Closed Bug 1117599 Opened 8 years ago Closed 8 years ago

CVE ID format change: CVE-\d{4}-\d{4} becomes CVE-\d{4}-\d{4,} this year

Categories

(bugzilla.mozilla.org :: Extensions, defect)

Production
defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: glob, Assigned: glob)

References

Details

+++ This bug was initially created as a clone of Bug #1080600 +++

https://cve.mitre.org/cve/identifiers/syntaxchange.html

They haven't *yet* reached CVE-2014-10000, but if they don't, they promise to release a five-digit CVE at the beginning of 2015.

Interestingly,

"There is no limit on the number of arbitrary digits. Leading 0’s will only be used in IDs 1 to 999, as shown in column one below."

So these CVEs would need to match:

CVE-2014-0001 CVE-2014-9999
CVE-2014-10000 CVE-2014-99999
CVE-2014-100000 CVE-2014-999999
CVE-2014-1000000 CVE-2014-9999999

And these would be invalid:

CVE-2014-00001
CVE-2014-099999
CVE-2014-0123456

Which sounds more like this than my simplified subject:

CVE-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d)

(Reed Loden [:reed] from comment #5)

This is incorrect....

New CVE-ID Syntax

The new CVE-ID syntax is variable length and includes:

CVE prefix + Year + Arbitrary Digits


So, either CVE-\d{4}-(0\d{3}|[1-9]\d{3,}) or CVE-\d{4}-\d{4,}
:reed, could you provide a test case for a valid CVE id that would be mishandled by the original regex, but handled correctly by your replacement regex(es)?
Flags: needinfo?(reed)
(In reply to Richard Soderberg [:atoll] from comment #1)
> :reed, could you provide a test case for a valid CVE id that would be
> mishandled by the original regex, but handled correctly by your replacement
> regex(es)?

CVE-2014-9999999999999 is a valid CVE id that is mishandled by the original regex.
Flags: needinfo?(reed)
The regex from bug 1080600 ended up being:

> qr/(?<!\/|=)\b((?:CVE|CAN)-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d))\b/

so it seems like simply altering {4,6} to {4,} would be sufficient:

> qr/(?<!\/|=)\b((?:CVE|CAN)-\d{4}-(?:\d{4}|[1-9]\d{4,})(?!\d))\b/
Note that, from a practical standpoint, if {4,6} or {4,8} is more efficient than {4,}, I fully support going with a restricted parser that doesn't support more than a 10^6 CVEs in any given year, since we're currently at 10^4.
(In reply to Richard Soderberg [:atoll] from comment #4)
> Note that, from a practical standpoint, if {4,6} or {4,8} is more efficient
> than {4,}, I fully support going with a restricted parser that doesn't
> support more than a 10^6 CVEs in any given year, since we're currently at
> 10^4.

MITRE has made it clear that any parsing should support an arbitrary length of digits to the point that they may even assign a real issue to a high integer.

http://seclists.org/oss-sec/2015/q1/47
thanks reed and atoll :)

-   match => qr/(?<!\/|=)\b((?:CVE|CAN)-\d{4}-(?:\d{4}|[1-9]\d{4,6})(?!\d))\b/,
+   match => qr/(?<!\/|=)\b((?:CVE|CAN)-\d{4}-(?:\d{4}|[1-9]\d{4,})(?!\d))\b/,

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   7834fbf..50ae5be  master -> master
Assignee: nobody → glob
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Component: Extensions: BMO → Extensions
You need to log in before you can comment on or make changes to this bug.