By Jake Edge
September 13, 2023
The “Common Vulnerabilities and Exposures” (CVE) system was launched late in the previous century (September 1999) to track vulnerabilities in software. Over the years since, it has had a somewhat checkered reputation, along with some attempts to replace it, but CVE numbers are still the only effective way to track vulnerabilities. While that can certainly be useful, the CVE-assignment (and severity scoring) process is not without its problems. The prominence of CVE numbers, and the consequent increase in “reputation” for a reporter, have combined to create a system that can be—and is—actively gamed. Meanwhile, the organizations that oversee the system are ultimately not doing a particularly stellar job.
A recent incident highlights some of the problems inherent in the system. CVE-2020-19909, which is an integer-overflow bug in the curl tool and library for URL-based data transfers, was only reported to the project in 2023. In a blog post describing the mess, curl maintainer Daniel Stenberg said that a message to the curl-library mailing list on August 25 alerted the project that the CVE had become public the week before.
The year in the CVE number (2020 in this case) is meant to indicate when the bug was reported to one of the more than 300 CVE numbering authorities (CNAs) that hand out CVE numbers. Under normal circumstances, a new bug showing up with a CVE number would have 2023 in it, but sometimes CVEs are given out for older bugs that somehow slipped through the cracks. That appears to be what happened in this case, as Stenberg was able to track the problem back to a bug report from Jason Lee in mid-2019.
The report was for a legitimate bug, where the --retry-delay option value was being multiplied by 1000 (to milliseconds) without an overflow check. But what it was not was a security bug, Stenberg said; giving insanely large values for the option might result in incorrect delays—far shorter than requested—but it is not a security problem to make multiple requests in a short time span. If it were, “then a browser makes a DOS [denial of service] every time you visit a website — and curl does it when you give it two URLs on the same command line”, he said in a followup post.
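The bug class is easy to see in a few lines of C. What follows is an added illustration written for this article, not curl's own option parser: a hypothetical parser for a "--retry-delay <seconds>" style option that converts seconds to milliseconds, first the way the 2019 report describes (multiplying by 1000 with no range check) and then with the check that keeps the result inside a long. The function and option names are assumptions chosen for the example.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* The unchecked conversion the article describes: seconds * 1000 with no
 * range check. Signed overflow is undefined behaviour in C, so this goes
 * through unsigned arithmetic to show the wraparound deterministically
 * (on two's-complement targets the result comes out negative). */
long naive_retry_delay_ms(long secs)
{
    return (long)((unsigned long)secs * 1000UL);
}

/* Checked version (hypothetical helper, not curl's code): parse the option
 * text, reject non-numeric or negative input, and refuse any value whose
 * conversion to milliseconds would exceed LONG_MAX. Returns true and
 * stores the millisecond delay in *out_ms on success. */
bool parse_retry_delay_ms(const char *text, long *out_ms)
{
    char *end = NULL;
    errno = 0;
    long secs = strtol(text, &end, 10);
    if (errno == ERANGE || end == text || *end != '\0')
        return false;           /* not a number, or already outside long */
    if (secs < 0)
        return false;           /* a negative delay is meaningless */
    if (secs > LONG_MAX / 1000)
        return false;           /* secs * 1000 would wrap around */
    *out_ms = secs * 1000;
    return true;
}

int main(void)
{
    /* Constructed sample inputs: a sane delay and one just past the limit. */
    const char *samples[] = { "5", "9223372036854776", "-1", "abc" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long ms;
        if (parse_retry_delay_ms(samples[i], &ms))
            printf("%-20s -> %ld ms\n", samples[i], ms);
        else
            printf("%-20s -> rejected\n", samples[i]);
    }
    /* The first value past LONG_MAX / 1000 wraps in the naive version. */
    printf("naive(LONG_MAX/1000 + 1) = %ld\n",
           naive_retry_delay_ms(LONG_MAX / 1000 + 1));
    return 0;
}
```

The naive form yields a negative (or otherwise far too small) delay, which is exactly the "far shorter than requested" behaviour Stenberg describes; the checked form turns the same input into an ordinary usage error, which is the fix a maintainer would want regardless of whether anyone calls it a vulnerability.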
The problem was duly fixed, a test case was added, and Lee was credited with the report in the commit message. In September 2019, curl 7.66.0 was released with the fix, which was mentioned in the announce