From owner-freebsd-gnome Mon Mar 17 13:28:35 2003 Delivered-To: freebsd-gnome@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C458737B401 for ; Mon, 17 Mar 2003 13:28:33 -0800 (PST) Received: from mail.impactonline.org (mail.impactonline.org [192.220.110.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 640BE43F3F for ; Mon, 17 Mar 2003 13:28:33 -0800 (PST) (envelope-from aah@acm.org) Received: from acm.org (ip-64-139-6-196.dsl.sca.megapath.net [64.139.6.196]) by mail.impactonline.org (8.12.6) id h2HLSWDK062316 for ; Mon, 17 Mar 2003 14:28:32 -0700 (MST) Message-ID: <3E763F25.8080905@acm.org> Date: Mon, 17 Mar 2003 13:33:25 -0800 From: Andrew Houghton User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030211 X-Accept-Language: en-us, en MIME-Version: 1.0 To: gnome@freebsd.org Subject: mozilla w/ chatzilla really a problem? Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-gnome@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Not sure if a previous message got through, so I'm re-sending: ----- All the mozilla ports contain this little gem: WITHOUT_CHATZILLA= "Contains a buffer overflow reported at http://online.securityfocus.com/archive/1/270249" Reading that page, and following up in bugzilla, I'm left wondering why chatzilla isn't built by default. Everything in bugzilla on this subject seems to come down to bug 94448 (http://bugzilla.mozilla.org/show_bug.cgi?id=94448) though the bugs that are directly applicable to this issue are 141375 and 141692 (http://bugzilla.mozilla.org/show_bug.cgi?id=141375 and http://bugzilla.mozilla.org/show_bug.cgi?id=141692). From my reading of these, there don't appear to be any exploits. There also doesn't appear to be a problem directly relatable to chatzilla - I tried the local file exploits, and they don't appear to work. I haven't verified the issue with chatzilla not accepting hugely long input strings, though it does crash on my Redhat 8.0 box. For that matter, I can bring mozilla down by just pasting 10000 '.' characters into the location text box on Redhat 8.0, too, but it doesn't exhibit the same behavior on FreeBSD 5.0-p4. So -- what's the right answer here? First, does anyone believe that using chatzilla exposes me to known security issues? Second, what would need to happen to get this warning removed from the ports? - a. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-gnome" in the body of the message