From: Joe Marcus Clarke
To: Eric Brunner-Williams in Portland Maine
Cc: darin@netscape.com, harishd@netscape.com, Martin Blapp, cvs-committers@FreeBSD.org, security-officer@FreeBSD.org, gnome@FreeBSD.org
Subject: Re: cvs commit: ports/www/mozilla Makefile
Date: 04 May 2002 12:32:44 -0400
Message-Id: <1020529964.295.7.camel@gyros.marcuscom.com>
In-Reply-To: <200205041218.g44CIbkx007470@nic-naa.net>

On Sat, 2002-05-04 at 08:18, Eric Brunner-Williams in Portland Maine wrote:
> [cvs-all un-cc'd, darin@netscape.com, harishd@netscape.com cc'd.]
>
> > Speak of the devil ;-). I think this patch corrects not only the
> > security hole, but also the resulting seg fault from the initial patch.
> > Please test if you can, and let me know. It worked for me.
> >
> > Joe
>
> Bonsai shows that:
>     the change to uriloader/base/nsDocLoader.cpp == 3.252.
>         (Apr 30, fixes bug 141061
>          XMLHttpRequest allows reading of local files)
>     the change to netwerk/protocol/http/src/Makefile == 1.57
>         (also 141061)
>     the change to netwerk/protocol/http/src/nsHttpChannel.cpp == 1.115
>         (also 141061)
>
> but
>     the change to htmlparser/src/CNavDTD.cpp == 3.384
>         (Apr 16, fixes bug 137644
>          crash when XMLHttpRequest tries to load HTML)
>
> Now I wouldn't have noticed either yesterday, as I work off of cvs from
> cvs.mozilla.org, not the tarball in the ports collection. Besides, I live
> in Maine and have fewer neurons than a lobster.
>
> Why was a delta made more than two weeks ago (CNavDTD.cpp, the possible
> culprit in one reported crash), to the seamonkey cvs tree, made out-of-band
> (from the ports/www/mozilla tarball fetch) in mail today?
>
> Why are we (freebsd) marking ports/www/mozilla/Makefile FORBIDDEN on 3 May,
> not to mention tracking by the greymagic URL, not a mozilla bugid, when a
> fix for the bug was committed (verified fixed) on 30 April?

Well, according to greymagic, Mozilla/Netscape never responded to the
initial vulnerability warning. They waited six days, and then went
public. Honestly, I missed the initial warning. Martin reported it to
me, and I got busy, so he marked the port FORBIDDEN. After pasting some
things together from Bugzilla, I found a patch that fixed the bug in
1.0.rc1, and didn't result in a crash. I'm just trying to get the port
buildable and reasonably secure before ports freeze.

Joe

>
> I probably need a cup of coffee, but I'm surprised by the disconnect(s),
> both of them.
>
> Well, off to the races, -STABLE, w/SMP, cvsup'd yesterday, mozilla cvs'd
> this morning ...
> # uname -a
> FreeBSD nic-naa.net 4.6-PRERELEASE FreeBSD 4.6-PRERELEASE #1: Sat May 4 06:42:26 EDT 2002 brunner@nic-naa.net:/usr/obj/config/ABENAKI-SMP i386
>
> Eric