Request for CVEs for Pidgin

Mark Doliner mark at kingant.net
Tue Jan 14 16:35:15 EST 2014


On Tue, Jan 14, 2014 at 12:53 PM, Tomas Hoger <thoger at redhat.com> wrote:
> Josh and Jan changed their roles inside Red Hat and while they both
> work on security from one side or another, they will no longer be able
> to help with the CVE assignments, or need access to information on
> non-public issues.  I'm keeping them CCed on this reply, but you can
> drop them from the CC on any further replies.

Noted, thanks. Josh is still subscribed to our packagers at pidgin.im
mailing list where we pre-announce security problems and give
distributions time to prepare updated packages. If I understand
correctly, it sounds like he should be removed from this list?

In addition to you and Josh, Huzaifa Sidhpurwala <huzaifas at redhat.com>
is also subscribed.

> I'd like to share this list with a colleague, Kurt Seifried, who
> handles many CVE assignments, to help with deciding on the merge/split
> cases.  You can find him doing a lot of assignments on the oss-security
> list.  Please let me know if it's ok to send him your list.

Sure, that sounds totally reasonable.

> Merging is actually based on CVE content decision guidelines, you can
> find more details in:
>   http://cve.mitre.org/cve/editorial_policies/cd_overview.html

Thanks for the link.

> The reason to
> split may be different versions in which those were introduced.  Not
> sure if that is known, or if all of them affect any still used versions.

For ISSUE-13, ISSUE-14 and ISSUE-15, they do all affect the current
version of Pidgin (2.10.7). It's very likely that they were introduced
at different times, as they're all in different pieces of code and in
different protocol plugins. So it sounds to me like they should each
receive their own CVE identifier.

> I also see there may be some reason to merge 6-8, as they all are NULL
> dereference issues, but I assume those are triggered in completely
> different ways.

Yes, I believe 6-8 are triggered in completely different ways.

Thanks,
Mark

