Hi Mike,

* Mike Hommey <[EMAIL PROTECTED]> [2008-07-16 17:00]:
> On Wed, Jul 16, 2008 at 04:14:48PM +0200, Nico Golde <[EMAIL PROTECTED]>
> wrote:
> > note that CVE-2008-2785 has been fixed with the 3.0.1-1
> > upload referring to the upstream security advisory on
> > http://www.mozilla.org/security/announce/2008/mfsa2008-34.html
>
> Note that 3.0.1-1 was uploaded before the upstream security advisory
> was released, so it doesn't refer to the MFSA or CVE numbers.

Yes sure.

> Also note that technically, these bugs affect the xulrunner-1.9 package,
> not the iceweasel package. But iceweasel 3.0.1-1 depending on xulrunner-1.9
> >> 1.9~rc2-5, and 1.9.0.1-1 being next after 1.9~rc2-5, this is roughly the
> same (except for epiphany and friends, but the BTS is surely not the
> best place to keep proper security fix versioning, security-tracker should
> be)

Ok thanks, added xulrunner 1.9.0.1-1 to the list of fixed packages at the
security-tracker.

> > Unfortunately it is not yet clear whether CVE-2008-2786 is
> > the same issue or not.
>
> There are two fixes in the diff between 3.0 and 3.0.1 that look like
> overflow fixing, and that are very similar:
> one in layout/style/nsCSSValue.h and one in
> rdf/base/src/nsInMemoryDataSource.cpp.
>
> Maybe each CVE refers to each of these.
>
> There is also a crash bug that is fixed, but MFSA-2008-24 explicitly
> talks about CVE-2008-2785, so this leaves only CVE-2008-2786 as unexplained,
> and CVE-2008-2786 is about a buffer overflow, which is not what the fixed
> crash seems to lead to, I'd say. This crash is:
> https://bugzilla.mozilla.org/show_bug.cgi?id=440473
>
> Note that if that were really CVE-2008-2786, it would not be a public bug.
>
> So it looks pretty much like both are fixed. If you don't agree, feel
> free to reopen.

I reopen this bug for now as there is no clear evidence about what
CVE-2008-2786 is as long as the researcher who posted the hashes on
full-disclosure comes up with the details. I'm not even sure if he informed
the mozilla people about the vulnerability.

I suggest cloning this bug, assigning one to CVE-2008-2786 and one to
CVE-2008-2785, closing the latter one and tagging the first one with moreinfo.

What do you think?

Kind regards
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.