Message-ID: <CAOJKFBA8nnacOSaRfu3+nQrtgac+vauMC8voT0BsHeLtzU0P3g@mail.gmail.com>
Date: Thu, 10 Jul 2014 13:50:52 -0500
From: Brandon Perry <bperry.volatile@...il.com>
To: Nick Boyce <nick.boyce@...il.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] FireFox: Lab Mouse Security: Remote Code Execution via Browser (LZO)

Are we sure it isn't a plugin like mplayer or something that is popping the shell, and not FF itself?

On Thu, Jul 10, 2014 at 11:20 AM, Nick Boyce <nick.boyce@...il.com> wrote:
> On 9 July 2014 18:50, Lee <curtlee2002@...il.com> wrote:
>
> > I know nothing about this, but some friends kept posting a link to this
> > video. I saw nothing about this in the mailing list, so I thought I would
> > post it to see if others have more info.
> > https://www.youtube.com/watch?v=BcCDETzk4zc
>
> Well the video is allegedly uploaded by Don Bailey, who is the person
> who did the LZO/LZ4 bug research that was recently responsibly
> reported on the OSS list(s). And I did notice at the time that one of
> the postings [1] in the ensuing discussion, from Yves-Alexis Perez,
> gave a list of potentially affected open-source software which had
> been identified by a source-code-scanning service. That list included
> Firefox ... and since then I've been holding my breath waiting for the
> other shoe to drop.
>
> Maybe this is that other shoe.
>
> I know nothing about the Firefox source-code, or where exactly the
> vulnerable use of LZO/LZ4 might be.
>
> But it's odd that there hasn't been a peep out of Mozilla (e.g. no
> emergency release announced for ESR or any other channel), despite the
> vulnerability having been disclosed responsibly on private vendor
> mailing lists, with a patch available, and plenty of time to
> coordinate binary releases.
>
> Hey - maybe the bug is real, but the Youtube clip was uploaded by a
> Bad Guy pretending to be Don, and all those of us (367 at time of
> writing) who viewed the clip are now pwned :-)
>
> Dammit - if only we'd all signed up for keybase.io's weirdo
> GPG-key-identifying service [2] then we could all have known whether
> Youtube Don is really LZO Don ...
>
> Exciting times.
>
> [1] http://seclists.org/oss-sec/2014/q2/676
> [2] http://seclists.org/fulldisclosure/2014/Jun/102
>
> Cheers
> Nick
> --
> Blessed are the peacemakers...for they shall be shot at from both sides.
> ~~ A.M. Greeley
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/