Date:      04 May 2002 12:32:44 -0400
From:      Joe Marcus Clarke <marcus@FreeBSD.org>
To:        Eric Brunner-Williams in Portland Maine <brunner@nic-naa.net>
Cc:        darin@netscape.com, harishd@netscape.com, Martin Blapp <mbr@FreeBSD.org>, cvs-committers@FreeBSD.org, security-officer@FreeBSD.org, gnome@FreeBSD.org
Subject:   Re: cvs commit: ports/www/mozilla Makefile
Message-ID:  <1020529964.295.7.camel@gyros.marcuscom.com>
In-Reply-To: <200205041218.g44CIbkx007470@nic-naa.net>
References:  <200205041218.g44CIbkx007470@nic-naa.net>

On Sat, 2002-05-04 at 08:18, Eric Brunner-Williams in Portland Maine
wrote:
> [cvs-all un-cc'd, darin@netscape.com, harishd@netscape.com cc'd.]
> 
> > Speak of the devil ;-).  I think this patch corrects not only the
> > security hole, but also the resulting seg fault from the initial patch. 
> > Please test if you can, and let me know.  It worked for me.
> > 
> > Joe
> 
> Bonsai shows that:
> 	the change to uriloader/base/nsDocLoader.cpp == 3.252.
> 	(Apr 30, fixes bug 141061
> 	 XMLHttpRequest allows reading of local files)
> 	the change to netwerk/protocol/http/src/Makefile == 1.57
> 	(also 141061)
> 	the change to netwerk/protocol/http/src/nsHttpChannel.cpp == 1.115
> 	(also 141061)
> 
> but
> 	the change to htmlparser/src/CNavDTD.cpp == 3.384
> 	(Apr 16, fixes bug 137644
> 	 crash when XMLHttpRequest tries to load HTML)
> 
> Now I wouldn't have noticed either yesterday, as I work off of cvs from
> cvs.mozilla.org, not the tarball in the ports collection. Besides, I live
> in Maine and have fewer neurons than a lobster.
> 
> Why was a delta made more than two weeks ago (CNavDTD.cpp, the possible
> culprit in one reported crash), to the seamonkey cvs tree, made out-of-band
> (from the ports/www/mozilla tarball fetch) in mail today?
> 
> Why are we (freebsd) marking ports/www/mozilla/Makefile FORBIDDEN on 3 May,
> not to mention tracking by the greymagic URL, not a mozilla bugid, when a
> fix for the bug was committed (verified fixed) on 30 April?

Well, according to greymagic, Mozilla/Netscape never responded to the
initial vulnerability warning.  They waited six days, and then went
public.  Honestly, I missed the initial warning.  Martin reported it to
me, and I got busy, so he marked the port FORBIDDEN.  After pasting some
things together from Bugzilla, I found a patch that fixed the bug in
1.0.rc1, and didn't result in a crash.  I'm just trying to get the port
buildable and reasonably secure before ports freeze.

Joe

> 
> I probably need a cup of coffee, but I'm surprised by the disconnect(s),
> both of them.
> 
> Well, off to the races, -STABLE, w/SMP, cvsup'd yesterday, mozilla cvs'd
> this morning ...
> # uname -a
> FreeBSD nic-naa.net 4.6-PRERELEASE FreeBSD 4.6-PRERELEASE #1: Sat May  4 06:42:26 EDT 2002     brunner@nic-naa.net:/usr/obj/config/ABENAKI-SMP  i386
> 
> Eric
> 
