From: heikki at osafoundation.org (Heikki Toivonen)
Subject: FIREFOX flaws: nested array sort() loop Stack overflow exception

Berend-Jan Wever wrote:
> I'd have loved to CC mozilla about this, but I didn't have the time to do the crash course "how to write a bug report" and go through all that bugzilla crap.

Well, Mozilla does have a well-known security email alias for those who 
don't have the time to do a crash course on Bugzilla - see 
http://www.mozilla.org/projects/security/security-bugs-policy.html (but 
if you don't have time to visit that link, I'll save you the trouble and 
say it starts with security@.....)

Bugzilla really isn't that difficult either. Below are detailed 
instructions if anyone cares. Steps 4-6 you can ignore if you already 
have a Bugzilla account. Step 9 gives detailed info on what to fill in 
the actual bug reporting form. There are only two critically important 
pieces on that form: the details text box, and the security checkbox. 
However, carefully filling in as much information as you can will make 
it likelier the bug gets fixed faster.

1. Type bugzilla.mozilla.org in your browser's location bar and go there
2. Click the link: "Report A Bug"
3. Either log in if you already have an account, or click "create new 
account". Let's assume we need to create a new account...
4. Type in a valid email address and click "Create Account"
5. [mail] Read the email that was sent to the address to get your password
6. Back in the browser, click "log in here"
7. Fill in your username and password and click "login"
8. Select a product link, for example "Firefox"
9. There's a form to fill in; let's go over this part in detail since I 
think this is the scariest part:
9.1 There is a search box, but if you are reporting a security bug in 
the latest product, chances are there are no dupes so just jump on over
9.2 Select a component that you think most closely describes where the 
problem occurs - if you can't figure it out, just choose something, for 
example "General"
9.3 Hardware, operating system and build identifier are already filled 
in correctly for you if you are reporting the bug in the same product 
where you found it - if you can't figure these out, don't worry - just 
describe the stuff later on
9.4 If you know a URL where this happens (for example a testcase), fill 
that in
9.5 Give a brief summary
9.6 The details are next - basically what you'd put in a vulnerability 
report email or post goes here
9.7 Next it's going to ask for even more details, just to make sure the 
developers get all the info - if you already filled these parts in the 
details section, you can ignore them. The fields are: reproducibility, 
steps to reproduce, actual results, expected results, additional information
9.8 IMPORTANT: Check that security box! This way your bug will get the 
speediest attention, and it will also restrict people's access to the bug 
until it is opened (either by you or someone else)
9.9 Lastly, severity
10. Submit bug report, and you are done!

Then, whenever someone changes the bug, you will get an email of the 
changes with a link to the bug. People may ask you more questions etc. 
Commenting on the bug later on is trivial - just go to the URL (Bugzilla 
may ask you to log in again), type in your comments in the "Additional 
Comments" textbox and hit the "Commit" button. There are a lot of other 
fields, but typically the developers and more experienced Bugzilla users 
will take care of changing those. At this point the bug basically 
resembles a normal web forum from the user's point of view.

And if you really have the time, I recommend you go read the docs that 
are linked under the "When reporting a bug" section on 
https://bugzilla.mozilla.org/

-- 
   Heikki Toivonen
