[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <41A64BD2.7060906@osafoundation.org>
From: heikki at osafoundation.org (Heikki Toivonen)
Subject: FIREFOX flaws: nested array sort() loop Stack
overflow exception
Berend-Jan Wever wrote:
> I'd have loved to CC mozilla about this, but I didn't have the time to do the crash course "how to write a bug report" and go through all that bugzilla crap.
Well, Mozilla does have a well know security email alias for those who
don't have the time to do a crash course on Bugzilla - see
http://www.mozilla.org/projects/security/security-bugs-policy.html (but
if you don't have time visit that link, I'll save you the trouble and
say it starts with security@.....)
Bugzilla really isn't that difficult either. Below are detailed
instructions if anyone cares. Steps 4-6 you can ignore if you already
have a Bugzilla account. Step 9 gives detailed info on what to fill in
the actual bug reporting form. There are only two critically important
pieces on that form: the details text box, and the security checkbox.
However, carefully filling in as much information as you can will make
it likelier the bug gets fixed faster.
1. Type bugzilla.mozilla.org in your browsers location bar and go there
2. Click the link: "Report A Bug"
3. Either login if you already have an account, or click "create new
account". Let's assume we need to create a new account...
4. Type in a valid email address and click "Create Account"
5. [mail] Read email that was sent to the address to get password
6. back on in the browser, click "log in here"
7. fill in your username and password and click "login"
8. Select product link, for example "Firefox"
9. there's a form to fill in, let's go this part over in detail since I
think this is the scariest part:
9.1 There is a search box, but if you are reporting a security bug in
the latest product, chances are there are no dupes so just jump on over
9.2 Select a component that you think most closely describes where the
problem occurs - if you can't figure out, just choose something, for
example "General"
9.3 Hardware, operating system and build identifier are already filled
in correctly for you if you are reporting the bug in the same product
where you found it - if you can't figure these out, don't worry - just
describe the stuff later on
9.4 If you know a URL where this happens (for example a testcase), fill
that in
9.5 Give a brief summary
9.6 The details are next - basically what you'd put in a vulnerability
report email or post goes here
9.7 Next it's going to ask even in more details, just to make sure the
developers get all the info - if you already filled these parts in the
details section, you can ignore them. The fields are: reproducibility,
steps to reproduce, actual results, expected results, additional information
9.8 IMPORTANT: Check that security box! This way your bug will get the
speediest attention, and it will also restrict people access to the bug
until it is opened (either by you or someone else)
9.9 lastly severity
10. Submit bug report, and you are done!
Then, whenever someone changes the bug, you will get an email of the
changes with a link to the bug. People may ask you more questions etc.
Commenting on the bug later on is trivial - just go the URL (Bugzilla
may ask you to login again), type in your comments in the "Additional
Comments" textbox and hit the "Commit" button. There are a lot of other
fields, but typically the developers and more experienced Bugzilla users
will take care of changing those. At this point the bug basically
resembles a normal web forum from user's point of view.
And if you really have the time, I recommend you go read the docs that
are linked under the "When reporting a bug" section on
https://bugzilla.mozilla.org/
--
Heikki Toivonen
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20041125/b9a8e928/signature.bin
Powered by blists - more mailing lists