'Chinese Whisper' security advisories
Before panicking about a security advisory, it's best to go to the source

(LinuxWorld) -- The object of the game of "Chinese Whispers" is to see how a phrase changes as it passes through several speakers. Players sit in a circle, and the first player thinks of a phrase and whispers it into the ear of the next player. The second player whispers it to the third, and so on, until it gets back to the first player, who announces both the starting and the ending phrase. The two versions are usually wildly different.

Are application developers, Linux vendors, and the media playing this game when they report vulnerabilities in open source software? I think so -- what compelled me to write this was reviewing how a recent security vulnerability got reported.

It is essential that security vulnerabilities get reported accurately so that affected users can make informed decisions, and so we don't get caught up in spreading unnecessary fear, uncertainty, and doubt. Since joining the security team at Red Hat, I've found many examples across the industry in which vulnerabilities were reported inaccurately. All vendors have made mistakes at some time, and no vendor seems to be any better or worse than any other. Fortunately, these mistakes do not appear to be malicious -- just the result of a game of Chinese Whispers.

A vulnerability was found in the mutt e-mail client in December 2001, and Linux vendors quickly released new versions of their mutt packages to fix the problem. However, in looking at the confusing advisory details, you would have thought each vendor had actually fixed a completely different vulnerability.

The mutt team
The announcement from the mutt team contains very few details, stating simply: "These releases ... fix a security hole which can be remotely exploited." http://marc.theaimsgroup.com/?l=bugtraq&m=100994648918287

A few vendors took the details from the mutt announcement and made their own advisories. Here are the statements from SuSE, Trustix, and Mandrake:

SuSE
SuSE reported, "mutt ... is vulnerable to a buffer overflow that is remotely exploitable." http://marc.theaimsgroup.com/?l=bugtraq&m=101043931028991

Trustix
Trustix reported, "mutt ... has a buffer overflow which can be remotely exploited." http://marc.theaimsgroup.com/?l=bugtraq&m=101044050032264

Mandrake
Mandrake reported "a remotely exploitable buffer overflow in the mutt email client." http://marc.theaimsgroup.com/?l=bugtraq&m=101060534006193

However, for more details, one needs to look a little further than the original announcement. On a mailing list, mutt developer Michael Elkins wrote "In this particular case it would be difficult to exploit because the attacker only has the option of writing one NUL (0x00) byte and can't choose to write arbitrary instructions onto the stack. In my opinion, at worst it really would only be a DOS attack." (See http://marc.theaimsgroup.com/?l=mutt-users&m=101018365029463)
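As an added illustration, which is not mutt's code and is not part of the original article, the following C shows the class of bug Elkins describes: a routine that copies the "phrase" (display-name) part of an address into a fixed buffer and whose only out-of-bounds write is the single NUL terminator landing one byte past the buffer, alongside a version that reserves room for the terminator. The 16-byte buffer, the `From:` header strings and the simulated stack frame (a flat byte array with a marker byte where the compiler might have placed a neighbouring local) are all constructed for the example, so the overwrite stays within the array and can be observed without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a one-byte NUL off-by-one in an RFC822-style
 * phrase copier. Not mutt's code; the sizes and inputs are invented. */

#define PHRASE_CAP 16          /* assumed fixed size of the phrase buffer */
#define NEIGHBOUR_MARK 0xAA    /* stands in for whatever sits after the buffer */

/* Simulated stack frame: PHRASE_CAP bytes of buffer followed by one
 * byte representing the adjacent local/saved value. Keeping it in one
 * flat array means the off-by-one write is still inside the array. */
struct frame {
    unsigned char bytes[PHRASE_CAP + 1];
};

/* Vulnerable: copies phrase characters up to '<' or end of string.
 * The loop correctly stops after cap characters, but the terminator is
 * then written at dst[n] with n == cap, i.e. one NUL byte past the end.
 * The attacker chooses whether the write happens (by sending a phrase of
 * at least cap characters) but never what is written: it is always 0x00.
 * Returns the number of phrase characters consumed. */
static size_t copy_phrase_vuln(unsigned char *dst, size_t cap, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0' && src[n] != '<' && n < cap) {
        dst[n] = (unsigned char)src[n];
        n++;
    }
    dst[n] = '\0';   /* BUG: when n == cap this writes dst[cap] */
    return n;
}

/* Fixed: one byte of cap is reserved for the terminator. An over-long
 * phrase is truncated and *truncated is set so the caller can decide
 * whether to reject the address; nothing is written past dst[cap-1]. */
static size_t copy_phrase_fixed(unsigned char *dst, size_t cap,
                                const char *src, int *truncated)
{
    size_t n = 0;
    *truncated = 0;
    if (cap == 0)
        return 0;
    while (src[n] != '\0' && src[n] != '<') {
        if (n == cap - 1) {   /* no room left for both char and NUL */
            *truncated = 1;
            break;
        }
        dst[n] = (unsigned char)src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Parse one constructed From: header with either routine and report
 * whether the byte after the buffer was zeroed. Returns 1 if the
 * neighbour marker was clobbered, 0 if it survived. */
static int neighbour_clobbered(int use_fixed, const char *from_header)
{
    struct frame f;
    int truncated;
    memset(f.bytes, 0, sizeof f.bytes);
    f.bytes[PHRASE_CAP] = NEIGHBOUR_MARK;
    if (use_fixed)
        copy_phrase_fixed(f.bytes, PHRASE_CAP, from_header, &truncated);
    else
        copy_phrase_vuln(f.bytes, PHRASE_CAP, from_header);
    return f.bytes[PHRASE_CAP] != NEIGHBOUR_MARK;
}

int main(void)
{
    /* Constructed headers: the first phrase fits (14 chars), the second
     * is 28 chars, longer than the 16-byte buffer, and triggers the bug. */
    const char *short_hdr = "Alice Example <alice@example.invalid>";
    const char *long_hdr  = "Very Long Display Name Here <a@example.invalid>";

    printf("vuln,  short phrase: neighbour clobbered = %d\n",
           neighbour_clobbered(0, short_hdr));
    printf("vuln,  long phrase : neighbour clobbered = %d\n",
           neighbour_clobbered(0, long_hdr));
    printf("fixed, long phrase : neighbour clobbered = %d\n",
           neighbour_clobbered(1, long_hdr));
    return 0;
}
```

Build with `cc -Wall -Wextra -o phrase phrase.c`. The point the example makes concrete is the one in Elkins's note: the attacker's primitive is a single zero byte at a fixed offset, not a chosen value, and whether that zero byte is a crash, a truncated string, or something worse depends entirely on what the compiler happened to place next to the buffer, which is the constructed marker here. That dependence is exactly what the bare phrase "buffer overflow" in an advisory does not convey.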

Debian
Debian obviously read this, as their release reported "...a buffer overflow in the address handling code of mutt ... Even though this is a one byte overflow, this is exploitable." http://marc.theaimsgroup.com/?l=bugtraq&m=100999679516522

Red Hat
Red Hat also read this, but is more cautious, saying "An overflow exists in mutt's RFC822 address parser. A remote attacker could send a carefully crafted email message which when read by mutt would be able to overwrite arbitrary bytes in memory." http://marc.theaimsgroup.com/?l=bugtraq&m=101044878020469

However, there are a few more worrying reports of the mutt vulnerability.

Conectiva
Conectiva reports "a buffer overflow vulnerability in the mutt program that could be exploited by a remote attacker. By sending a crafted email message to some user, the attacker can exploit this vulnerability and execute arbitrary commands on the user's machine. These commands would be executed with the privileges of the user running the e-mail client." http://marc.theaimsgroup.com/?l=bugtraq&m=101043965229985

Security Focus
Security Focus reports something pretty similar: "A buffer overflow error exists in the e-mail address handling routines of Mutt. Exploitation of this vulnerability can result in arbitrary code execution. Although Mutt would normally run as a non-privileged user, exploitation of this vulnerability may result in local access for an attacker." http://www.securityfocus.com/bid/3774

Mitre CVE
The Mitre CVE dictionary lists a "Vulnerability in RFC822 address parser in mutt .... allows remote attackers to execute arbitrary commands via an improperly terminated comment or phrase in the address list." http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0001

Vnunet.com
Then, the media gets hold of the inaccurate information. Vnunet.com links to the mutt advisory, but then incorrectly attributes it by quoting directly from the Conectiva report. http://www.vnunet.com/News/1128057

Linux Weekly News
Even Linux Weekly News, a respected source of Linux information, uses the following statement as an example: "The recent Microsoft XP vulnerability, the one that exposes almost every system connected to the net, was caused by a buffer overflow. It is easy to sneer at Microsoft for allowing such a vulnerability into their code, but one should look at this week's LWN security page before sneering too hard. Linux distributors have done a good job at rushing out fixes for the remotely exploitable vulnerability in the widely-used mutt mailer. That vulnerability is, of course, a buffer overflow problem." http://www.lwn.net/

(Editor's note: LinuxWorld did not cover this story.)

Has this inconsistent reporting caused any harm? Probably not. If anything, it will cause more users to upgrade. I've highlighted the mutt vulnerability as one example where the game of Chinese Whispers has been played, but it is by no means the only example. In one case, the press equated an Apache vulnerability to an IIS vulnerability. The Apache vulnerability lets one view a listing of a directory under your Web document root with a carefully crafted request. The IIS vulnerability gave a remote attacker complete control over your machine.

It doesn't appear that this game is being played on purpose. Indeed, it looks mostly like the media not being fully informed. I too have a confession to make: I didn't check the mutt vulnerability either, to see if the post was accurate. I could have downloaded the code and checked the differences, but I didn't. Judging by the advisories I've listed in this article, I don't think many of the Linux vendors did either.

If we want vulnerabilities to have a common description, then the Mitre CVE project seems the way to go. The group is building up a peer-reviewed database of vulnerability descriptions. If all vendors started attaching CVE tags to their advisories, then it would be easy for users to work out which issues were being fixed even if the descriptions in each advisory were widely different. Since November I've been working with Mitre to get these descriptions into the Red Hat advisories.

I wrote this piece to highlight the need for better vulnerability reports from software authors, distribution vendors and the press. Users need to have accurate information about security vulnerabilities in order for them to be able to make informed decisions.

About Mark J. Cox
Mark J. Cox is Senior Director of Engineering for Red Hat.
