Date: 17 Mar 2003 16:30:48 -0500 From: Joe Marcus Clarke <marcus@marcuscom.com> To: Andrew Houghton <aah@acm.org> Cc: FreeBSD GNOME Users <gnome@freebsd.org> Subject: Re: mozilla w/ chatzilla really a problem? Message-ID: <1047936648.375.55.camel@gyros> In-Reply-To: <3E763F25.8080905@acm.org> References: <3E763F25.8080905@acm.org>
next in thread | previous in thread | raw e-mail | index | archive | help
--=-rmQCczx5fPVyhKRhjUhf Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Mon, 2003-03-17 at 16:33, Andrew Houghton wrote: > Not sure if a previous message got through, so I'm re-sending: It got through. I can re-enable ChatZilla support in 1.3. I haven't followed up to see if the security hole was still an issue, and so far, no one has asked. Joe >=20 > ----- >=20 > All the mozilla ports contain this little gem: >=20 > WITHOUT_CHATZILLA=3D "Contains a buffer overflow reported at > http://online.securityfocus.com/archive/1/270249" >=20 > Reading that page, and following up in bugzilla, I'm left wondering why > chatzilla isn't built by default. Everything in bugzilla on this > subject seems to come down to bug 94448 > (http://bugzilla.mozilla.org/show_bug.cgi?id=3D94448) though the bugs tha= t > are directly applicable to this issue are 141375 and 141692 > (http://bugzilla.mozilla.org/show_bug.cgi?id=3D141375 and > http://bugzilla.mozilla.org/show_bug.cgi?id=3D141692). >=20 > From my reading of these, there don't appear to be any exploits. There > also doesn't appear to be a problem directly relatable to chatzilla - I > tried the local file exploits, and they don't appear to work. I haven't > verified the issue with chatzilla not accepting hugely long input > strings, though it does crash on my Redhat 8.0 box. For that matter, I > can bring mozilla down by just pasting 10000 '.' characters into the > location text box on Redhat 8.0, too, but it doesn't exhibit the same > behavior on FreeBSD 5.0-p4. >=20 > So -- what's the right answer here? First, does anyone believe that > using chatzilla exposes me to known security issues? Second, what would > need to happen to get this warning removed from the ports? >=20 > - a. >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-gnome" in the body of the message --=20 PGP Key : http://www.marcuscom.com/pgp.asc --=-rmQCczx5fPVyhKRhjUhf Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQA+dj6Ib2iPiv4Uz4cRAs01AJ9qgktEp2PzPnNqA1kaZktyP6ucggCfQti8 kUXxBc7zDseNXYFWRuBoirc= =yIgC -----END PGP SIGNATURE----- --=-rmQCczx5fPVyhKRhjUhf-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-gnome" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1047936648.375.55.camel>