oss-sec mailing list archives

CVE issue discussion


From: ne xo <nexo123 () outlook kr>
Date: Mon, 7 Aug 2017 01:03:53 +0000

Hello,


I am curious about issuing CVEs.

I can see that a "NULL pointer dereference" or a bug where the exploit has not been verified also gets a CVE.


Heap overflows may or may not be exploitable.


It takes a lot of time to analyze the exploit and create the exploit code.


Is it right to be assigned a CVE only if it is exploitable?


Or do you think all bugs need to get a CVE?


Thanks.

---

ref

---

[1] http://www.openwall.com/lists/oss-security/2017/04/10/17 - NULL pointer dereference
[2] http://www.openwall.com/lists/oss-security/2017/04/10/15 - memory allocation failure
