Full Disclosure mailing list archives
Re: [vendor-sec] Fwd: probably integer overflow in konqueror 3.5-latest and earlier
From: Josh Bressers <bressers () redhat com>
Date: Fri, 13 Oct 2006 20:41:04 -0400
> On Fri, Oct 13, 2006 at 01:11:24PM -0400, Josh Bressers wrote:
>> Use CVE-<F*CK> for this issue.
>
> the redhat person means for THIS: (the png is well formed, but the redhat person wasn't eligible to know it.)
Georgie's logic behind this behavior baffles me, but he's free to act in any way he sees fit. I gave this issue CVE-2006-4811.

Typically, when someone reports a security issue to a group such as vendor-sec, it is quickly given a CVE id before analysis is complete so there is no confusion. It's not uncommon for multiple different issues to be found once someone starts staring at a piece of code. This apparently pissed Georgie off.

Anyhow, below is my reply.

--------------------- snip -------------------------
> On Fri, Oct 13, 2006 at 01:11:24PM -0400, Josh Bressers wrote:
>> Use CVE-2006-4811 for this issue.
>
> this is not very smart behavior.
I'd rather not have this conversation with you again Georgie. Your personal dislike of Steve Christey is no reason to disapprove of the current industry standard for assigning a unique identifier for security issues. I suspect you are intelligent enough to understand the advantage to having a way to easily identify the various security issues in existence.

All this id means is that this particular issue can be described as CVE-2006-4811, or an integer overflow found by Georgie Guninski. I personally prefer the former as you've found more than one integer overflow and there is no other easy way to keep them all straight.

If you don't want to mention a CVE id in your advisory, you don't have to. Its sole purpose is to ensure we don't confuse this issue with another similar one.

--
JB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/