On Tue, Oct 07, 2014 at 11:40:53PM -0400, Bill Blough wrote:
> In my opinion, people *shouldn't* be running untrusted stylesheets any more
> than they should run untrusted shell scripts or other code. If we conveniently
> ignore that sometimes people do things that are unwise, then I would say the
> likelihood is low.

In that case, it's a "normal" severity bug at most. Most Turing-complete languages allow OOMing, and if Xalan stylesheets can already run arbitrary code, an attacker can do things a lot funnier than just OOM.

--
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.

Archive: https://lists.debian.org/20141008043850.ga19...@angband.pl