Date: Sat, 26 Nov 2016 17:47:59 -0500
From: <>
To: <>
CC: <>, <>
Subject: Re: CVE request: DoS loading a SVG in Firefox


> cause Firefox to consume all your memory. Once you click, you
> cannot stop the memory constant memory leak. It can take a few minutes
> (we tested in a desktop computer with 16GB). At the end, Firefox will
> abort or it will be terminated by the OS.

> This issue was recently minimized and isolated to the circular use of
> xlink:hrefs:
> Is a CVE suitable for this DoS?

At present, it is not. The MITRE CVE team relies on Mozilla to assign
CVE IDs for Firefox, on the basis of Mozilla's knowledge about their
customers' needs for tracking bugs. This does not mean that Mozilla
can have any arbitrary policy about what bugs are suitable for CVEs;
however, we want to defer to them to the greatest reasonable extent.
For example, there is a vast amount of public information about parts
of the Firefox code that are associated with crashes, e.g., see

where someone could conceivably request thousands of CVE IDs.

In this specific xlink:href situation, apparently it is known that the
process termination is solely the result of excessive memory
consumption. From Mozilla's perspective, visiting any untrusted URL
(such as a URL with an SVG document) has an expected outcome (or
"impact") that Firefox MIGHT attempt to use an extremely large amount
of memory. They are not tracking these cases with CVE IDs, and it
seems reasonable that they would not want to. For Firefox, their
customers expect to have CVE IDs that correspond to Mozilla Foundation
Security Advisory documents. A general-purpose web browser has a huge
attack surface, and (compared to other products) may have a different
decision point about what behavior is within the range of expected
impacts, versus what behavior is a vulnerability.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at ]