oss-sec mailing list archives
Re: CVE Request: Multiple issues fixed in wireshark 1.6.2
From: Josh Bressers <bressers () redhat com>
Date: Wed, 14 Sep 2011 14:49:21 -0400 (EDT)
----- Original Message -----
Are the below worth assigning CVE ids to? The advisory seems to suggest they are crash only fixes. Do those deserve CVE IDs? I know we've been fairly generous with wireshark in the past, but I'm wondering if we need to draw a line somewhere.Crash-only issues are always/typically worth a CVE when it can prevent a product from working in a security context. Wireshark monitors network traffic, sometimes live; therefore, in some reasonable/common usage scenarios, attackers can cause a crash and prevent network activities from being detected. We apply similar logic in forensics and other scenarios. Therefore a CVE is needed for both wnpa-sec-2011-12 (crash reading live packets) as well as wnpa-sec-2011-14 (by only reading a packet trace file) - in the latter, analysis of a packet trace could be hampered/delayed because the investigator can't use the product without it crashing. Wireshark does not get any more "preference" than any other tool, except indirectly because it gets more attention.
I wasn't thinking in the sense of live monitoring. You're right of course, which also means previous crash IDs were needed. Sorry for the confusion. Thanks. -- JB
Current thread:
- CVE Request: Multiple issues fixed in wireshark 1.6.2 Huzaifa Sidhpurwala (Sep 12)
- Re: CVE Request: Multiple issues fixed in wireshark 1.6.2 Josh Bressers (Sep 14)
- Re: CVE Request: Multiple issues fixed in wireshark 1.6.2 Steven M. Christey (Sep 14)
- Re: CVE Request: Multiple issues fixed in wireshark 1.6.2 Josh Bressers (Sep 14)
- Re: CVE Request: Multiple issues fixed in wireshark 1.6.2 Steven M. Christey (Sep 14)
- Re: CVE Request: Multiple issues fixed in wireshark 1.6.2 Steven M. Christey (Sep 14)
- Re: CVE Request: Multiple issues fixed in wireshark 1.6.2 Josh Bressers (Sep 14)