| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LNX.2.00.1307031330000.29884@forced.attrition.org> Date: Wed, 3 Jul 2013 13:33:53 -0500 (CDT) From: security curmudgeon <jericho@...rition.org> To: akshay.vaghela@...eroam.com cc: bugtraq@...urityfocus.com Subject: re: Real player resource exhaustion Vulnerability : Real player resource exhaustion Vulnerability : Real Networks Real Player is prone to Resource exhaustion vulnerability. : When processing specially crafted HTML file, Real Player uses a value : from the file to control a loop operation. Real player fails to validate : the value before using it, which leads to DoS / Crash. : 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:U/RC:C) You should probably re-read the CVSSv2 guide. A context-dependent DoS does not warrant C:C or I:C. AV:N/AC:M/Au:N/C:N/I:N/A:C <- at most, if you score based on the idea of an "IT asset" being software. The CVSSv2 specs are a bit inconsistent in wording, so some people use this as a guideline. AV:N/AC:M/Au:N/C:N/I:N/A:P <- if you score based on the strict intention of the CVSSv2 spec, where you score based on *system* impact. : 2013-00-00: Vendor Fix/Patch : 2013-06-04: Public Disclosure When was the fix released? Where was this disclosed on 2013-06-04, since you posted this to Bugtraq on 2013-07-02??
Powered by blists - more mailing lists