[<prev] [next>] [<thread-prev] [month] [year] [list]
Date: Sat, 23 Aug 2008 18:21:57 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: swfdec 0.6.8 stable update
Hi Marcus,
* Marcus Meissner <meissner@...e.de> [2008-08-23 18:05]:
> On Tue, Aug 19, 2008 at 06:22:57PM +0200, Nico Golde wrote:
> > * Marcus Meissner <meissner@...e.de> [2008-08-19 16:48]:
> > > Wonder if we should track updates for swfdec. The 0.6.8 announcement
> > > looks like it at least fixes several Denial of Service problems:
> > [...]
> > I have problems to understand why this would be a Denial of
> > Service. While I don't share the opinion about browser
> > crashes I think there are at least good arguments for both
> > sides.
>
> If it can be triggered by a SWF on the website, I would perhaps
> call it a security issue.
>
> If it crashes the SWF mozilla plugin and so the browser, it is
> a denial of service in my eyes.
I'm not sure how firefox handles this, at least opera does
not crash if the flash plugin crashes.
> More importantly if code execution is possible.
That should be self-evident.
[...]
> > It would be interesting what is causing this crash and if
> > there is underlying a more serious issue.
>
> Not really investigated and no time :/ Since swfdec is beta and not yet
> wildy iin use we could let it rest.
Yeah same here, maybe we can get comments about this by the
upstream people.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux