Closed
Bug 1117599
Opened 9 years ago
Closed 9 years ago
CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,} this year
Categories
(bugzilla.mozilla.org :: Extensions, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: glob, Assigned: glob)
References
Details
+++ This bug was initially created as a clone of Bug #1080600 +++ https://cve.mitre.org/cve/identifiers/syntaxchange.html They haven't *yet* reached CVE-2014-10000, but if they don't, they promise to release a five-digit CVE at the beginning of 2015. Interestingly, "There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below." So these CVEs would need to match: CVE-2014-0001 CVE-2014-9999 CVE-2014-10000 CVE-2014-99999 CVE-2014-100000 CVE-2014-999999 CVE-2014-1000000 CVE-2014-9999999 And these would be invalid: CVE-2014-00001 CVE-2014-099999 CVE-2014-0123456 Which sounds more like this than my simplified subject: CVE-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d) (Reed Loden [:reed] from comment #5) This is incorrect.... New CVE-ID Syntax The new CVE-ID syntax is variable length and includes: CVE prefix + Year + Arbitrary Digits So, either CVE-\d{4}-(0\d{3}|[1-9]\d{3,}) or CVE-\d{4}-\d{4,}
:reed, could you provide a test case for a valid CVE id that would be mishandled by the original regex, but handled correctly by your replacement regex(es)?
Flags: needinfo?(reed)
|
||
Comment 2•9 years ago
|
||
(In reply to Richard Soderberg [:atoll] from comment #1) > :reed, could you provide a test case for a valid CVE id that would be > mishandled by the original regex, but handled correctly by your replacement > regex(es)? CVE-2014-9999999999999 is a valid CVE id that is mishandled by the original regex.
Flags: needinfo?(reed)
The regex from bug 1080600 ended up being: > qr/(?<!\/|=)\b((?:CVE|CAN)-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d))\b/ so it seems like simply altering {4,6} to {4,} would be sufficient: > qr/(?<!\/|=)\b((?:CVE|CAN)-\d{4}-(?:\d{4}|[1-9]\d{4,})(?!\d))\b/
Note that, from a practical standpoint, if {4,6} or {4,8} is more efficient than {4,}, I fully support going with a restricted parser that doesn't support more than a 10^6 CVEs in any given year, since we're currently at 10^4.|
|
||
Comment 5•9 years ago
|
||
(In reply to Richard Soderberg [:atoll] from comment #4) > Note that, from a practical standpoint, if {4,6} or {4,8} is more efficient > than {4,}, I fully support going with a restricted parser that doesn't > support more than a 10^6 CVEs in any given year, since we're currently at > 10^4. MITRE has made it clear that any parsing should support an arbitrary length of digits to the point that they may even assign a real issue to a high integer. http://seclists.org/oss-sec/2015/q1/47
thanks reed and atoll :)
- match => qr/(?<!\/|=)\b((?:CVE|CAN)-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d))\b/,
+ match => qr/(?<!\/|=)\b((?:CVE|CAN)-\d{4}-(?:\d{4}|[1-9]\d{4,})(?!\d))\b/,
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
7834fbf..50ae5be master -> masterAssignee: nobody → glob
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
||
Updated•5 years ago
|
Component: Extensions: BMO → Extensions
You need to log in
before you can comment on or make changes to this bug.
Description
•