Re: libical 0.47 SEGV on unknown address

[Brandon Perry <bperry.volatile () gmail com>]

> On Jun 25, 2016, at 10:34 AM, Alan Coopersmith <alan.coopersmith () oracle com> wrote:
>
> On 06/24/16 06:54 AM, Brandon Perry wrote:
> > I am posting this to Full Disclosure/OSS instead of reporting it because I have
> > opened a handful of libical bugs in the Mozilla bug tracker, alerted
> > security () mozilla org <mailto:security () mozilla org>, and worked to show how and
> > where to reproduce the bugs in Thunderbird, but Mozilla hasn’t shown any care at
> > all about the bugs. Perhaps if I give a sample to the community of the bugs in
> > the bug reports, Mozilla will take the bug reports more seriously. This bug
> > attached had not been reported yet.
>
> Did you report them to libcial upstream?  http://libical.github.io/libical/ <http://libical.github.io/libical/>

I had initially asked for contact information regarding reporting potentially sensitive security test cases, but after 
a couple of days, I decided to look into another product that I figured would have more visibility and more power to 
get things fixed.

https://github.com/libical/libical/issues/235 <https://github.com/libical/libical/issues/235>
> > My roommate mentioned Thunderbird being a second-class citizen in the Mozilla
> > world, so if this is the case, this should be made explicit in regards to bug
> > bounty expectations.
>
> While Thunderbird is still a beloved child of Mozilla, it's been told it's time
> to move out of its parents house and find its own sources of income/support:
>
> https://groups.google.com/d/msg/mozilla.governance/kAyVlhfEcXg/Eqyx1X62BQAJ
> https://blog.mozilla.org/thunderbird/2015/12/thunderbird-active-daily-inquiries-surpass-10-million/
>
> --
>       -Alan Coopersmith-              alan.coopersmith () oracle com
>        Oracle Solaris Engineering - http://blogs.oracle.com/alanc

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail