Are Huntr Vim bugs being assigned CVEs?


Mark Esler

Dec 13, 2022, 2:01:39 AM
to vim_dev
Hi all,

There are some bugs on huntr that are labeled as "This vulnerability will not receive a CVE", but then later receive a CVE. (e.g., https://huntr.dev/bounties/a5a998c2-4b07-47a7-91be-dbc1886b3921/ )

Bugs that are not security issues should not receive CVEs. Some of the text on huntr's website makes it feel that they treat all *bug* reports as (security) vulnerabilities.

Is this intentional?

(earlier I did a quick check and ~half of the bugs were receiving CVEs. Huge thanks to Bram for handling all of these and making concise patches that include tests.)

Thank you,
Mark Esler

Mark Esler

Jan 17, 2023, 4:12:14 PM
to vim_dev
Dear Bram,

Could you please let me know if you consider every Vim bug report on Huntr.dev a security issue? Should Huntr.dev be assigning a CVE to every bug report?

Thank you,
Mark Esler

Bram Moolenaar

Jan 21, 2023, 6:42:49 AM
to vim...@googlegroups.com, Mark Esler

Mark Esler wrote:

> Could you please let me know if you consider every Vim bug report on
> Huntr.dev a security issue? Should Huntr.dev be assigning a CVE to every
> bug report?

I cannot say. Most of the reported problems require sourcing a Vim
script. Once the user sources that script, it can do anything, no bug
is required to do something harmful. Theoretically the user could look
at the script to check what it is doing, but in practice we can expect
this doesn't happen. Thus there is always the risk of a trojan horse.

This is different from when the problem could be triggered by editing a
text file that has been manipulated. There have been cases where a
problem is triggered by a modeline in a text file, that is a much more
serious security issue. I don't recall such a problem being reported on
huntr.

--
hundred-and-one symptoms of being an internet addict:
31. You code your homework in HTML and give your instructor the URL.

/// Bram Moolenaar -- Br...@Moolenaar.net -- http://www.Moolenaar.net \\\
/// \\\
\\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
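Bram's distinction above, between a bug that needs the user to source a script and one that fires when a manipulated text file is merely opened, is the one a defender cares about. As an added example that is not part of this thread, the Python scanner below reports which lines of a file Vim would treat as modeline candidates, checking only the first and last 'modelines' lines as Vim does (default 5). The regex and the sample file are my own assumptions, modelled on ':help modeline', not Vim's actual parser.

```python
import re
from typing import List, Tuple

# Vim's default 'modelines' value: only the first and last 5 lines are checked.
DEFAULT_MODELINES = 5

# Assumption: mirrors the markers listed in ':help modeline', including the
# version-qualified forms such as "vim>80:". Must be at line start or after
# whitespace, so words like "devi:" or "tex:" do not match.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(.*)$")

def find_modelines(text: str, modelines: int = DEFAULT_MODELINES) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, form, option text) for each candidate.
    form is 'set' for the "se[t] {options}:" form, 'plain' for the first form
    where the options run to the end of the line."""
    lines = text.splitlines()
    n = len(lines)
    if modelines <= 0 or n == 0:
        return []
    head = range(0, min(modelines, n))
    tail = range(max(n - modelines, 0), n)
    found = []
    for i in sorted(set(head) | set(tail)):
        m = MODELINE_RE.search(lines[i])
        if not m:
            continue
        rest = m.group(1)
        sm = re.match(r"se(?:t)?\s+(.*?):", rest)
        if sm:
            found.append((i + 1, "set", sm.group(1).strip()))
        else:
            found.append((i + 1, "plain", rest.strip()))
    return found

# Constructed 12-line sample: modelines on line 1 and 12 are inside the window,
# the one on line 7 is outside it and is ignored, as Vim would ignore it.
SAMPLE = "\n".join([
    "# vim: set ts=4 sw=4 et:",
    "def main():",
    "    pass",
    "", "", "",
    "# vim: set ts=2:",
    "", "", "", "",
    "# vi:noai:sw=3",
])

if __name__ == "__main__":
    for lineno, form, opts in find_modelines(SAMPLE):
        print(f"line {lineno}: {form} form, options: {opts!r}")
```

Running the same scan over a file you were asked to open, or over 'set nomodeline' in your own vimrc, is the practical takeaway from Bram's remark; the scanner only reports candidates and does not interpret the options.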

Mark Esler

Jan 23, 2023, 3:27:40 PM
to Bram Moolenaar, vim...@googlegroups.com
Hi Bram,

Thanks for your explanation!

Appreciate the patches you write a lot.

Best regards,
Mark Esler