Full Disclosure mailing list archives

RE: Mozilla Firefox "Host:" Buffer Overflow


From: Roberto Gomez Bolaños <wari00 () gmail com>
Date: Fri, 9 Sep 2005 19:36:01 -0300

And how exactly do you propose to "leave out the details and PoC" when
the presence of the bug and the steps taken to fix it cannot be
concealed from public view given that the source code and the entire
CVS entries are freely available for anyone to browse?

Mozilla users are getting the consideration they deserve. They deserve
to know what code they are running whenever they feel like doing so and
to know what the Mozilla team is doing with the code. That's probably
one of the reasons why they run Firefox in the first place (but not
necessarily the only or most important one).

The proposal for obscurity serves well closed-source initiatives and
development processes that have limited or no public visibility, but it
fails in the presence of OSS. The "responsible disclosure" advocates
act as if Linux, *BSD, Mozilla and a zillion other open source projects
did not exist in reality.

Perhaps what was needed was to report the IE and SP2 vulnerabilities
in a similar fashion and not the opposite, but alas the reporter
probably did not want the MSRC meat-grinding PR machinery going after
him.

----
Two interesting points: 

1) It took several minutes and more browsing elsewhere (in Bugzilla) before
my browser blew up after testing the POC.

2) When you reported a "Windows XP SP2 IE 6.0 Vulnerability"
(http://security-protocols.com/modules.php?name=News&file=article&sid=2891)
and a "Windows XP SP2 Remote Kernel DoS"
(http://security-protocols.com/modules.php?name=News&file=article&sid=2783)
you left the details of the bug and the POC out. Personally, I generally
approve of that, but why don't Mozilla users deserve as much consideration?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/