oss-sec mailing list archives

Re: CVE Request [two ids] -- cabextract -- 1, Infinite loop in MS-ZIP and Quantum decoders (minor) 2, Integer wrap-around (crash) by processing certain *.cab files in test archive mode


From: Josh Bressers <bressers () redhat com>
Date: Mon, 2 Aug 2010 18:32:14 -0400 (EDT)


----- "Dan Rosenberg" <dan.j.rosenberg () gmail com> wrote:

> This seems to be a bit of a slippery slope.  While I have no problem
> with these particular issues being assigned CVEs, since they were
> treated as security issues, fixed, and caused unintended application
> behavior, I have to wonder if maybe it's a bad idea to give CVEs for
> crashes of this variety.  Denial-of-service issues are tricky.  In my
> opinion, the following types of DoS bugs are security relevant:


I agree with you on this. I gave it an ID, as I'm going to presume that the
cabextract application is likely used in things like virus and mail
scanners, where we don't want a crashing application.

One of the unfortunate aspects of assigning a large number of CVE ids, is
sometimes I have to assume things, as I lack the time to properly
understand what's going on for everything. I figure it's easier to dispute
an ID than end up in the situation where a scary exploit vector is found
later. You are welcome to, and should, dispute this if you think I'm
mistaken.

I would have likely turned down such a request for say an image viewer.

Thanks for the followup though, it's nice to know someone is watching us
watchers ;)

-- 
    JB
