[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Current standards/criteria for 'Undefined Behavior'



Brian,

We are not entirely sure what you mean by "undefined behavior."  Are 
you talking about the CVE entries that specifically say "undefined 
behavior," such as CVE-2017-8326 and CVE-2017-7961?

Thanks,
Jonathan 

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
jericho
Sent: Tuesday, May 02, 2017 1:26 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Current standards/criteria for 'Undefined Behavior'
Importance: High

MITRE,

Can you outline the current standards, criteria, or guidelines you use 
for assigning an ID to an issue that is simply 'undefined behavior' 
with no indication of exploitability or crossing privilege boundaries? 
We're seeing these a bit more frequently lately and they often appear 
to get an ID without any examination by the researcher or MITRE. In 
many cases, subsequent analysis determines these are non-issues and are 
not exploitable.

Thanks,

Brian


Page Last Updated or Reviewed: May 09, 2017