[Toybox] CVEs
enh
enh at google.com
Sun Feb 19 14:33:21 PST 2023
On Sun, Feb 19, 2023, 07:45 Rob Landley <rob at landley.net> wrote:
> On 2/18/23 23:06, enh via Toybox wrote:
> > on your blog, you said:
> > """
> > Wait... really? There's a toybox CVE for httpd? (Yeah I remember
> > fixing that bug, but was it really worth a Charged Vacuum Emboitment?)
> > """
> >
> > given that the original bug on github explicitly had the "found by
> > $FOO of $BAR" boilerplate that you tend to see from security
> > researchers who file these things for a living, i assume they also
> > filed the CVE so they can claim priority if anything ever does come of
> > this bug. (this is one reason why consumers of CVEs have their own
> > people to try to determine the relevance/severity _to them_.)
> >
> > if you ever get a "real" CVE -- one that's "obviously" important --
> > they'll probably mail you directly rather than zero-day you via the
> > github issue tracker :-)
>
> Eh, it's hard to tell what is and isn't relevant when exploits wind up chaining
> together 13 different minor things, but the command was less than a year old,
> static-only, doesn't work as a standalone daemon and I haven't shipped an actual
> inetd yet, and I thought exposing an external port on an android device required
> some sort of blood sacrifice from AT LEAST three different types of animal?
>
> It was more an "is... is somebody already _using_ this?" (It was promoted on
> April 24, the segfault was reported and fixed May 29. They had something like 35
> days to notice...)
>
my default assumption is "no", given the source was a researcher, and given
that the report was public. if it was a user, the default assumption
is "yes", but a researcher probably just has the project in the corpus they
run a static analyzer or fuzzer or test suite against.
this is why there's such a secondary and tertiary industry of "sure, but
does it *matter*?".
> I shouldn't be surprised it's RFC logic, publish the slush pile and let somebody
> else filter out an interesting subset.
i'm not saying anything about this particular researcher, but, yeah, that
seems to be how the business works. (there are folks who're much more
directed, google's one being "project zero", but those kinds of researcher
tend to contact you privately.)
> (So what does Mitre do then? Other than provide another layer of indirection for
> laundering black budgets, which is like half of Arlington's economy and probably
> a good chunk of Alexandria...)
>
just naming consistency, afaict... in the modern world where everything is
made up of other things, libfoo bug 123 might be android bug 456 and ios
bug 789 and windows bug 666 or whatever, so it's (somewhat) handy to (some
people) if there's a CVE 2357 that everyone can refer to and know they're
talking about the same thing.
> Rob
> _______________________________________________
> Toybox mailing list
> Toybox at lists.landley.net
> http://lists.landley.net/listinfo.cgi/toybox-landley.net
>