mailing list archives
Re: CVE Request: Multiple issues fixed in wireshark 1.6.2
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Wed, 14 Sep 2011 14:35:54 -0400 (EDT)
Are the below worth assigning CVE ids to? The advisory seems to suggest
they are crash only fixes. Do those deserve CVE IDs? I know we've been
fairly generous with wireshark in the past, but I'm wondering if we need
to draw a line somewhere.
Crash-only issues are always/typically worth a CVE when it can prevent a
product from working in a security context. Wireshark monitors network
traffic, sometimes live; therefore, in some reasonable/common usage
scenarios, attackers can cause a crash and prevent network activities from
We apply similar logic in forensics and other scenarios. Therefore a CVE
is needed for both wnpa-sec-2011-12 (crash reading live packets) as well
as wnpa-sec-2011-14 (by only reading a packet trace file) - in the latter,
analysis of a packet trace could be hampered/delayed because the
investigator can't use the product without it crashing.
Wireshark does not get any more "preference" than any other tool, except
indirectly because it gets more attention.
On Wed, 14 Sep 2011, Josh Bressers wrote:
----- Original Message -----
2. Wireshark Lua script execution vulnerability
Use CVE-2011-3360 for the above.
1, Wireshark CSN.1 dissector vulnerability
3. Wireshark buffer exception handling vulnerability
4. Wireshark OpenSafety dissector vulnerability