Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 26 Nov 2016 17:47:59 -0500
From: <cve-assign@...re.org>
To: <gustavo.grieco@...il.com>
CC: <cve-assign@...re.org>, <oss-security@...ts.openwall.com>
Subject: Re: CVE request: DoS loading a SVG in Firefox

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> cause Firefox to consume all your memory. Once you click, you
> cannot stop the memory constant memory leak. It can take a few minutes
> (we tested in a desktop computer with 16GB). At the end, Firefox will
> abort or it will be terminated by the OS.

> This issue was recently minimized and isolated to the circular use of
> xlink:hrefs:
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=1297206#c5
> 
> Is a CVE suitable for this DoS?

At present, it is not. The MITRE CVE team relies on Mozilla to assign
CVE IDs for Firefox, on the basis of Mozilla's knowledge about their
customers' needs for tracking bugs. This does not mean that Mozilla
can have any arbitrary policy about what bugs are suitable for CVEs;
however, we want to defer to them to the greatest reasonable extent.
For example, there is a vast amount of public information about parts
of the Firefox code that are associated with crashes, e.g., see

  https://crash-stats.mozilla.com/topcrashers/?product=Firefox&version=50.0&_facets_size=300

where someone could conceivably request thousands of CVE IDs.

In this specific xlink:href situation, apparently it is known that the
process termination is solely the result of excessive memory
consumption. From Mozilla's perspective, visiting any untrusted URL
(such as a URL with an SVG document) has an expected outcome (or
"impact") that Firefox MIGHT attempt to use an extremely large amount
of memory. They are not tracking these cases with CVE IDs, and it
seems reasonable that they would not want to. For Firefox, their
customers expect to have CVE IDs that correspond to Mozilla Foundation
Security Advisory documents. A general-purpose web browser has a huge
attack surface, and (compared to other products) may have a different
decision point about what behavior is within the range of expected
impacts, versus what behavior is a vulnerability.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIbBAEBCAAGBQJYOg/aAAoJEHb/MwWLVhi22MoP92yMH3wBweWZf+Wem3KJuw1h
2IFhNnwwjmZci4TSNFA+OqBoOKBzc5bdyUT+SdxV9va6Bo559UphPtx6wdWpho79
cSyvtEnzNdvZS7N+fL+HY1cjHco8lk7LHCqjGIiSCkwIPpciEfG7gyIqgr12bq+A
ONTDliKkZXJNxY7uYgUvf673Lm45VhTGRxdSWUUsdGa3n+NhO7IfZom1Pd/UdOGQ
Lc/Ds8sY2jLGUT0qHO23KE80XBELhn/iUc5/xJATZh2VrmkFZtm2xWudEnrmi+fU
k3fOU8MCeCFKySSMp4VhAyAg1/2AexxXSKxPkyms7nnr38tiRBeTSz7KX5Vzz1iV
9pfiOfNSmx22ZmnZTq8Ei6R5WxVtpZasBD+VyqtP4gUeP56h7DxVpmYEpjTcFKNm
oiYkh7mXn1jDw52n6FsCMPC19UmsUiVkpzSZoVjOH7ul/KbInn8HMJe6miB/3EWR
iWwB/X9w2ZaOMrbfvkW0a+EYAZ8IpDKTRU/j9E7SA0ME9sfdJ2ocaYBbYLxivoTP
0IiK2OuRltf4Wmwxadn29FAdecxqm0BXxcPInaGuvgLa8VNlevv4Ib3h75UcuKws
vtMlbK5vF0oJl3aWG5XmkUEh01N7JrqAwjxi1J0L29MymKS6zg/u2MG5EgLOhL1D
VLnRzNDzJWpCh4aX0NU=
=IKs3
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ