Date: Mon, 1 Oct 2007 23:39:16 +0530
From: "Jimby Sharp" <jimbysharp@...il.com>
To: wac <waldoalvarez00@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Firefox 2.0.0.7 has a very serious calculation bug

> Also notice that if there is really a problem in FF javascript engine it goes beyond the
> browser. You could run Tamarin, Spidermonkey or Rhino on the server side and perform some
> processing there with javascript.

For heaven's sake please try to understand that it is not a problem at all.

> As a side comment I wanted to tell you that what is out there on the internet is not a
> standard. Is what IE dictates. IE rules the internet whether you like or not.

Go and read the ECMA standard. A standard is standard and it has
nothing to do with IE.

> I don't think that's a fair comparison. If you make the right algorithm and you do not get the
> expected results *is* not your fault but what are you sitting at (compiler, framework, library
> ...).

I fail to understand which part of my argument you failed to
understand. strcpy() provides the expected result for the right
algorithm so we do not say there is a bug in gcc. If someone uses
strcpy() to read user's input directly into a buffer, we say there is
a bug in the program.

Similarly, Firefox javascript floating point math gives expected
results. So there is no bug in Firefox. Now if you write a program
assuming the results of the floating math are absolutely accurate,
your program might have a bug.

---------------------------------------------------------------------------------------------
My protest against stupid Indian security researcher:-
Aditya K Sood is an asshole: http://secnichebogus.blogspot.com/
---------------------------------------------------------------------------------------------
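
The distinction drawn in the message above, between an engine that returns the floating-point results the standard specifies and a program that wrongly assumes those results are exact, shown as an added example that is not part of the original post. The function names and amounts are hypothetical and constructed for illustration.

```javascript
// Added example: constructed values, hypothetical function names.

// Buggy program logic: assumes binary floating point stores decimal
// fractions exactly, so an exact === comparison is expected to hold.
function totalsMatchNaive(prices, expectedTotal) {
  const sum = prices.reduce((acc, p) => acc + p, 0);
  return sum === expectedTotal;
}

// Parse a decimal string such as "0.10" into integer cents without
// performing any fractional floating-point arithmetic.
function toCents(text) {
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(text);
  if (!m) throw new RangeError(`not a valid amount: ${text}`);
  const whole = Number(m[1]);
  const frac = Number((m[2] || "").padEnd(2, "0"));
  const cents = whole * 100 + frac;
  if (!Number.isSafeInteger(cents)) {
    throw new RangeError(`amount too large: ${text}`);
  }
  return cents;
}

// Corrected program logic: sum and compare in integer cents, which
// doubles represent exactly up to Number.MAX_SAFE_INTEGER.
function totalsMatchExact(priceStrings, expectedTotalString) {
  const sum = priceStrings.reduce((acc, s) => acc + toCents(s), 0);
  return Number.isSafeInteger(sum) && sum === toCents(expectedTotalString);
}

// The engine is behaving as specified in both calls; only the first
// program makes an assumption the number format does not support.
console.log(totalsMatchNaive([0.1, 0.2], 0.3));
console.log(totalsMatchExact(["0.10", "0.20"], "0.30"));
```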
