On Wed, Jul 16, 2008 at 05:22:59PM +0200, Nico Golde <[EMAIL PROTECTED]> wrote:
> Hi Mike,
> * Mike Hommey <[EMAIL PROTECTED]> [2008-07-16 17:00]:
> > On Wed, Jul 16, 2008 at 04:14:48PM +0200, Nico Golde <[EMAIL PROTECTED]> wrote:
> > > note that CVE-2008-2785 has been fixed with the 3.0.1-1
> > > upload referring to the upstream security advisory on
> > > http://www.mozilla.org/security/announce/2008/mfsa2008-34.html
> >
> > Note that 3.0.1-1 was uploaded before the upstream security advisory
> > was released, so it doesn't refer to the MFSA or CVE numbers.
>
> Yes sure.
>
> > Also note that technically, these bugs affect the xulrunner-1.9 package,
> > not the iceweasel package. But iceweasel 3.0.1-1 depending on
> > xulrunner-1.9 >> 1.9~rc2-5, and 1.9.0.1-1 being next after 1.9~rc2-5,
> > this is roughly the same (except for epiphany and friends, but the BTS
> > is surely not the best place to keep proper security fix versioning,
> > security-tracker should be)
>
> Ok thanks, added xulrunner 1.9.0.1-1 to the list of fixed
> packages at the security-tracker.
>
> > > Unfortunately it is not yet clear whether CVE-2008-2786 is
> > > the same issue or not.
> >
> > There are two fixes in the diff between 3.0 and 3.0.1 that look like
> > overflow fixing, and that are very similar:
> > one in layout/style/nsCSSValue.h and one in
> > rdf/base/src/nsInMemoryDataSource.cpp.
> >
> > Maybe each CVE refers to each of these.
> >
> > There is also a crash bug that is fixed, but MFSA-2008-24 explicitly
> > talks about CVE-2008-2785, so this leaves only CVE-2008-2786 as unexplained,
> > and CVE-2008-2786 is about a buffer overflow, which is not what the fixed
> > crash seems to lead to, I'd say. This crash is:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=440473
> >
> > Note that if that were really CVE-2008-2786, it would not be a public bug.
> >
> > So it looks pretty much like both are fixed. If you don't agree, feel
> > free to reopen.
>
> I reopen this bug for now as there is not clear evidence
> about what CVE-2008-2786 is as long as the researcher who
> posted the hashes on full-disclosure comes up with the
> details. I'm not even sure if he informed the mozilla people
> about the vulnerability.
>
> I suggest cloning this bug, assigning one to CVE-2008-2786
> and one to CVE-2008-2785, closing the latter one and tagging
> the first one with moreinfo.
>
> What do you think?

Go ahead. You may want to reassign to xulrunner-1.9 at the same time.
(and maybe clone for iceweasel and iceape in stable, and iceape in
unstable, 1.1.11 will fix CVE-2008-2785)

Mike