Re: CVE Request: Multiple issues fixed in wireshark 1.6.2

["Steven M. Christey" <coley () rcf-smtp mitre org>]

> Are the below worth assigning CVE ids to? The advisory seems to suggest 
> they are crash only fixes. Do those deserve CVE IDs? I know we've been 
> fairly generous with wireshark in the past, but I'm wondering if we need 
> to draw a line somewhere.

Crash-only issues are always/typically worth a CVE when it can prevent a 
product from working in a security context.  Wireshark monitors network 
traffic, sometimes live; therefore, in some reasonable/common usage 
scenarios, attackers can cause a crash and prevent network activities from 
being detected.

We apply similar logic in forensics and other scenarios.  Therefore a CVE 
is needed for both wnpa-sec-2011-12 (crash reading live packets) as well 
as wnpa-sec-2011-14 (by only reading a packet trace file) - in the latter, 
analysis of a packet trace could be hampered/delayed because the 
investigator can't use the product without it crashing.

Wireshark does not get any more "preference" than any other tool, except 
indirectly because it gets more attention.

- Steve



On Wed, 14 Sep 2011, Josh Bressers wrote:

> ----- Original Message -----
>
> > 2. Wireshark Lua script execution vulnerability
> > http://www.wireshark.org/security/wnpa-sec-2011-15.html
> > https://bugzilla.redhat.com/show_bug.cgi?id=737784
>
> Use CVE-2011-3360 for the above.
>
>
> > 1, Wireshark CSN.1 dissector vulnerability
> > http://www.wireshark.org/security/wnpa-sec-2011-16.html
> > https://bugzilla.redhat.com/show_bug.cgi?id=737783
> >
> > 3. Wireshark buffer exception handling vulnerability
> > http://www.wireshark.org/security/wnpa-sec-2011-14.html
> > https://bugzilla.redhat.com/show_bug.cgi?id=737785
> >
> > 4. Wireshark OpenSafety dissector vulnerability
> > http://www.wireshark.org/security/wnpa-sec-2011-12.html
> > https://bugzilla.redhat.com/show_bug.cgi?id=737787
>
> Thanks.
>
> --
>    JB