[Secure-testing-team] [Secure-testing-commits] r14905 - data/CVE

Nico Golde debian-secure-testing+ml at ngolde.de
Mon Jul 5 22:38:42 UTC 2010


Hi,
* Michael Gilbert <michael.s.gilbert at gmail.com> [2010-07-05 22:32]:
> On Mon, 5 Jul 2010 19:37:50 +0200 Nico Golde wrote:
> > * Michael Gilbert <gilbert-guest at alioth.debian.org> [2010-06-25 09:49]:
> > [...] 
> > > @@ -20840,7 +20926,8 @@
> > >  CVE-2009-0375 (Buffer overflow in a DLL file in RealNetworks RealPlayer 10, ...)
> > >  	NOT-FOR-US: RealPlayer
> > >  CVE-2009-0374 (** DISPUTED ** ...)
> > > -	- chromium-browser (unimportant)
> > > +	- chromium-browser <unfixed> (low)
> > > +	- webkit <not-affected> (poc doesn't work)
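Review bot: On the added line `> > > +	- webkit <not-affected> (poc doesn't work)`, the parenthetical does not support a not-affected verdict on its own: a PoC failing to reproduce shows only that this particular trigger did not fire, not that the underlying bug is absent from the WebKit code base. Record what was actually tested (which WebKit-based browsers and versions, and what was observed, such as the link resolving to the hovered target) or state the reason the affected code path does not apply, so a later reader can re-verify the entry; where that reasoning is not available, marking it `<unfixed>` with a note that the status is unconfirmed is the more conservative tracker entry.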
> > 
> > Every serious security researcher/enthusiast should question himself if a note 
> > such as "poc doesn't work" is acceptable. Imho it's not, it's a PoC, nothing 
> > more. If a PoC doesn't work that doesn't mean there is no vulnerability. Such 
> > notes are also not acceptable for the security tracker. If it can't work 
> > because of something else or there is more reasoning behind that, please note 
> > it and be verbose.
> 
> transferring the discussion from irc since i just found the topic
> brought up here as well.
> 
> disclaimer: the case under consideration has been deemed unimportant.

disclaimer: i didn't work on this particular issue, i just read the references 
and advisory.

> in this particular case (as with many chrome CVEs), the only reference
> available is the proof-of-concept.  lacking any other source of
> information, direct testing of the poc is really the only thing that
> can be done.
> 
> also, in this particular case, testing the poc makes it very clear that
> chrome is affected whereas webkit is not.  i tested other webkit-based
> browsers and they take me to yahoo when clicking the malicious link (as
> specified when hovered over), but chrome takes me to a non-yahoo link
> (even though it says yahoo when hovered over).

This contradicts what Giuseppe wrote in his mail stating that the PoC works 
with *no* browser and this is a perfect example of why this description should 
be more verbose.

[...] 
> if there is concrete evidence that this is insufficient, i am willing
> to reconsider, but at this point, i'm not convinced.

I think my other mail in reply to Giuseppe already answers the rest. This mail 
was not meant to enforce a description policy, but I'm sure we can do better.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.