Date: Wed, 14 Sep 2011 14:35:54 -0400 (EDT)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: Josh Bressers <bressers@...hat.com>
cc: oss-security@...ts.openwall.com, Gerald Combs <gerald@...eshark.org>, cve-assign@...re.org
Subject: Re: CVE Request: Multiple issues fixed in wireshark 1.6.2

> Are the below worth assigning CVE ids to? The advisory seems to suggest
> they are crash only fixes. Do those deserve CVE IDs? I know we've been
> fairly generous with wireshark in the past, but I'm wondering if we need
> to draw a line somewhere.

Crash-only issues are always/typically worth a CVE when it can prevent a
product from working in a security context. Wireshark monitors network
traffic, sometimes live; therefore, in some reasonable/common usage
scenarios, attackers can cause a crash and prevent network activities from
being detected. We apply similar logic in forensics and other scenarios.

Therefore a CVE is needed for both wnpa-sec-2011-12 (crash reading live
packets) as well as wnpa-sec-2011-14 (by only reading a packet trace
file) - in the latter, analysis of a packet trace could be hampered/delayed
because the investigator can't use the product without it crashing.

Wireshark does not get any more "preference" than any other tool, except
indirectly because it gets more attention.

- Steve

On Wed, 14 Sep 2011, Josh Bressers wrote:

> ----- Original Message -----
>
>> 2. Wireshark Lua script execution vulnerability
>> http://www.wireshark.org/security/wnpa-sec-2011-15.html
>> https://bugzilla.redhat.com/show_bug.cgi?id=737784
>
> Use CVE-2011-3360 for the above.
>
>
>>
>> 1. Wireshark CSN.1 dissector vulnerability
>> http://www.wireshark.org/security/wnpa-sec-2011-16.html
>> https://bugzilla.redhat.com/show_bug.cgi?id=737783
>>
>> 3. Wireshark buffer exception handling vulnerability
>> http://www.wireshark.org/security/wnpa-sec-2011-14.html
>> https://bugzilla.redhat.com/show_bug.cgi?id=737785
>>
>> 4. Wireshark OpenSafety dissector vulnerability
>> http://www.wireshark.org/security/wnpa-sec-2011-12.html
>> https://bugzilla.redhat.com/show_bug.cgi?id=737787
>>
>
> Thanks.
>
> --
> JB
>