oss-sec mailing list archives
Re: CVE Request: Critical vuln in Firefox 3.0
From: "Steven M. Christey" <coley () linus mitre org>
Date: Thu, 19 Jun 2008 16:07:30 -0400 (EDT)
On Thu, 19 Jun 2008, Nico Golde wrote:
> Let's wait until they publish their advisory, having a CVE id without any useful description now doesn't help anyone.
At this stage, I believe that a CVE identifier is important. Here, it serves two roles:

1) being absolutely sure we know which Firefox 3.0 issue is being discussed - which can be done if a CVE description is anchored on a particular reference or source.

2) Tracking, then eventually resolving, confusion between multiple disclosures. Granted we don't always succeed at this, but it's a goal.

So, I've assigned CVE-2008-2785 for the unspecified issue being claimed by Tipping Point.

But, I've also assigned a separate CVE-2008-2786 for a Full-Disclosure post talking about a buffer overflow. Typically I try to avoid creating CVEs for these - anyone could claim "I found BUG-TYPE X in product Z" and there's no way of proving things - but here, there's likely some confusion about whether the FD post is the same as ZDI's or not. And ZDI is specifically not saying anything about that.

- Steve

======================================================
Name: CVE-2008-2785
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785
Reference: MISC:http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30
Reference: BID:29802
Reference: URL:http://www.securityfocus.com/bid/29802
Reference: FRSIRT:ADV-2008-1873
Reference: URL:http://www.frsirt.com/english/advisories/2008/1873
Reference: SECUNIA:30761
Reference: URL:http://secunia.com/advisories/30761
Reference: XF:firefox-unspecified-code-execution(43167)
Reference: URL:http://xforce.iss.net/xforce/xfdb/43167

Unspecified vulnerability in Firefox 3.0 and 2.0.x has unknown impact and remote attack vectors, aka ZDI-CAN-349.

======================================================
Name: CVE-2008-2786
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2786
Reference: FULLDISC:20080618 Coming soon : Firefox 3 Release overflow
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2008-June/062832.html
Reference: BID:29794
Reference: URL:http://www.securityfocus.com/bid/29794

Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack vectors. NOTE: due to lack of details as of 20080619, it is not clear whether this is the same issue as CVE-2008-2785. A CVE identifier has been assigned for tracking purposes.