oss-security@...ts.openwall.com>
Subject: A bunch of duplicate CVEs requested for?? bho..

Hi all.

In the last time there are some people that run afl for fuzzing...that's just 
fine and great. Some people miss to communicate their findings to upstream and 
request a CVE from mitre.
However I'm noticing that every day there are new duplicates, let me post some 
examples:

1) posted by owl337 on the redhat bugzilla, found by me months ago:

https://nvd.nist.gov/vuln/detail/CVE-2017-13753 duplicate of:
https://nvd.nist.gov/vuln/detail/CVE-2016-9396



The other recent examples here: http://i.imgur.com/q8g9SQi.png

2) Other duplicates are filed from qflb.wu which posts on full-disclosure.
http://seclists.org/fulldisclosure/2017/Jul/author.html
See about lame/mpg123/libmad
Some CVEs about lame was issued, also there are an high number of 
vulnerabilities never confirmed by upstream nor posted on their bug tracking 
system. Yes, sometimes I receive emails that say that the bug is not 
reproducible but I'm always trying to help to reproduce. Instead some report 
says: "If you want the poc please contact me at $email"

How to avoid to file duplicate? for the example number 1 just checking here:
https://marc.info/?l=oss-security&w=2&r=1&s=JPC_NOMINALGAIN&q=b
https://nvd.nist.gov/vuln/search/results?
adv_search=false&form_type=basic&results_type=overview&search_type=all&query=JPC_NOMINALGAIN


Another strange thing, time ago I discovered an FPE in lame, which happens 
only in the command-line tool:
https://blogs.gentoo.org/ago/2017/06/17/lame-divide-by-zero-in-parse_wave_header-get_audio-c/

After digging I discovered it was already reported by Brian Carpenter here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777159 which says:

"fortunately, this is all in the frontend code in
frontend/get_audio.c:parse_wave_header() and not in the library"

At the time I filed the CVE request I failed too see that it is not suitable 
for a CVE, follow what mitre said about:
"There is no CVE ID for this. Even if a web site runs the lame
command-line tool, a divide-by-zero error does not have any
availability impact for the web service, because the crash would occur
in an independent process."

Great..fine..that was my bad, but months later we have:
https://nvd.nist.gov/vuln/detail/CVE-2017-11720
"There is a division-by-zero vulnerability in LAME 3.99.5, caused by a 
malformed input file."
which points to:
https://sourceforge.net/p/lame/bugs/460/
Fortunately the author shared the poc and the password.

I'm providing (http://i.imgur.com/GDWnHRM.png) a screenshot md5sum-included to 
demonstrate that the issues are identically.


Does someone know:
1) How to avoid that CVE duplicates are issued?
2) Why the same issue was considered not-suitable and months later suitable 
for a CVE?

-- 
Agostino Sarubbo
Gentoo Linux Developer

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.