[Secure-testing-team] [Secure-testing-commits] r12530 - data/CVE
Nico Golde
debian-secure-testing+ml at ngolde.de
Mon Aug 10 15:56:16 UTC 2009
Hi,
* Michael S. Gilbert <michael.s.gilbert at gmail.com> [2009-08-10 06:33]:
> On Sun, 9 Aug 2009 13:55:11 +0000 Nico Golde wrote:
[...]
> > CVE-2009-XXXX [xscreensaver: local screen lock bypassable via low resolution video devices]
> > - - xscreensaver <unfixed> (high; bug #539699)
> > + - xscreensaver <unfixed> (low; bug #539699)
> > CVE-2009-XXXX [php5: remote information disclosure]
> > - php5 <unfixed> (medium; bug #540605)
> > TODO: determine affected versions
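Review bot: the xscreensaver line is downgraded from high to low with no rationale recorded next to it; the package stays <unfixed> and the identifier is still a placeholder (CVE-2009-XXXX), so the only justification lives in this thread. Consider recording the reasoning in the data file itself (e.g. a NOTE: line stating that physical access and an unusual video resolution are required) so the severity judgement is traceable later. The php5 entry below it is unchanged context and still carries its "TODO: determine affected versions" marker.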
>
> I must respectfully disagree. From a software point of view, yes, this
> is a problem with a specific corner case for some random special screen
> resolution.
>
> However, from an attacker's perspective, this kind of weakness is a
> goldmine. Simply gain physical access to your target (which, yes, may be
> the hard part), plug in your misbehaving video device, and you're in.
> It's just way too easy.
I can't think of a video device that automagically lowers
your display resolution just by plugging it in. Besides that,
if an attacker has physical access to the host you are
almost always screwed anyway.
> Also, from the 'severity levels' section of the narrative_introduction:
>
> high: a typical, exploitable security problem, which you'll really
> like to fix...
>
> This is very exploitable, and hence should be fixed quickly.
Having a high exploitability score (speaking in NVD terms)
doesn't mean the impact is high. In this case it affects
almost no users, and that's not what I'd consider high. Our
notation here is a bit limited, but to me high implies easy
to exploit, affects a wide range of users and from a victim's
perspective the impact is very high; or only the latter, and
the exploitability doesn't matter (if it's even possible to
write that down in a few sentences; even the CVSS scores are
flawed).
> I'd also like to think of it from a regular user's perspective.
> I.e. if this were to be prominently discussed in an article or
> magazine, how much of a reaction would there be? How much would it
> concern the readers that there is a known problem like this with their
> system that they can do nothing to prevent?
Sorry, I have no idea what else I can say apart from that
this doesn't affect most of our users.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.