lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 13 Oct 2006 20:41:04 -0400
From: Josh Bressers <bressers@...hat.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [vendor-sec] Fwd: probably integer overflow
	in konqueror 3.5-latest and earlier

> On Fri, Oct 13, 2006 at 01:11:24PM -0400, Josh Bressers wrote:
> > 
> > Use CVE-<F*CK> for this issue.
> >
> 
> the redhat persons means for THIS:
> (the png is well formed, but the redhat person wasn't elligible to know it.)
> 

Georgie's logic behind this behavior baffles me, but he's free to act in any
way he sees fit.  I gave this issue CVE-2006-4811.  Typically, when someone
reports a security issue to a group such as vendor-sec, it is quickly given
a CVE id before analysis is complete so there is no confusion.  It's not
uncommon for multiple different issues to be found once someone start
staring at a piece of code.  This apparently pissed Georgie off.  Anyhow,
below is my reply.

--------------------- snip -------------------------

> On Fri, Oct 13, 2006 at 01:11:24PM -0400, Josh Bressers wrote:
> > 
> > Use CVE-2006-4811 for this issue.
> > 
> 
> this is not very smart behavior.

I'd rather not have this conversation with you again Georgie.  Your
personal dislike of Steve Christey is no reason to disprove of the current
industry standard for assigning a unique identifier for security issues.  I
suspect you are intelligent enough to understand the advantage to having a
way to easily identify the various security issues in existence.

All this id means is that this particular issue can be described as
CVE-2006-4811, or an integer overflow found by Georgie Guninski.  I
personally prefer for former as you've found more than one integer
overflow and there is no other easy way to keep them all straight.

If you don't want to mention a CVE id in your advisory, you don't have to.
Its sole purpose is to ensure we don't confuse this issue with another
similar one.

-- 
    JB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ