[VIM] "does not do X" versus "does not properly do X"
Steven M. Christey
coley at mitre.org
Mon Feb 13 01:47:27 EST 2006
As developers have attempted to perform input validation, the number
of errors in input validation is increasing. The incomplete blacklist
problem I wrote about a couple weeks ago was one example.

I think it's useful/important to make distinctions between when
someone *tries* to implement a protection scheme, versus when there
*is no* protection scheme. CVE description style has evolved slightly
because of that.

If a product tries to do X, but fails, then we say it "does not
properly" do X.

If a product does not even TRY to do X, then we say it "does not" do

The vendor says "We must check for MAY_SATTR before setting acls,
which includes checking for read-only exports: the lower-level
setxattr operation that eventually sets the acl cannot check

It doesn't say that they check for "MAY_SATTR" in some weird broken
way; they simply don't do it. And you can confirm this by looking at

Therefore the CVE desc for this would say something like "Product does
not check for MAY_SATTR..."

Now look at this issue:

The issue is related to a count value for the number of pings to send.
The researcher says:

"the scripts only allows you to send 10 or 4 pings... Maximum for
count is: 10"

But then the researcher says: "You can bypass the ping count
restriction by just making the count value negative."

So here, the product TRIES to check the number of pings, but it screws
up a little bit.

So, the CVE desc is "product DOES NOT PROPERLY verify the number of
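The three cases the post distinguishes, as an added example that is not part of the original message and not code from either product mentioned: a ping-count check that is absent ("does not verify"), one that enforces only the maximum so a negative count slips through, which is the bypass the researcher describes ("does not properly verify"), and one that enforces both bounds. The function names, the string-typed parameter, and the maximum of 10 taken from the researcher's quote are assumptions of the example.

```python
# Added illustration of the post's "does not" versus "does not properly"
# distinction. Constructed example; not code from any product mentioned.
# Assumes a web script that receives the ping count as a string parameter
# and a maximum of 10, the limit the researcher quotes.

MAX_COUNT = 10


def no_check(raw: str) -> int:
    """'Does not verify': the parameter is parsed and used as-is."""
    return int(raw)


def improper_check(raw: str) -> int:
    """'Does not properly verify': a check exists, but it enforces only the
    upper bound, so a negative count is accepted and reaches the ping
    command."""
    count = int(raw)
    if count > MAX_COUNT:
        raise ValueError("count exceeds maximum")
    return count


def proper_check(raw: str) -> int:
    """Complete validation: integer syntax first, then both bounds."""
    if not raw.isdigit():            # rejects '-5', '+5', '', '4.0', ' 4'
        raise ValueError("count must be a non-negative integer")
    count = int(raw)
    if not 1 <= count <= MAX_COUNT:
        raise ValueError("count out of range")
    return count


def classify(check) -> str:
    """Pick the CVE-style wording for a check by probing it with an
    over-limit value and a negative value."""
    def accepts(value: str) -> bool:
        try:
            check(value)
            return True
        except ValueError:
            return False

    over, negative = accepts(str(MAX_COUNT + 1)), accepts("-1")
    if over and negative:
        return "does not verify"
    if negative:
        return "does not properly verify"
    return "verifies"


if __name__ == "__main__":
    for check in (no_check, improper_check, proper_check):
        print(f"{check.__name__:15s} -> {classify(check)}")
```

The point of `classify` is that the wording follows from behaviour, not from intent: a check that rejects 11 but accepts -1 is a check that exists and fails, which is exactly the "does not properly" case, while a routine that accepts both is the "does not" case.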