Re: remote DoS in Mozilla 1.0

From: Tom (tomat_private)
Date: Tue Jun 11 2002 - 06:35:14 PDT

    On Tue, Jun 11, 2002 at 03:05:31PM +0200, Stijn Jonker wrote:
    > Is this really a mozilla bug? 
    
    It's a bug in X that becomes remote-exploitable through Mozilla.
    
    > The solution(s):
    > 	(a) Fix every app to disallow font sizes bigger than <maxvalue>
    > 	(b) Fix XFS to return an error code to the calling application 
    > when requested font size is greater than configured <maxvalue>
    > 
    > Personally I would go for b.
    
    Personally, I would go for both, with a limitation on a, namely that
    apps that accept remote data (i.e. Mozilla) should definitely do some
    checking on that data before handing it to the local system (i.e. X).
    
    
    -- 
    New GPG Key issued (old key expired):
    http://web.lemuria.org/pubkey.html
    pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tomat_private>
         Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5
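
The application-side check discussed in this message (option a), as an added example that is not part of the original post and not Mozilla or X code. `FONT_PX_MAX` stands in for the thread's `<maxvalue>` and is an assumed number; the function names, the `helvetica` family and the XLFD-style request string are hypothetical illustrations.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed ceiling standing in for the thread's <maxvalue>; pick per deployment. */
#define FONT_PX_MAX 400L
#define FONT_PX_MIN 1L

/* Parse an untrusted size string (e.g. taken from a remote page).
 * Returns 0 and stores the size on success, -1 if the value is
 * malformed or outside [FONT_PX_MIN, FONT_PX_MAX]. */
int checked_font_px(const char *untrusted, long *out_px)
{
    char *end = NULL;
    long v;

    if (untrusted == NULL || *untrusted == '\0')
        return -1;
    errno = 0;
    v = strtol(untrusted, &end, 10);
    if (errno == ERANGE || end == untrusted || *end != '\0')
        return -1;  /* overflow, no digits, or trailing junk such as "12px" */
    if (v < FONT_PX_MIN || v > FONT_PX_MAX)
        return -1;  /* refuse instead of handing it to the local system */
    *out_px = v;
    return 0;
}

/* Build the font request only after the size has passed the check.
 * Returns 0 on success, -1 if the size was rejected or buf is too small. */
int build_font_request(const char *untrusted_px, char *buf, size_t buflen)
{
    long px;
    int n;

    if (checked_font_px(untrusted_px, &px) != 0)
        return -1;
    /* Hypothetical XLFD-style pattern with the validated pixel size filled in. */
    n = snprintf(buf, buflen,
                 "-*-helvetica-medium-r-normal--%ld-*-*-*-*-*-*-*", px);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}
```

Rejecting the value at the boundary, rather than clamping silently, gives the caller an error to handle, which is the same behaviour option (b) asks of the font server.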
    



    This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 10:11:45 PDT