Re: swfdec 0.6.8 stable update

[Nico Golde <oss-security+ml () ngolde de>]

Hi Marcus,
* Marcus Meissner <meissner () suse de> [2008-08-23 18:05]:
> On Tue, Aug 19, 2008 at 06:22:57PM +0200, Nico Golde wrote:
> > * Marcus Meissner <meissner () suse de> [2008-08-19 16:48]:
> > > Wonder if we should track updates for swfdec. The 0.6.8 announcement
> > > looks like it at least fixes several Denial of Service problems:
> > [...] 
> > I have problems to understand why this would be a Denial of 
> > Service. While I don't share the opinion about browser 
> > crashes I think there are at least good arguments for both 
> > sides.
>
> If it can be triggered by a SWF on the website, I would perhaps
> call it a security issue.
>
> If it crashes the SWF mozilla plugin and so the browser, it is
> a denial of service in my eyes.

I'm not sure how firefox handles this, at least opera does 
not crash if the flash plugin crashes.

> More importantly if code execution is possible.

That should be self-evident.

[...] 
> > It would be interesting what is causing this crash and if 
> > there is underlying a more serious issue.
>
> Not really investigated and no time :/ Since swfdec is beta and not yet
> wildy iin use we could let it rest.

Yeah same here, maybe we can get comments about this by the 
upstream people.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: