[Secure-testing-team] Proposal: new tags

Joey Hess joeyh at debian.org
Wed Sep 14 16:30:14 UTC 2005


Florian Weimer wrote:
> REJECTED, RESERVED, NOT-FOR-US replace the corresponding "NOTE:"
> variants.  Parsing the old tags is rather fragile because NOTE: is
> essentially a free-form field, so we often miss spelling errors.  (The
> old tags remain valid, though -- there is no need to replace them at
> this point.)

Good idea on rejected and reserved. Not sure about not-for-us, part of
the reason we put the name of the software in parens is to aid finding
bugs in software if it does end up entering Debian later on. This
information can be hard to get from CAN descriptions otherwise. Also to
record what software name we checked for in Debian, in case it turns out
we didn't look for the right thing or something like that. So I think
it's worthwhile to continue including that information in not-for-us.

> "INVALID" means that the bug report is known to be false.  For
> example:
> 
> CVE-2003-0024
> 	INVALID
> 	NOTE: I have mailed Goran Weinholt <weinholt at debian.org> about this. 
> 	NOTE: Goran Weinholt <weinholt at debian.org> tells me that aterm 0.4.2 was 
> 	NOTE: never vulnerable to the problem described.
> 	NOTE: this CVE is bogus.

Not sure how this is better than just the NOTEs by themselves.

> "NOT-A-BUG" means that the bug report is factually correct, but we do
> not view this as a vulnerability.  Example:
> 
> CAN-2005-2541 (Tar 1.15.1 does not properly warn the user when extracting setuid or ...)
> 	NOT-A-BUG
> 	NOTE: This is intended behaviour, after all tar is an archiving tool and you
> 	NOTE: need to give -p as a command line flag

This is already handled by the "unimportant" severity, which also lets
us cross-reference to the bug report in case we want to revisit it
later.

> "IRREPRODUCIBILE" means that we have made reasonable effort to
> reproduce the bug (mailing list research, rough source code audit, a
> few exploit attempts), but we haven't found any evidence that it's
> actually there (or has been fixed in the past).  For example:
> 
> CAN-2001-1429 (Buffer overflow in mcedit in Midnight Commander 4.5.1 allows local ...)
>         IRREPRODUCIBILE
> 	NOTE: I could track this down to this posting
> 	NOTE: http://cert.uni-stuttgart.de/archive/vuln-dev/2001/11/msg00104.html
> 	NOTE: This looks very obscure and does not contain useful information on how this
> 	NOTE: was triggered and even then it's not a problem, as mcedit usage does not
> 	NOTE: have a remote impact and is not suid

What's the value in having this be machine parseable?

-- 
see shy jo
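A small parser for the list format the two messages are arguing about, added here as an example; it is not the security tracker's own code. The format is inferred from the quoted entries (an id at column 0, an optional parenthesised description, indented lines that are either a bare tag or a free-form "NOTE:"), and the software name in NOT-FOR-US is kept so it can be looked up later, as Joey asks. The constructed entries CAN-2005-0001 to CAN-2005-0003, the package name "frobnicator" and the function names are assumptions. The last entry shows the point about fragility: a misspelled bare tag is caught, a misspelled "NOTE: not-for-su" slides through as an ordinary note.

```python
"""Parser for the per-CVE list format discussed in the thread (added example).

Assumed format, inferred from the quoted entries rather than taken from the
tracker's real parser: an entry starts at column 0 with CVE-YYYY-NNNN or
CAN-YYYY-NNNN, optionally followed by " (description)"; indented lines are
either a bare tag (INVALID, NOT-A-BUG, NOT-FOR-US (software), ...) or a
free-form "NOTE: ..." line.  Old-style "NOTE: not-for-us (software)" lines
are still honoured but reported so they can be migrated.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Tag names as proposed in the thread (IRREPRODUCIBILE spelled as quoted).
KNOWN_TAGS = {"REJECTED", "RESERVED", "NOT-FOR-US", "INVALID",
              "NOT-A-BUG", "IRREPRODUCIBILE"}
# Old "NOTE:" variants that the bare tags replace; matched on the first word.
LEGACY_NOTE_TAGS = {"rejected": "REJECTED", "reserved": "RESERVED",
                    "not-for-us": "NOT-FOR-US"}

ENTRY_RE = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})(?:\s+\((.*)\))?\s*$")
TAG_RE = re.compile(r"^([A-Z][A-Z-]*)(?:\s+\((.*)\))?\s*$")


@dataclass
class Entry:
    ident: str
    description: Optional[str] = None
    tags: dict = field(default_factory=dict)      # tag -> argument (or None)
    notes: list = field(default_factory=list)     # free-form NOTE text
    problems: list = field(default_factory=list)  # lint findings for this entry


def parse(text):
    """Return a list of Entry objects; raise on a malformed header line."""
    entries, cur = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if not raw[0].isspace():
            m = ENTRY_RE.match(raw)
            if not m:
                raise ValueError(f"line {lineno}: not an entry header: {raw!r}")
            cur = Entry(ident=f"{m[1]}-{m[2]}-{m[3]}", description=m[4])
            entries.append(cur)
            continue
        if cur is None:
            raise ValueError(f"line {lineno}: continuation before any entry")
        line = raw.strip()
        if line.startswith("NOTE:"):
            note = line[len("NOTE:"):].strip()
            cur.notes.append(note)
            # Harvest a tag hidden in an old-style NOTE, but flag it: this is
            # exactly the free-form case where a typo would go unnoticed.
            word = note.split(None, 1)[0].lower() if note else ""
            if word in LEGACY_NOTE_TAGS:
                arg = re.search(r"\((.*)\)", note)
                cur.tags[LEGACY_NOTE_TAGS[word]] = arg.group(1) if arg else None
                cur.problems.append(
                    f"line {lineno}: legacy tag in NOTE, use {LEGACY_NOTE_TAGS[word]}")
            continue
        m = TAG_RE.match(line)
        if m and m[1] in KNOWN_TAGS:
            cur.tags[m[1]] = m[2]
        elif m:
            cur.problems.append(f"line {lineno}: unknown tag {m[1]!r}")
        else:
            cur.problems.append(f"line {lineno}: unparseable continuation {line!r}")
    return entries


def not_for_us_software(entries):
    """Map software name -> ids tagged NOT-FOR-US with that name.

    This is the lookup Joey wants when a package later enters Debian."""
    out = {}
    for e in entries:
        name = e.tags.get("NOT-FOR-US")
        if name:
            out.setdefault(name.lower(), []).append(e.ident)
    return out


# Constructed sample: two entries from the thread plus three made-up ones.
SAMPLE = "\n".join([
    "CVE-2003-0024",
    "\tINVALID",
    "\tNOTE: aterm 0.4.2 was never vulnerable to the problem described.",
    "CAN-2005-2541 (Tar 1.15.1 does not properly warn the user when extracting setuid or ...)",
    "\tNOT-A-BUG",
    "\tNOTE: This is intended behaviour, you need to give -p as a command line flag",
    "CAN-2005-0001 (Constructed: new-style tag with software name)",
    "\tNOT-FOR-US (frobnicator)",
    "CAN-2005-0002 (Constructed: old-style NOTE carrying the tag)",
    "\tNOTE: not-for-us (frobnicator)",
    "CAN-2005-0003 (Constructed: misspellings)",
    "\tNOTE: not-for-su (frobnicator)",
    "\tREJEKTED",
])

if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(e.ident, e.tags, e.problems)
    print(not_for_us_software(parse(SAMPLE)))
```

Running it on the sample shows the asymmetry the proposal is about: `REJEKTED` is reported as an unknown tag, while `NOTE: not-for-su (frobnicator)` is accepted as a note and the entry silently loses its NOT-FOR-US status.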