From owner-freebsd-security@FreeBSD.ORG  Thu Aug 22 11:43:28 2013
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 17924EF2
 for <freebsd-security@freebsd.org>; Thu, 22 Aug 2013 11:43:28 +0000 (UTC)
 (envelope-from des@des.no)
Received: from smtp.des.no (smtp.des.no [194.63.250.102])
 by mx1.freebsd.org (Postfix) with ESMTP id CE4AE2589
 for <freebsd-security@freebsd.org>; Thu, 22 Aug 2013 11:43:27 +0000 (UTC)
Received: from nine.des.no (smtp.des.no [194.63.250.102])
 by smtp-int.des.no (Postfix) with ESMTP id AC93B40D2;
 Thu, 22 Aug 2013 11:43:26 +0000 (UTC)
Received: by nine.des.no (Postfix, from userid 1001)
 id 3CEC52FBBC; Thu, 22 Aug 2013 13:42:49 +0200 (CEST)
From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Huzaifa Sidhpurwala <huzaifas@redhat.com>
Subject: Re: [oss-security] FreeBSD Security Advisory FreeBSD-SA-13:10.sctp
References: <201308220115.r7M1Fea3001317@freefall.freebsd.org>
 <86txiighrr.fsf@nine.des.no> <5215EC4F.1090405@redhat.com>
Date: Thu, 22 Aug 2013 13:42:48 +0200
In-Reply-To: <5215EC4F.1090405@redhat.com> (Huzaifa Sidhpurwala's message of
 "Thu, 22 Aug 2013 16:17:43 +0530")
Message-ID: <86ppt6gddz.fsf@nine.des.no>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Cc: oss-security@lists.openwall.com, freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Aug 2013 11:43:28 -0000

Huzaifa Sidhpurwala <huzaifas@redhat.com> writes:
> Dag-Erling Sm=C3=B8rgrav <des@des.no> writes:
> > This also affects third-party software (Firefox, at the very least)
> > that incorporates FreeBSD's SCTP implementation.
> Are you sure about this?

Allow me to amend my statement: this *may* also affect third-party
software that incorporates our SCTP implementation, including Mozilla
Firefox and Google Chrome.  I can neither confirm nor deny that they are
actually vulnerable; all I can say is that a) I have it on good
authority that they use the same code (JFGI!) and b) they were notified
in advance.

DES
--=20
Dag-Erling Sm=C3=B8rgrav - des@des.no