lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <412B04B3.6050802@gerv.net>
From: gerv at gerv.net (Gervase Markham)
Subject: RE: [ GLSA 200408-22 ] Mozilla, Firefox, Thunderbird: New releases
 fix vulnerabilities

 > Gentoo Linux Security Advisory                        GLSA 200408-22
 >
 >   Severity: Normal
 >      Title: Mozilla, Firefox, Thunderbird: New releases fix
 >             vulnerabilities
 >       Date: August 23, 2004
 >       Bugs: #57380, #59419
 >         ID: 200408-22

<snip>

 > * An attacker may force the browser to execute arbitrary code from a
 >   malicious website by utilizing Mozilla's predictable cache file
 >   locations, and its ability to execute local files within the local
 >   zone.

As has been pointed out to the author of the relevant "advisory" several 
times, Mozilla has neither a "local zone" nor "predictable cache file 
locations". The author assumed that the random string generated for his 
cache file location was the same as everyone else's.

I wonder how Gentoo can have fixed, QAed and tested the fix for a 
vulnerability which doesn't exist?

(Note: none of the referenced CVE numbers in the advisory refer to this 
"issue".)

Gerv

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ