oss-sec mailing list archives
regarding CVE-2008-4382 & CVE-2008-4381
From: Nico Golde <nico () ngolde de>
Date: Fri, 3 Oct 2008 19:50:00 +0200
Hi, I just had a look at CVE-2008-4382 which is the same issue as CVE-2008-4381 but just for conqueror should not get its own CVE id in my opinion. We at Debian don't handle browser issues like this as security issues anyway but in this case looking at the PoC this would work in every browser supporting JavaScript as this is just a trivial memory consumption issue by passing a very large string too the alert function and thus eating memory, a simple while(true){} would be equally effective for eating cpu cycles which I wouldn't consider as a vulnerability either... I verified this at least with firefox and opera. Cheers Nico -- Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF For security reasons, all text in this mail is double-rot13 encrypted.
Attachment:
_bin
Description:
Current thread:
- regarding CVE-2008-4382 & CVE-2008-4381 Nico Golde (Oct 03)
- Re: regarding CVE-2008-4382 & CVE-2008-4381 Steven M. Christey (Oct 03)
- Re: regarding CVE-2008-4382 & CVE-2008-4381 Nico Golde (Oct 03)
- Re: regarding CVE-2008-4382 & CVE-2008-4381 Steven M. Christey (Oct 03)
- Re: regarding CVE-2008-4382 & CVE-2008-4381 Steven M. Christey (Oct 03)