List: oss-security
Subject: Re: [oss-security] libical 0.47 SEGV on unknown address
From: Brandon Perry <bperry.volatile () gmail ! com>
Date: 2016-06-25 15:41:16
Message-ID: C5D9B35B-045D-41DD-9419-14D50BE494BA () gmail ! com
> On Jun 25, 2016, at 10:34 AM, Alan Coopersmith <alan.coopersmith@oracle.com> wrote:
>
> On 06/24/16 06:54 AM, Brandon Perry wrote:
> > I am posting this to Full Disclosure/OSS instead of reporting it because I have
> > opened a handful of libical bugs in the Mozilla bug tracker, alerted
> > security@mozilla.org, and worked to show how and
> > where to reproduce the bugs in Thunderbird, but Mozilla hasn't shown any care at
> > all about the bugs. Perhaps if I give a sample to the community of the bugs in
> > the bug reports, Mozilla will take the bug reports more seriously. This bug
> > attached had not been reported yet.
>
> Did you report them to libical upstream? http://libical.github.io/libical/
I had initially asked for contact information regarding reporting potentially sensitive
security test cases, but after a couple of days, I decided to look into another product that I
figured would have more visibility and more power to get things fixed.

https://github.com/libical/libical/issues/235
>
> > My roommate mentioned Thunderbird being a second-class citizen in the Mozilla
> > world, so if this is the case, this should be made explicit in regards to bug
> > bounty expectations.
>
> While Thunderbird is still a beloved child of Mozilla, it's been told it's time
> to move out of its parents' house and find its own sources of income/support:
>
> https://groups.google.com/d/msg/mozilla.governance/kAyVlhfEcXg/Eqyx1X62BQAJ
> https://blog.mozilla.org/thunderbird/2015/12/thunderbird-active-daily-inquiries-surpass-10-million/
>
> --
> -Alan Coopersmith- alan.coopersmith@oracle.com
> Oracle Solaris Engineering - http://blogs.oracle.com/alanc