[Secure-testing-team] [Secure-testing-commits] r14905 - data/CVE

Michael Gilbert michael.s.gilbert at gmail.com
Mon Jul 5 20:31:25 UTC 2010


On Mon, 5 Jul 2010 19:37:50 +0200 Nico Golde wrote:

> Hi,
> * Michael Gilbert <gilbert-guest at alioth.debian.org> [2010-06-25 09:49]:
> [...] 
> > @@ -20840,7 +20926,8 @@
> >  CVE-2009-0375 (Buffer overflow in a DLL file in RealNetworks RealPlayer 10, ...)
> >  	NOT-FOR-US: RealPlayer
> >  CVE-2009-0374 (** DISPUTED ** ...)
> > -	- chromium-browser (unimportant)
> > +	- chromium-browser <unfixed> (low)
> > +	- webkit <not-affected> (poc doesn't work)
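Review bot: the `<not-affected>` entry for webkit gives no reasoning beyond "poc doesn't work", and a proof of concept failing to trigger does not by itself show the code is unaffected; the note should record the observable basis for the call (which WebKit-based browsers were tested and what the link did there versus in Chrome) so a later reader can judge it. The same hunk also moves chromium-browser from `(unimportant)` to `<unfixed> (low)` with no stated justification; a short note on why the severity changed would help.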
> 
> Every serious security researcher/enthusiast should question himself if a note 
> such as "poc doesn't work" is acceptable. Imho it's not, it's a PoC, nothing 
> more. If a PoC doesn't work that doesn't mean there is no vulnerability. Such 
> notes are also not acceptable for the security tracker. If it can't work 
> because of something else or there is more reasoning behind that, please note 
> it and be verbose.

transferring the discussion from irc since i just found the topic
brought up here as well.

disclaimer: the case under consideration has been deemed unimportant.

in this particular case (as with many chrome CVEs), the only reference
available is the proof-of-concept.  lacking any other source of
information, direct testing of the poc is really the only thing that
can be done.

also, in this particular case, testing the poc makes it very clear that
chrome is affected whereas webkit is not.  i tested other webkit-based
browsers and they take me to yahoo when clicking the malicious link (as
specified when hovered over), but chrome takes me to a non-yahoo link
(even though it says yahoo when hovered over).  this, i believe, is a
sufficiently quantifiable difference to state that chrome is affected
while webkit itself isn't.

the results from my poc testing have been pretty clear for all of the cases
i've run into so far involving webkit and chrome, so i'm not convinced
that any change is needed.  if a chrome poc fails when tested against
webkit, i plan to continue to declare webkit not-affected because of
that.

if there is concrete evidence that this is insufficient, i am willing
to reconsider, but at this point, i'm not convinced.

best wishes,
mike


