From: Eygene Ryabinkin
To: "Steven M. Christey"
Cc: Jille Timmermans, bug-followup@freebsd.org, freebsd-security@freebsd.org, cve@mitre.org, mloveless@mitre.org, coley@mitre.org
Date: Wed, 19 Nov 2008 12:13:03 +0300
Subject: Re: ports/128956: [patch] [vuxml] multiple vulnerabilities in PHP 5.2.6

Steven,

Tue, Nov 18, 2008 at 02:50:59PM -0500, Steven M. Christey wrote:
> > So, the VuXML entry should be changed accordingly. New content is
> > attached.
>
> Just for my own understanding, did the erroneous CVE description cause any
> extra work on your part?

No "extra" work. I had just copied the description from CVE and forgot to change the erroneous "5.6" to something more sane. Jille was kind to point me to this. But it was not clear where in the 5.x line the error was introduced. I had crawled via the PHP CVS and had found that it was there for the whole 5.x line.

> What if the desc had only said "5.2 through 5.2.6" at first?

I think I will ask myself something like "OK, but what about PHP 5.0 and 5.1? Are they vulnerable?" In principle, I _had_ asked myself about it and had traced the code via sources back to at least 4.x, so I had written '<=5.2.6_3' as the vulnerable version specification in the VuXML entry. I just forgot to change the description.

> I'm asking because I'm trying to understand how people use CVE and what
> impact our errors might have on others.

It may vary, of course. Typically, I am trying to validate CVE descriptions via some other sources; the most used are vendor changelogs and original advisories. Source code crawling is good too, but it may be unavailable or a bit uneasy. I think that generally people tend to trust CVE entries, but checking is always good ;))

-- 
Eygene

  Remember that it is hard to read the on-line manual
  while single-stepping the kernel.
    -- FreeBSD Developers handbook