oss-security September 2011 archive

Re: [oss-security] CVE Request: Multiple issues fixed in wireshark 1.6.2

From: Josh Bressers <bressers_at_nospam>
Date: Wed Sep 14 2011 - 18:49:21 GMT
To: oss-security@lists.openwall.com

----- Original Message -----
> > Are the below worth assigning CVE ids to? The advisory seems to suggest
> > they are crash only fixes. Do those deserve CVE IDs? I know we've been
> > fairly generous with wireshark in the past, but I'm wondering if we
> > need to draw a line somewhere.
>
> Crash-only issues are always/typically worth a CVE when it can prevent a
> product from working in a security context. Wireshark monitors network
> traffic, sometimes live; therefore, in some reasonable/common usage
> scenarios, attackers can cause a crash and prevent network activities
> from being detected.
>
> We apply similar logic in forensics and other scenarios. Therefore a CVE
> is needed for both wnpa-sec-2011-12 (crash reading live packets) as well
> as wnpa-sec-2011-14 (by only reading a packet trace file) - in the
> latter, analysis of a packet trace could be hampered/delayed because the
> investigator can't use the product without it crashing.
>
> Wireshark does not get any more "preference" than any other tool, except
> indirectly because it gets more attention.
>

I wasn't thinking in the sense of live monitoring. You're right of course,
which also means previous crash IDs were needed.

Sorry for the confusion.

Thanks.

-- JB