Full Disclosure mailing list archives
RE: Mozilla Firefox "Host:" Buffer Overflow
From: Roberto Gomez Bolaños <wari00 () gmail com>
Date: Mon, 12 Sep 2005 20:03:16 -0300
Larry Seltzer wrote:
And how exactly do you propose to "leave out the details and PoC" when the
presence of the bug and the steps taken to fix it can not be concelaed from public view given that the source code and the entire CVS entries are freely available for anyone to browse?
You really don't think it woudl slow them down?
who is "them" ? And you want to slow "them" down from doing... what? Maybe it is not evident to you that a source code diff between vulnerable and non-vulnerable versions of a software package is enough information to figure out all the details needed to identify and trigger the bug and to write an exploit for it it. After all, you are not suppossed to know this right? You're the security center editor for eWeek not some hardcore software developer or security expert. Hell, not even a source code diff is necessary anymore, a binary patch is sufficient to identify the bug and develop an exploit for it. So there! Thats some newsworthy information for your prestigious magazine maybe you should seek clearance from your sponsors to write about it. It will sell a bunch more copies. Trust me! THIS IS HOT NEWS Meanwhile, I am still waiting for your proposal for a way to leave out details and PoC for vulnerabilities found in open source projects.
The proposal for obscurity serves well closed-source innitiatives and
development processes that have limited or no public visibility but it fails in the presence of OSS. The "responsible disclosure" advocates act as if Linux,*BSD,Mozilla and a zillion other open source projects did not exist in reality.
The Mozilla team obviously disagrees with you, since they do try to hide unresolved security problems, at least until (as in this case) the beans get spilled in some other way.
Hmm may be... but then again how is that different from MSRC then? In any case, I can not say how the Mozilla or other OSS development teams work and if they do try to hide security vulnerabilities or not but what I can do is browse their CVS tree and bug tracking system: https://bugzilla.mozilla.org/show_bug.cgi?id=307259 So what I read in the publicly available bug entry above does not support your theory, perhaps you have some secret 3l337 knowledge about how the team really works WRT security flaws that you want to share with the list? uhm no wait I forgot... not talking about this will slow THEM down
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Mozilla Firefox "Host:" Buffer Overflow, (continued)
- Re: Mozilla Firefox "Host:" Buffer Overflow Andrew R. Reiter (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow Jerome Athias (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow milw0rm Inc. (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow ipatches (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow Adam Polkosnik (Sep 09)
- RE: Mozilla Firefox "Host:" Buffer Overflow Larry Seltzer (Sep 09)
- RE: Mozilla Firefox "Host:" Buffer Overflow Larry Seltzer (Sep 09)
- RE: Mozilla Firefox "Host:" Buffer Overflow Todd Towles (Sep 09)
- RE: Mozilla Firefox "Host:" Buffer Overflow Roberto Gomez Bolaños (Sep 10)
- RE: Mozilla Firefox "Host:" Buffer Overflow Larry Seltzer (Sep 10)
- RE: Mozilla Firefox "Host:" Buffer Overflow Roberto Gomez Bolaños (Sep 12)