[VIM] ZDI-13-132 and a CVE?

ZDI Disclosures zdi-disclosures at tippingpoint.com
Wed Aug 28 09:56:52 CDT 2013


Hello,

We have pushed both Oracle and Microsoft for CVEs on their 
"security/defense-in-depth" advisories to no avail. We consider the 
matter closed between ZDI and these vendors.

Regards,
The ZDI Team

On 8/18/2013 12:47 AM, security curmudgeon wrote:
>
> : > On Fri, Aug 16, 2013 at 09:37:13AM -0500, ZDI Disclosures wrote:
>
> : > This was released as a "security in depth" bulletin. As such it does
> : > not have a CVE assigned.
> : >
> : > This is also true of ZDI--13-193 for Microsoft (although they call
> : > it "defense in depth").
>
> On Sat, 17 Aug 2013, Henri Salo wrote:
>
> : The specific flaw exists within the java.security.KeyStore class. The issue lies
> : in the execution of a user-supplied callback in a privileged context. An
> : attacker can leverage this vulnerability to execute code under the context of
> : the current process.
>
> : This definitely sounds like it needs a CVE or multiple CVEs. In my
> : opinion security in depth does not mean it's not a fix for a
> : vulnerability. Other opinions/comments?
>
> Agreed.
>
> ZDI has a solid history of releasing quality material, and no wildly
> inaccurate vuln reports. If ZDI releases an advisory that implies code
> execution, and Oracle dismisses it with "defense in depth", then I fully
> believe Oracle either doesn't understand the issue, or is intentionally
> downplaying it. Oracle has an occasional history of not handling
> researcher disclosures the best, and has a solid history of not
> understanding vulnerability impacts, as evidenced by their frequently
> inaccurate CVSS scoring.
>
> ZDI, please consider pressing Oracle on this matter. Even if you don't, I
> believe that this, and any other issue like this (as I think there were
> others where a CVE wasn't issued) deserve a CVE ID.
>
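The quoted advisory text describes a recurring Java secure-coding defect: a library runs a caller-supplied callback inside a privileged block, so the callback executes with the library's permissions instead of the caller's. The following is an added illustration of that pattern and its fix; it is not Oracle's KeyStore code and not part of the thread. The class names (`PrivilegedCallbackDemo`, `LoadStoreVulnerable`, `LoadStoreHardened`) and the `readConfig` stand-in for a sensitive operation are invented for the demo. The distinction only has an effect under Java's legacy SecurityManager model (deprecated since Java 17); without a security manager installed both calls behave the same, but the structural difference is the point.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Properties;
import java.util.function.Consumer;

// Hypothetical library class (not Oracle's code) showing why a caller-supplied
// callback must never be invoked inside a doPrivileged block.
public class PrivilegedCallbackDemo {

    /** Vulnerable pattern: the caller's callback runs INSIDE doPrivileged, so
     *  permission checks triggered by the callback stop at the privileged frame
     *  and are answered with this library's permissions, not the caller's. */
    static final class LoadStoreVulnerable {
        static void load(Consumer<Properties> callback) {
            AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
                Properties p = readConfig();   // the privileged step the library needs
                callback.accept(p);            // DEFECT: untrusted code in privileged context
                return null;
            });
        }
    }

    /** Hardened pattern: the privileged block covers only the library's own
     *  operation; the callback is invoked afterwards, on the caller's ordinary
     *  stack, so it is checked against the caller's own permissions. */
    static final class LoadStoreHardened {
        static void load(Consumer<Properties> callback) {
            Properties p = AccessController.doPrivileged(
                (PrivilegedAction<Properties>) PrivilegedCallbackDemo::readConfig);
            callback.accept(p);                // outside the privileged block
        }
    }

    // Stands in for a sensitive operation the library is entitled to perform
    // (e.g. reading a protected key-store file); constructed data for the demo.
    static Properties readConfig() {
        Properties p = new Properties();
        p.setProperty("store.type", "demo");
        return p;
    }

    public static void main(String[] args) {
        // A callback that performs a permission-checked action of its own.
        // Under a restrictive policy it would succeed inside the vulnerable
        // block (library's permissions) and be denied in the hardened one.
        Consumer<Properties> cb = p -> System.out.println(
            "callback saw " + p + ", user.home=" + System.getProperty("user.home"));

        LoadStoreVulnerable.load(cb);
        LoadStoreHardened.load(cb);
    }
}
```

Reviewing code for this defect means looking at every `doPrivileged` (and `doPrivilegedWithCombiner`) block and confirming that nothing reachable inside it dispatches to an object the caller handed in: interfaces, listeners, comparators, `Runnable`s, or overridable methods of a caller-subclassed object. The fix is always the same shape as `LoadStoreHardened`: compute the privileged result first, leave the block, then call out.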
