[VIM] "does not do X" versus "does not properly do X"

Steven M. Christey coley at mitre.org
Mon Feb 13 01:47:27 EST 2006


All,

As developers have attempted to perform input validation, the number
of errors in input validation is increasing.  The incomplete blacklist
problem I wrote about a couple weeks ago was one example.

I think it's useful/important to make distinctions between when
someone *tries* to implement a protection scheme, versus when there
*is no* protection scheme.  CVE description style has evolved slightly
because of that.

If a product tries to do X, but fails, then we say it "does not
properly" do X.

If a product does not even TRY to do X, then we say it "does not" do
X.

Example:

  http://lkml.org/lkml/2005/12/23/171

The vendor says "We must check for MAY_SATTR before setting acls,
which includes checking for read-only exports: the lower-level
setxattr operation that eventually sets the acl cannot check
export-level restrictions."

It doesn't say that they check for "MAY_SATTR" in some weird broken
way; they simply don't do it.  And you can confirm this by looking at
their patch.

Therefore the CVE desc for this would say something like "Product does
not check for MAY_SATTR..."

===

Now look at this issue:

  http://www.kapda.ir/advisory-231.html

The issue is related to a count value for the number of pings to send.

The researcher says:

  "the scripts only allows you to send 10 or 4 pings... Maximum for
  count is: 10"

But then the researcher says: "You can bypass the ping count
restriction by just making the count value negative."


So here, the product TRIES to check the number of pings, but it screws
up a little bit.

So, the CVE desc is "product DOES NOT PROPERLY verify the number of
pings..."



- Steve

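The ping-count case above, as an added illustration that is not part of the list post or the advisory: three validators for a count parameter, one with no check ("does not verify"), one with only an upper bound ("does not properly verify", bypassed by a negative value), and one with a proper range check. The function names, the inputs and the limit of 10 are assumptions; the script in the advisory is not reproduced here.

```python
"""Three shapes of a ping-count limit, matching the two CVE phrasings.

Added illustration; not code from the advisory or the list post.  MAX_COUNT
and the function names are assumptions (the advisory quotes "Maximum for
count is: 10").
"""

MAX_COUNT = 10  # assumed limit


def count_no_check(raw: str) -> int:
    """'does not verify': the value is used exactly as supplied."""
    return int(raw)


def count_upper_bound_only(raw: str) -> int:
    """'does not properly verify': an upper bound exists, but there is no
    lower bound, so a negative count passes the check."""
    count = int(raw)
    if count > MAX_COUNT:
        raise ValueError(f"count {count} exceeds maximum {MAX_COUNT}")
    return count


def count_range_checked(raw: str) -> int:
    """Proper check: parse strictly, then require 1 <= count <= MAX_COUNT."""
    if not raw.isdigit():  # rejects "-5", "+5", "", " 5" and non-numerics
        raise ValueError(f"count must be a positive integer, got {raw!r}")
    count = int(raw)
    if not 1 <= count <= MAX_COUNT:
        raise ValueError(f"count {count} outside 1..{MAX_COUNT}")
    return count


def build_ping_argv(host: str, raw_count: str, validate=count_range_checked) -> list:
    """argv a wrapper would hand to ping; a list, not a shell string, so the
    host is never interpreted by a shell."""
    return ["ping", "-c", str(validate(raw_count)), host]


def classify(raw: str) -> dict:
    """Report which validator accepts a given input (constructed comparison)."""
    result = {}
    for name, fn in (("none", count_no_check),
                     ("upper_only", count_upper_bound_only),
                     ("range", count_range_checked)):
        try:
            fn(raw)
            result[name] = "accepted"
        except ValueError:
            result[name] = "rejected"
    return result


if __name__ == "__main__":
    for raw in ("4", "10", "11", "-5", "abc"):
        print(f"{raw:>4}: {classify(raw)}")
```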
