
Re: [SECURITY] [DSA 2695-1] chromium-browser security update



On Sun, Jun 2, 2013 at 9:32 AM, Nick Boyce wrote:
> On Wednesday 29 May 2013 15:23:54 Michael Gilbert wrote:
>
>> or possibly have unspecified other impact via unknown vectors.
>
> I'm just wondering ... is that Google language for "or possibly allow remote
> code execution" ?
>
> The phrase occurs for many of the vulnerabilities listed in the advisory, and
> most browser release notices cure some bugs that may allow remote code
> execution ... but not one of the vulnerabilities listed in this one refers to
> rce.
>
> I'm wondering whether the phrasing of the descriptions of the CVEs listed in
> this advisory is Google's choice .....

That is the intentionally vague language of CVE (e.g.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2837).

They do that because there are an incredibly large number of issues per
year (getting close to 10,000/year now), and it is unfeasible to have
someone accurately study and write up every one of them.

In terms of chromium, your best bet is simply to wait for the bugs to
become unembargoed (e.g.
https://code.google.com/p/chromium/issues/detail?id=235638).

Best wishes,
Mike

