[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request: Critical vuln in Firefox 3.0
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2008-06-19 20:07:30
Message-ID: Pine.GSO.4.51.0806191602500.14175 () faron ! mitre ! org
[Download RAW message or body]


On Thu, 19 Jun 2008, Nico Golde wrote:

> Let's wait until they publish their advisory, having a CVE
> id without any useful description now doesn't help anyone.

At this stage, I believe that a CVE identifier is important.  Here, it
serves two roles:

1) being absolutely sure we know which Firefox 3.0 issue is being
discussed - which can be done if a CVE description is anchored on a
particular reference or source.

2) Tracking, then eventually resolving, confusion between multiple
disclosures.  Granted we don't always succeed at this, but it's a goal.

So, I've assigned CVE-2008-2785 for the unspecified issue being claimed by
Tipping Point.

But, I've also assigned a separate CVE-2008-2786 for a Full-Disclosure
post talking about a buffer overflow.  Typically I try to avoid creating
CVEs for these - anyone could claim "I found BUG-TYPE X in product Z" and
there's no way of proving things - but here, there's likely some confusion
about whether the FD post is the same as ZDI's or not.  And ZDI is
specifically not saying anything about that.

- Steve


======================================================
Name: CVE-2008-2785
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785
Reference: MISC:http://dvlabs.tippingpoint.com/blog/2008/06/18/vulnerability-in-mozilla-firefox-30
Reference: BID:29802
Reference: URL:http://www.securityfocus.com/bid/29802
Reference: FRSIRT:ADV-2008-1873
Reference: URL:http://www.frsirt.com/english/advisories/2008/1873
Reference: SECUNIA:30761
Reference: URL:http://secunia.com/advisories/30761
Reference: XF:firefox-unspecified-code-execution(43167)
Reference: URL:http://xforce.iss.net/xforce/xfdb/43167

Unspecified vulnerability in Firefox 3.0 and 2.0.x has unknown impact
and remote attack vectors, aka ZDI-CAN-349.


======================================================
Name: CVE-2008-2786
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2786
Reference: FULLDISC:20080618 Coming soon : Firefox 3 Release overflow
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2008-June/062832.html
Reference: BID:29794
Reference: URL:http://www.securityfocus.com/bid/29794

Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack
vectors.  NOTE: due to lack of details as of 20080619, it is not clear
whether this is the same issue as CVE-2008-2785.  A CVE identifier has
been assigned for tracking purposes.


[prev in list] [next in list] [prev in thread] [next in thread]