[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] swfdec 0.6.8 stable update
From:       Nico Golde <oss-security+ml () ngolde ! de>
Date:       2008-08-23 16:21:57
Message-ID: 20080823162156.GA11010 () ngolde ! de
[Download RAW message or body]


Hi Marcus,
* Marcus Meissner <meissner@suse.de> [2008-08-23 18:05]:
> On Tue, Aug 19, 2008 at 06:22:57PM +0200, Nico Golde wrote:
> > * Marcus Meissner <meissner@suse.de> [2008-08-19 16:48]:
> > > Wonder if we should track updates for swfdec. The 0.6.8 announcement
> > > looks like it at least fixes several Denial of Service problems:
> > [...] 
> > I have problems to understand why this would be a Denial of 
> > Service. While I don't share the opinion about browser 
> > crashes I think there are at least good arguments for both 
> > sides.
> 
> If it can be triggered by a SWF on the website, I would perhaps
> call it a security issue.
> 
> If it crashes the SWF mozilla plugin and so the browser, it is
> a denial of service in my eyes.

I'm not sure how firefox handles this, at least opera does 
not crash if the flash plugin crashes.

> More importantly if code execution is possible.

That should be self-evident.

[...] 
> > It would be interesting what is causing this crash and if 
> > there is underlying a more serious issue.
> 
> Not really investigated and no time :/ Since swfdec is beta and not yet
> wildy iin use we could let it rest.

Yeah same here, maybe we can get comments about this by the 
upstream people.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Attachment #3 (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]