
Re: [Secure-testing-commits] r16980 - data/CVE



Ok thanks, makes sense. I don't see anything in the introduction file about flagging things <undetermined>; when exactly should that be used? Does that apply to all Safari issues (there are 10-20 Safari issues still TODO: check)?

-Johnathan

2011/7/25 Moritz Mühlenhoff <jmm@inutil.org>
On Mon, Jul 25, 2011 at 05:05:20AM +0000, Johnathan Ritzi wrote:
> Author: jrdioko-guest
> Date: 2011-07-25 05:05:20 +0000 (Mon, 25 Jul 2011)
> New Revision: 16980
>
> Modified:
>    data/CVE/list
> Log:
> First stab at processing issues (NFUs), please check my work!

Looks good, but two issues need to be corrected (it's a very
complicated issue, though):

>  CVE-2011-0219 (Apple Safari before 5.0.6 allows remote attackers to bypass the Same ...)
> -     TODO: check
> +     NOT-FOR-US: Apple Safari
>  CVE-2011-0218 (WebKit, as used in Apple Safari before 5.0.6, allows remote attackers ...)
>       TODO: check
>  CVE-2011-0217 (Apple Safari before 5.0.6 provides AutoFill information to scripts ...)
> -     TODO: check
> +     NOT-FOR-US: Apple Safari
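
Review bot: The NOT-FOR-US: Apple Safari markings on CVE-2011-0219 and CVE-2011-0217 close both entries on the product name alone, while the neighbouring CVE-2011-0218 from the same "Safari before 5.0.6" batch is described as a WebKit flaw and stays at TODO: check. The truncated descriptions shown here do not establish that the bypass in CVE-2011-0219 or the AutoFill exposure in CVE-2011-0217 lives only in Safari-specific code, so I would leave both at TODO: check, or record the open question in the entry, until someone has confirmed that the shared WebKit code is not involved.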

Safari uses the WebKit engine, which also has some shared codebase
with Chromium. As such, we treat all issues reported for Safari as
potentially affecting WebKit and Chromium by marking them as
<undetermined>. The Chromium and WebKit maintainers (who're also
on this list) check their status later on.

Cheers,
       Moritz

