[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Current standards/criteria for 'Undefined Behavior'
- To: jericho <jericho@attrition.org>
- Subject: RE: Current standards/criteria for 'Undefined Behavior'
- From: "Evans, Jonathan L." <jevans@mitre.org>
- Date: Wed, 3 May 2017 15:03:57 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;
- Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Wed May 3 12:37:37 2017
- In-reply-to: <alpine.LNX.2.00.1705021224040.32256@forced.attrition.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <alpine.LNX.2.00.1705021224040.32256@forced.attrition.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- Thread-index: AQHSw2o6IiBog00vL0+oY5ZSUnuZFKHitazw
- Thread-topic: Current standards/criteria for 'Undefined Behavior'
Brian, We are not entirely sure what you mean by "undefined behavior." Are you talking about the CVE entries that specifically say "undefined behavior," such as CVE-2017-8326 and CVE-2017-7961? Thanks, Jonathan -----Original Message----- From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho Sent: Tuesday, May 02, 2017 1:26 PM To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org> Subject: Current standards/criteria for 'Undefined Behavior' Importance: High MITRE, Can you outline the current standards, criteria, or guidelines you use for assigning an ID to an issue that is simply 'undefined behavior' with no indication of exploitability or crossing privilege boundaries? We're seeing these a bit more frequently lately and they often appear to get an ID without any examination by the researcher or MITRE. In many cases, subsequent analysis determines these are non-issues and are not exploitable. Thanks, Brian
- Follow-Ups:
- RE: Current standards/criteria for 'Undefined Behavior'
- From: jericho <jericho@attrition.org>
- RE: Current standards/criteria for 'Undefined Behavior'
- References:
- Current standards/criteria for 'Undefined Behavior'
- From: jericho <jericho@attrition.org>
- Current standards/criteria for 'Undefined Behavior'
- Prev by Date: Agenda for CVE Board Meeting May 3
- Next by Date: Current and future CVE states
- Previous by thread: Current standards/criteria for 'Undefined Behavior'
- Next by thread: RE: Current standards/criteria for 'Undefined Behavior'
- Index(es):
