[25758] in bugtraq
RE: remote DoS in Mozilla 1.0
daemon@ATHENA.MIT.EDU (Keith Warno)
Thu Jun 13 14:41:18 2002
From: "Keith Warno" <keith.warno@valaran.com>
To: "'Tom'" <tom@lemuria.org>, <bugtraq@securityfocus.com>
Date: Thu, 13 Jun 2002 10:47:55 -0400
Message-ID: <001a01c212e9$4de68c70$6702a8c0@valaran.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20020610102006.A6947@lemuria.org>
| -----Original Message-----
| From: Tom [mailto:tom@lemuria.org]
| Sent: Monday, June 10, 2002 4:20 AM
| To: bugtraq@securityfocus.com
| Subject: remote DoS in Mozilla 1.0
|
[...]
|
| Vendor Contact
| ==============
[...]
| also filed with the XFree86 team, no reaction so far
|
|
There is chatter but the same type of question regarding "at what point [is]
a request for a font ... clearly invalid" is being asked.
---------- Forwarded message ----------
Date: Thu, 13 Jun 2002 09:46:56 +0100
From: Juliusz Chroboczek <jec@dcs.ed.ac.uk>
Reply-To: xpert@XFree86.Org
To: xpert@XFree86.Org
Subject: Re: [Xpert]abort() in libXfont 4.2.0 (was FW: remote DoS in
Mozilla 1.0)
From: Juliusz Chroboczek <jec@dcs.ed.ac.uk>
Subject: Re: [bugtraq] remote DoS in Mozilla 1.0
To: devel@xfree86.org
Date: 12 Jun 2002 08:51:49 +0100
MH> Interesting problem reported on bugtraq:
MH> <http://online.securityfocus.com/archive/1/276120>
I see. Two bugs here.
One is the dodgy error-handling in the Type 1 backend, which gives up
by calling abort() (see the very end of curves.c). I agree that this
is a bug; however, as I'm hoping to phase out the current Type 1
backend in favour of one based on FreeType 2 in time for 4.3.0, I do
not intend to fix it.
The other problem is that we do not fail a priori requests for very
large fonts. I do agree that this should be done, and I think it
should be done at the common layer (above the font backends); could
anyone suggest at what point a request for a font is clearly invalid?
Juliusz
_______________________________________________
Xpert mailing list
Xpert@XFree86.Org
http://XFree86.Org/mailman/listinfo/xpert
