Date: Wed, 14 Sep 2011 14:35:54 -0400 (EDT)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: Josh Bressers <bressers@...hat.com>
cc: oss-security@...ts.openwall.com, Gerald Combs <gerald@...eshark.org>,
        cve-assign@...re.org
Subject: Re: CVE Request: Multiple issues fixed in wireshark 1.6.2


> Are the below worth assigning CVE ids to? The advisory seems to suggest 
> they are crash only fixes. Do those deserve CVE IDs? I know we've been 
> fairly generous with wireshark in the past, but I'm wondering if we need 
> to draw a line somewhere.

Crash-only issues are always/typically worth a CVE when it can prevent a 
product from working in a security context.  Wireshark monitors network 
traffic, sometimes live; therefore, in some reasonable/common usage 
scenarios, attackers can cause a crash and prevent network activities from 
being detected.

We apply similar logic in forensics and other scenarios.  Therefore a CVE 
is needed for both wnpa-sec-2011-12 (crash reading live packets) as well 
as wnpa-sec-2011-14 (by only reading a packet trace file) - in the latter, 
analysis of a packet trace could be hampered/delayed because the 
investigator can't use the product without it crashing.

Wireshark does not get any more "preference" than any other tool, except 
indirectly because it gets more attention.

- Steve



On Wed, 14 Sep 2011, Josh Bressers wrote:

> ----- Original Message -----
>
>> 2. Wireshark Lua script execution vulnerability
>> http://www.wireshark.org/security/wnpa-sec-2011-15.html
>> https://bugzilla.redhat.com/show_bug.cgi?id=737784
>
> Use CVE-2011-3360 for the above.
>
>
>>
>> 1. Wireshark CSN.1 dissector vulnerability
>> http://www.wireshark.org/security/wnpa-sec-2011-16.html
>> https://bugzilla.redhat.com/show_bug.cgi?id=737783
>>
>> 3. Wireshark buffer exception handling vulnerability
>> http://www.wireshark.org/security/wnpa-sec-2011-14.html
>> https://bugzilla.redhat.com/show_bug.cgi?id=737785
>>
>> 4. Wireshark OpenSafety dissector vulnerability
>> http://www.wireshark.org/security/wnpa-sec-2011-12.html
>> https://bugzilla.redhat.com/show_bug.cgi?id=737787
>>
>
> Thanks.
>
> --
>    JB
>
