Full Disclosure mailing list archives

Re: [vendor-sec] Fwd: probably integer overflow in konqueror 3.5-latest and earlier


From: Josh Bressers <bressers () redhat com>
Date: Fri, 13 Oct 2006 20:41:04 -0400

> On Fri, Oct 13, 2006 at 01:11:24PM -0400, Josh Bressers wrote:
>
>> Use CVE-<F*CK> for this issue.
>
> the redhat persons means for THIS:
> (the png is well formed, but the redhat person wasn't eligible to know it.)


Georgie's logic behind this behavior baffles me, but he's free to act in any
way he sees fit.  I gave this issue CVE-2006-4811.  Typically, when someone
reports a security issue to a group such as vendor-sec, it is quickly given
a CVE id before analysis is complete so there is no confusion.  It's not
uncommon for multiple different issues to be found once someone starts
staring at a piece of code.  This apparently pissed Georgie off.  Anyhow,
below is my reply.

--------------------- snip -------------------------

> On Fri, Oct 13, 2006 at 01:11:24PM -0400, Josh Bressers wrote:
>
>> Use CVE-2006-4811 for this issue.
>
> this is not very smart behavior.

I'd rather not have this conversation with you again Georgie.  Your
personal dislike of Steve Christey is no reason to disapprove of the current
industry standard for assigning a unique identifier for security issues.  I
suspect you are intelligent enough to understand the advantage to having a
way to easily identify the various security issues in existence.

All this id means is that this particular issue can be described as
CVE-2006-4811, or an integer overflow found by Georgie Guninski.  I
personally prefer the former as you've found more than one integer
overflow and there is no other easy way to keep them all straight.

If you don't want to mention a CVE id in your advisory, you don't have to.
Its sole purpose is to ensure we don't confuse this issue with another
similar one.

-- 
    JB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/