Date:      Mon, 17 Mar 2003 13:33:25 -0800
From:      Andrew Houghton <aah@acm.org>
To:        gnome@freebsd.org
Subject:   mozilla w/ chatzilla really a problem?
Message-ID:  <3E763F25.8080905@acm.org>

Not sure if a previous message got through, so I'm re-sending:

-----

All the mozilla ports contain this little gem:

WITHOUT_CHATZILLA=      "Contains a buffer overflow reported at
http://online.securityfocus.com/archive/1/270249"

Reading that page, and following up in bugzilla, I'm left wondering why
chatzilla isn't built by default.  Everything in bugzilla on this
subject seems to come down to bug 94448
(http://bugzilla.mozilla.org/show_bug.cgi?id=94448) though the bugs that
are directly applicable to this issue are 141375 and 141692
(http://bugzilla.mozilla.org/show_bug.cgi?id=141375 and
http://bugzilla.mozilla.org/show_bug.cgi?id=141692).

From my reading of these, there don't appear to be any exploits.  There
also doesn't appear to be a problem directly relatable to chatzilla - I
tried the local file exploits, and they don't appear to work.  I haven't
verified the issue with chatzilla not accepting hugely long input
strings, though it does crash on my Redhat 8.0 box.  For that matter, I
can bring mozilla down by just pasting 10000 '.' characters into the
location text box on Redhat 8.0, too, but it doesn't exhibit the same
behavior on FreeBSD 5.0-p4.

So -- what's the right answer here?  First, does anyone believe that
using chatzilla exposes me to known security issues?  Second, what would
need to happen to get this warning removed from the ports?

- a.









