List:       oss-security
Subject:    Re: [oss-security] CVE Request: Multiple issues fixed in wireshark
From:       Josh Bressers <bressers () redhat ! com>
Date:       2011-09-14 18:49:21
Message-ID: 651729557.1262135.1316026161955.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

----- Original Message -----
> > Are the below worth assigning CVE ids to? The advisory seems to suggest
> > they are crash only fixes. Do those deserve CVE IDs? I know we've been
> > fairly generous with wireshark in the past, but I'm wondering if we
> > need to draw a line somewhere.
> 
> Crash-only issues are always/typically worth a CVE when it can prevent a
> product from working in a security context. Wireshark monitors network
> traffic, sometimes live; therefore, in some reasonable/common usage
> scenarios, attackers can cause a crash and prevent network activities
> from being detected.
> 
> We apply similar logic in forensics and other scenarios. Therefore a CVE
> is needed for both wnpa-sec-2011-12 (crash reading live packets) as well
> as wnpa-sec-2011-14 (by only reading a packet trace file) - in the
> latter, analysis of a packet trace could be hampered/delayed because the
> investigator can't use the product without it crashing.
> 
> Wireshark does not get any more "preference" than any other tool, except
> indirectly because it gets more attention.
> 

I wasn't thinking in the sense of live monitoring. You're right of course,
which also means previous crash IDs were needed.

Sorry for the confusion.

Thanks.

-- 
    JB