Are the below worth assigning CVE ids to? The advisory seems to suggest
they are crash only fixes. Do those deserve CVE IDs? I know we've been
fairly generous with wireshark in the past, but I'm wondering if we
need to draw a line somewhere.
Crash-only issues are always/typically worth a CVE when it can prevent a
product from working in a security context. Wireshark monitors network
traffic, sometimes live; therefore, in some reasonable/common usage
scenarios, attackers can cause a crash and prevent network activities
from being detected.
We apply similar logic in forensics and other scenarios. Therefore a CVE
is needed for both wnpa-sec-2011-12 (crash reading live packets) as well
as wnpa-sec-2011-14 (by only reading a packet trace file) - in the
latter, analysis of a packet trace could be hampered/delayed because the
investigator can't use the product without it crashing.
Wireshark does not get any more "preference" than any other tool, except
indirectly because it gets more attention.