[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] swfdec 0.6.8 stable update
From: Nico Golde <oss-security+ml () ngolde ! de>
Date: 2008-08-23 16:21:57
Message-ID: 20080823162156.GA11010 () ngolde ! de
[Download RAW message or body]
Hi Marcus,
* Marcus Meissner <meissner@suse.de> [2008-08-23 18:05]:
> On Tue, Aug 19, 2008 at 06:22:57PM +0200, Nico Golde wrote:
> > * Marcus Meissner <meissner@suse.de> [2008-08-19 16:48]:
> > > Wonder if we should track updates for swfdec. The 0.6.8 announcement
> > > looks like it at least fixes several Denial of Service problems:
> > [...]
> > I have problems to understand why this would be a Denial of
> > Service. While I don't share the opinion about browser
> > crashes I think there are at least good arguments for both
> > sides.
>
> If it can be triggered by a SWF on the website, I would perhaps
> call it a security issue.
>
> If it crashes the SWF mozilla plugin and so the browser, it is
> a denial of service in my eyes.
I'm not sure how firefox handles this, at least opera does
not crash if the flash plugin crashes.
> More importantly if code execution is possible.
That should be self-evident.
[...]
> > It would be interesting what is causing this crash and if
> > there is underlying a more serious issue.
>
> Not really investigated and no time :/ Since swfdec is beta and not yet
> wildy iin use we could let it rest.
Yeah same here, maybe we can get comments about this by the
upstream people.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Attachment #3 (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic