[Secure-testing-team] Comparing NVD and Debian CVE tracking

Michael Gilbert michael.s.gilbert at gmail.com
Fri Jan 28 16:31:38 UTC 2011


On Fri, 28 Jan 2011 01:18:07 +0100, Petter Reinholdtsen wrote:
> The first reported issue informs that
> <URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4530 >
> lists cpe:/a:muscle:pcsc-lite (Debian source package pcsc-lite) as
> affected, but the CVE entry for Debian does not say anything about this
> package.  The latter looks like this:
> 
>   CVE-2010-4530 (Signedness error in ccid_serial.c in libccid in the
>   USB Chip/Smart ...)
> 	- ccid 1.3.11-2 (unimportant; bug #607780)
> 	NOTE: CVE requested, http://seclists.org/oss-sec/2010/q4/356
> 	NOTE: Theoretical attack

That's because the affected code is not present in the Debian pcsc-lite
source package.  It's in the ccid driver source package instead.  I
checked this when I created the original entries for these issues. It
may be that the two separate Debian source packages are part of the same
upstream release? If so, you'll need to update the CPE list to reflect
that.

> I have not evaluated these issues, and would very much like feedback
> on this approach.  I am aware that these issues might be bugs in
> either NVD or in the Debian CVE info, and believe the only way to
> figure it out is to check each one.
> 
> Here is the complete list of such issues for the time period
> 2011-2008.  There are 93 such issues reported at the moment.

This is a good list, and I'll take a look at it in a bit more detail
when I have some free time.  Right now, I see a couple of issues:

1. According to Moritz, flash player should not be tracked (even though
there is a Debian package in non-free).  Personally, I think all
packages in the Debian archives should be tracked, but I defer to his
judgment on this.

2. The description for CVE-2009-3976 seems to implicate labtam proftp,
not proftpd, so the CVE entry is likely wrong if it
references /a:proftpd:proftpd.  Not sure how that is corrected?  A
message to oss-security?

3. Similar for CVE-2008-4395, the linux kernel itself shouldn't be in
the NVD entry since it's an issue in the separate ndiswrapper module.

4. There has been a lot of churn in the mozilla source package name, so
that may explain a lot of those; though I'll have to look at that in
more detail.

5. swftools has been removed, so it shouldn't show up there.

Thanks for compiling this.

Best wishes,
Mike
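An added example, not part of this thread or of the Debian security tracker's own tooling: a small Python script that parses entries in the data/CVE/list format quoted above and reports CVEs where an NVD CPE product maps to a Debian source package that the tracker entry does not mention, which reproduces the pcsc-lite vs. ccid case discussed here. The CPE-to-source mapping, the NVD data and the second tracker entry are constructed for illustration.

```python
import re

# Constructed sample in the style of the tracker's data/CVE/list:
# the CVE-2010-4530 entry quoted in the thread (description condensed to
# one line) plus one made-up entry whose NVD and Debian data agree.
DEBIAN_LIST = """\
CVE-2010-4530 (Signedness error in ccid_serial.c in libccid in the USB Chip/Smart ...)
\t- ccid 1.3.11-2 (unimportant; bug #607780)
\tNOTE: CVE requested, http://seclists.org/oss-sec/2010/q4/356
\tNOTE: Theoretical attack
CVE-2000-0001 (constructed example entry)
\t- examplepkg 1.0-1 (low)
"""

# Constructed mapping from NVD CPE vendor:product to Debian source package.
CPE_TO_SOURCE = {"muscle:pcsc-lite": "pcsc-lite", "example:examplepkg": "examplepkg"}

# Constructed NVD view: CVE -> CPE vendor:product names listed as affected.
NVD_CPES = {
    "CVE-2010-4530": ["muscle:pcsc-lite"],
    "CVE-2000-0001": ["example:examplepkg"],
}

CVE_RE = re.compile(r"^(CVE-\d{4}-\d+)")      # entry header at column 0
PKG_RE = re.compile(r"^\s+-\s+(\S+)\s+")      # "\t- <source> <version> (...)"

def parse_debian_list(text):
    """Return {cve_id: set of Debian source packages} from list-format text."""
    entries, current = {}, None
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            entries.setdefault(current, set())   # keep CVEs with no package lines
            continue
        m = PKG_RE.match(line)
        if m and current:
            entries[current].add(m.group(1))
    return entries

def find_mismatches(debian, nvd, cpe_map):
    """CVEs where an NVD-listed product maps to a source the tracker omits."""
    out = {}
    for cve, cpes in nvd.items():
        tracked = debian.get(cve, set())
        missing = sorted({cpe_map[c] for c in cpes if c in cpe_map} - tracked)
        if missing:
            out[cve] = missing   # candidate for manual review, not a confirmed bug
    return out

if __name__ == "__main__":
    for cve, pkgs in find_mismatches(parse_debian_list(DEBIAN_LIST), NVD_CPES, CPE_TO_SOURCE).items():
        print(cve, "NVD lists", pkgs, "but tracker entry does not")
```

As the thread notes, a hit like CVE-2010-4530 may mean the NVD CPE is wrong rather than the tracker, so the output is a review queue rather than a verdict.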
