[Secure-testing-team] Proposal: new tags
Florian Weimer
fw at deneb.enyo.de
Fri Sep 16 18:44:17 UTC 2005
* Moritz Muehlenhoff:

> I don't think this is needed. We can turn cases like these into
> REJECTED entries through our Mitre contact. Florian, did you find
> many cases like this?

See my message to Joey. I mainly want to do this to have a clean
resolution for each CVE entry (explicit package list, or a reason why
there isn't one).

> Besides, I think the main issue in this specific case is that it's not a
> vulnerability. So simply add it to not-affected as well and consider it an
> issue only for distributions that ship mcedit suid (i.e. none).

I think such bugs, if reproducible, are still security issues. Maybe
nobody uses mcedit as a pager or from mutt, but users have a
reasonable expectation that opening a file in an ordinary text editor
does not automatically execute code contained in that file.