From owner-freebsd-gnome Mon Mar 17 13:31: 3 2003 Delivered-To: freebsd-gnome@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F2A437B401 for ; Mon, 17 Mar 2003 13:31:01 -0800 (PST) Received: from creme-brulee.marcuscom.com (rdu57-17-158.nc.rr.com [66.57.17.158]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3415443F75 for ; Mon, 17 Mar 2003 13:31:00 -0800 (PST) (envelope-from marcus@marcuscom.com) Received: from [10.2.1.4] (vpn-client-4.marcuscom.com [10.2.1.4]) by creme-brulee.marcuscom.com (8.12.8/8.12.8) with ESMTP id h2HLTlrI006032; Mon, 17 Mar 2003 16:29:48 -0500 (EST) (envelope-from marcus@marcuscom.com) Subject: Re: mozilla w/ chatzilla really a problem? From: Joe Marcus Clarke To: Andrew Houghton Cc: FreeBSD GNOME Users In-Reply-To: <3E763F25.8080905@acm.org> References: <3E763F25.8080905@acm.org> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-rmQCczx5fPVyhKRhjUhf" Organization: MarcusCom, Inc. Message-Id: <1047936648.375.55.camel@gyros> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.2.2 Date: 17 Mar 2003 16:30:48 -0500 X-Spam-Status: No, hits=-39.2 required=5.0 tests=BAYES_00,EMAIL_ATTRIBUTION,IN_REP_TO,PGP_SIGNATURE_2, QUOTED_EMAIL_TEXT,QUOTE_TWICE_1,REFERENCES, REPLY_WITH_QUOTES autolearn=ham version=2.50 X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) Sender: owner-freebsd-gnome@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --=-rmQCczx5fPVyhKRhjUhf Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Mon, 2003-03-17 at 16:33, Andrew Houghton wrote: > Not sure if a previous message got through, so I'm re-sending: It got through. I can re-enable ChatZilla support in 1.3. I haven't followed up to see if the security hole was still an issue, and so far, no one has asked. Joe >=20 > ----- >=20 > All the mozilla ports contain this little gem: >=20 > WITHOUT_CHATZILLA=3D "Contains a buffer overflow reported at > http://online.securityfocus.com/archive/1/270249" >=20 > Reading that page, and following up in bugzilla, I'm left wondering why > chatzilla isn't built by default. Everything in bugzilla on this > subject seems to come down to bug 94448 > (http://bugzilla.mozilla.org/show_bug.cgi?id=3D94448) though the bugs tha= t > are directly applicable to this issue are 141375 and 141692 > (http://bugzilla.mozilla.org/show_bug.cgi?id=3D141375 and > http://bugzilla.mozilla.org/show_bug.cgi?id=3D141692). >=20 > From my reading of these, there don't appear to be any exploits. There > also doesn't appear to be a problem directly relatable to chatzilla - I > tried the local file exploits, and they don't appear to work. I haven't > verified the issue with chatzilla not accepting hugely long input > strings, though it does crash on my Redhat 8.0 box. For that matter, I > can bring mozilla down by just pasting 10000 '.' characters into the > location text box on Redhat 8.0, too, but it doesn't exhibit the same > behavior on FreeBSD 5.0-p4. >=20 > So -- what's the right answer here? First, does anyone believe that > using chatzilla exposes me to known security issues? Second, what would > need to happen to get this warning removed from the ports? >=20 > - a. >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-gnome" in the body of the message --=20 PGP Key : http://www.marcuscom.com/pgp.asc --=-rmQCczx5fPVyhKRhjUhf Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQA+dj6Ib2iPiv4Uz4cRAs01AJ9qgktEp2PzPnNqA1kaZktyP6ucggCfQti8 kUXxBc7zDseNXYFWRuBoirc= =yIgC -----END PGP SIGNATURE----- --=-rmQCczx5fPVyhKRhjUhf-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-gnome" in the body of the message