From: Andrew Houghton
Date: Fri, 14 Mar 2003 20:25:07 -0800
To: gnome@freebsd.org
Subject: mozilla w/ chatzilla really a problem?
Message-ID: <3E72AB23.1040700@volunteermatch.org>

All the mozilla ports contain this little gem:

    WITHOUT_CHATZILLA= "Contains a buffer overflow reported at http://online.securityfocus.com/archive/1/270249"

Reading that page, and following up in bugzilla, I'm left wondering why chatzilla isn't built by default.

Everything in bugzilla on this subject seems to come down to bug 94448 (http://bugzilla.mozilla.org/show_bug.cgi?id=94448) though the bugs that are directly applicable to this issue are 141375 and 141692 (http://bugzilla.mozilla.org/show_bug.cgi?id=141375 and http://bugzilla.mozilla.org/show_bug.cgi?id=141692).

From my reading of these, there don't appear to be any exploits. There also doesn't appear to be a problem directly relatable to chatzilla - I tried the local file exploits, and they don't appear to work. I haven't verified the issue with chatzilla not accepting hugely long input strings, though it does crash on my Redhat 8.0 box. For that matter, I can bring mozilla down by just pasting 10000 '.' characters into the location text box on Redhat 8.0, too, but it doesn't exhibit the same behavior on FreeBSD 5.0-p4.

So -- what's the right answer here? First, does anyone believe that using chatzilla exposes me to known security issues? Second, what would need to happen to get this warning removed from the ports?

- a.