Re: CVE Request: Multiple issues fixed in wireshark 1.6.2

[Josh Bressers <bressers () redhat com>]

----- Original Message -----
> > Are the below worth assigning CVE ids to? The advisory seems to suggest
> > they are crash only fixes. Do those deserve CVE IDs? I know we've been
> > fairly generous with wireshark in the past, but I'm wondering if we
> > need to draw a line somewhere.
>
> Crash-only issues are always/typically worth a CVE when it can prevent a
> product from working in a security context. Wireshark monitors network
> traffic, sometimes live; therefore, in some reasonable/common usage
> scenarios, attackers can cause a crash and prevent network activities
> from being detected.
>
> We apply similar logic in forensics and other scenarios. Therefore a CVE
> is needed for both wnpa-sec-2011-12 (crash reading live packets) as well
> as wnpa-sec-2011-14 (by only reading a packet trace file) - in the
> latter, analysis of a packet trace could be hampered/delayed because the
> investigator can't use the product without it crashing.
>
> Wireshark does not get any more "preference" than any other tool, except
> indirectly because it gets more attention.

I wasn't thinking in the sense of live monitoring. You're right of course,
which also means previous crash IDs were needed.

Sorry for the confusion.

Thanks.

-- 
    JB