Hacker News new | past | comments | ask | show | jobs | submit login

Can you post the original definition?



Common Vulnerabilities and Exposures


Right but I was hoping for a definition which supports OP's claim that "CVE assignment != security issue".


Then check out these definitions, from 2000, defined by the CVE editorial board:

> The CVE list aspires to describe and name all publicly known facts about computer systems that could allow somebody to violate a reasonable security policy for that system

As well as:

> Discussions on the Editorial Board mailing list and during the CVE Review meetings indicate that there is no definition for a "vulnerability" that is acceptable to the entire community. At least two different definitions of vulnerability have arisen and been discussed. There appears to be a universally accepted, historically grounded, "core" definition which deals primarily with specific flaws that directly allow some compromise of the system (a "universal" definition). A broader definition includes problems that don't directly allow compromise, but could be an important component of a successful attack, and are a violation of some security policies (a "contingent" definition).

> In accordance with the original stated requirements for the CVE, the CVE should remain independent of multiple perspectives. Since the definition of "vulnerability" varies so widely depending on context and policy, the CVE should avoid imposing an overly restrictive perspective on the vulnerability definition itself.

Under this definition, any kernel bug that could lead to user-space software acting differently is a CVE. Similarly, all memory management bugs in the kernel justify a CVE, as they could be used as part of an exploit.


> to violate a reasonable security policy for that system

> with specific flaws that directly allow some compromise of the system

> important component of a successful attack, and are a violation of some security policies

All of these are talking about security issues, not "acting differently".


> important component of a successful attack, and are a violation of some security policies

If the kernel returned random values from gettime, that'd lead to tls certificate validation not being reliable anymore. As result, any bug in gettime is certainly worthy of a CVE.

If the kernel shuffled filenames so they'd be returned backwards, apparmor and selinux profiles would break. As result, that'd be worthy of a CVE.

If the kernel has a memory corruption, use after free, use of uninitialized memory or refcounting issue, that's obviously a violation of security best practices and can be used as component in an exploit chain.

Can you now see how almost every kernel bug can and most certainly will be turned into a security issue at some point?


> All of these are talking about security issues, not "acting differently".

Because no system has been ever taken down by code that behaved different from what it was expected to do? Right? Like http desync attacks, sql escape bypasses, ... . Absolutely no security issue going to be caused by a very minor and by itself very secure difference in behavior.


> that could allow somebody to violate a reasonable security policy for that system

That's "security bug". Please stop saying it's not.


As detailed in my sibling reply, by definition that includes any bug in gettime (as that'd affect tls certificate validation), any bug in a filesystem (as that'd affect loading of selinux/apparmor profiles), any bug in eBPF (as that'd affect network filtering), etc.

Additionally, any security bug in the kernel itself, so any use after free, any refcounting bug, any use of uninitialized memory.

Can you now see why pretty much every kernel bug fulfills that definition?




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: