[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)

To: Solar Designer <solar@xxxxxxxxxxxx>
Subject: Re: [Full-disclosure] CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
From: VSR Advisories <advisories@xxxxxxxxxxxxx>
Date: Tue, 27 Mar 2012 12:18:33 -0700

Hi Alexander,

As a researcher, I find the distros list a useful resource to enable quick and
simultaneous notification of many open source OS distributions.


> When it became apparent that this was to be violated since one or two of 
> the affected upstreams wanted much more time, the reporter (Timothy D. 
> Morgan of VSR Security) explained that at the time of his initial 
> notification he had thought that 14 days would in fact be enough.  While 
> this sounds like a rather fundamental problem with a maximum embargo time 
> policy (it is always possible that something new is discovered during 
> discussion, which may invalidate the initial time estimate of the 
> reporter), I've just added the following verbiage to hopefully reduce the 
> number of such occurrences going forward:
> 
> "If you have not yet notified upstream projects/developers of the affected 
> software, other affected distro vendors, and/or affected Open Source 
> projects, you may want to do so before notifying one of these mailing
> lists in order to ensure that these other parties are OK with the maximum
> embargo period that would apply (and if not, then you may have to delay
> your notification to the mailing list), unless you're confident you'd
> choose to ignore their preference anyway and disclose the issue publicly
> soon as per the policy stated here."

I think this is a good idea.  I likely misunderstood the process you want
researchers to follow when it comes to using the distros list.  While I think
the time to release for this issue was excessive, I should have nailed down a
release date with the upstreams prior to notifying the distros list.


I'll reserve some additional comments for the oss-security list exclusively.

Thanks,
tim

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
  - From: VSR Advisories
- Re: [Full-disclosure] CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
  - From: Solar Designer

Prev by Date: [Full-disclosure] [ MDVSA-2012:041 ] expat
Next by Date: [Full-disclosure] SEC Consult SA-20120328-1 :: Microsoft ASP.NET Forms Authentication Bypass - follow-up advisory - CVE-2011-3416
Previous by thread: Re: [Full-disclosure] CVE-2012-0037: libraptor - XXE in RDF/XML File Interpretation (Multiple office products affected)
Next by thread: [Full-disclosure] [SECURITY] [DSA 2440-1] libtasn1-3 security update
Index(es):
- Date
- Thread