Slashdot Mirror


A Security Bug In Mozilla - The Human Perspective

xslf writes "Alex Vincent, the reporter of the data-loss security bug 259708, writes about the behind-the-scenes process of reporting it, casting light on the problems of dealing with security-related bugs reported by the community, which isn't always aware of the security implications of the bugs reported. The issues with the FLOSS process shown in this bug might get worse once more and more people use FLOSS and add to the process without being full-fledged coders, and rely on binary releases of software." (Note, you'll have to copy and paste that link to view the bug report, or click through from the linked story.)

19 of 321 comments

  1. Don't link to bugzilla!!! by AKAImBatman · · Score: 5, Informative

    What are you trying to do? Shut down the Mozilla project?!? If you absolutely NEED to see the bug, go to MirrorDot and look it up there.

    1. Re:Don't link to bugzilla!!! by Anonymous Coward · · Score: 5, Informative

      What's the difference? They block referrers from Slashdot anyway.

    2. Re:Don't link to bugzilla!!! by dotlively · · Score: 4, Informative

      Blocking access to a page based on the Referrer header doesn't affect user-agents that do not send a Referrer header, such as Opera with the "Enable Referrer Logging" option turned off. I didn't have any trouble with the link in the summary.

  2. 3.5-year-old information disclosure and DoS by Jeffrey+Baker · · Score: 5, Informative

    Speaking of existing security bugs in Firefox & Mozilla, here's a security bug that's been open for 3.5 years and really needs some hero to come in and fix it. (The bug is assigned to me but I'm not qualified and don't have the time to come up with a real solution.)

    Bug 69070

    The bug was on bugtraq in 2001! It allows remote pages to open and use files on the local machine, and is also a denial of service on Linux, since Mozilla stupidly allows the opening of paths which are not regular files (/dev/tty).

    My experience with 69070 has been educational. I've learned if there's a security bug you care about, you had better fix it yourself. Unfortunately I can't but maybe someone in the audience has the spare time to step up.

    1. Re:3.5-year-old information disclosure and DoS by Anonymous Coward · · Score: 5, Informative

      "It allows remote pages to open and use files on the local machine"

      You make it sound like it allows remote servers to open and use files from the local machine. In fact what it allows is a remote server to cause the local machine to open files locally, which is a different thing altogether.

      It still should be fixed, but it's only a DoS, not a remote-execute or a remote-data-access.

    2. Re:3.5-year-old information disclosure and DoS by sydb · · Score: 4, Informative

      It's a DoS on Linux, probably *n*x. A page has a
      <img src="file:///dev/tty">
      tag in it and it swallows your console, i.e. your keyboard stops working.

      Trust me, I just tried it and if I didn't have gtop (to kill Firefox with my mouse - exiting from the file menu didn't kill the process) I'd have had to hit the power switch.

      Ouch.
      --
      Yours Sincerely, Michael.
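
      The `file:///dev/tty` hang described above comes down to a loader opening whatever local path a page hands it and then reading from it. The following is an added example, not code from Mozilla or from anyone in this thread, of how a local-file loader can refuse anything that is not a regular file before reading a byte: open with O_NONBLOCK and O_NOCTTY so the open itself can neither block nor attach a terminal, then fstat the descriptor and require S_ISREG. The function names and the constructed sample file under /tmp are my own.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a local path for reading only if it turns out to be a regular file.
 * O_NONBLOCK: open() itself must not block (a FIFO with no writer, a device
 *             waiting for carrier). O_NOCTTY: never adopt a terminal as the
 *             controlling tty, which is the /dev/tty case from the thread.
 * On success returns a read-only fd with O_NONBLOCK cleared again; on failure
 * returns -1 and points *why at a short reason. */
int open_regular_file_only(const char *path, const char **why)
{
    struct stat st;
    int flags;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    if (fd < 0) {
        *why = "open failed";
        return -1;
    }
    /* Check the object actually opened, not the path name, so there is no
     * stat()-then-open() race to exploit. */
    if (fstat(fd, &st) != 0) {
        *why = "fstat failed";
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {
        *why = "not a regular file";
        close(fd);
        return -1;
    }
    /* Regular files never block on read, so restore ordinary semantics. */
    flags = fcntl(fd, F_GETFL);
    if (flags >= 0)
        fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
    *why = NULL;
    return fd;
}

/* 1 if the path passes the check, 0 otherwise. */
int is_safe_regular_file(const char *path)
{
    const char *why;
    int fd = open_regular_file_only(path, &why);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Constructed sample: create a small regular file under /tmp, run the check
 * on it, remove it, and return 1 if it was accepted, 0 if rejected, -1 if the
 * sample could not be created. */
int sample_regular_file_is_accepted(void)
{
    char path[64];
    int accepted;
    FILE *f;
    snprintf(path, sizeof path, "/tmp/ff-sample-%ld.txt", (long)getpid());
    f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs("constructed sample content\n", f);
    fclose(f);
    accepted = is_safe_regular_file(path);
    unlink(path);
    return accepted;
}

int main(void)
{
    /* Paths a page might hand to a local-file loader; the device and the
     * directory are the cases the check is meant to refuse. */
    const char *probes[] = { "/etc/hostname", "/dev/tty", "/dev/null", "/tmp" };
    size_t i;
    printf("constructed regular file: %s\n",
           sample_regular_file_is_accepted() == 1 ? "accepted" : "rejected");
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *why;
        int fd = open_regular_file_only(probes[i], &why);
        if (fd >= 0) {
            printf("%s: accepted\n", probes[i]);
            close(fd);
        } else {
            printf("%s: rejected (%s)\n", probes[i], why);
        }
    }
    return 0;
}
```

      The check is done on the descriptor rather than on the path because a stat() before the open() could be answered by a different object than the one eventually opened; the flags on the open() are what keep the probe itself from hanging on a terminal or FIFO.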

    3. Re:3.5-year-old information disclosure and DoS by BZ · · Score: 2, Informative

      > We haven't really noticed the effects because all
      > the attention has been shifted to Firefox

      All the media and PR attention has shifted to Firefox. The core developers are working on the core as they have been; just check out the list of layout checkins on the trunk in the 6 months since Firefox branched.

  3. Mirrored by Adam9 · · Score: 3, Informative

    If you don't want to copy & paste...

    Here is a rough mirror. (links are relative, so they won't work)

  4. Re:Where's the stable version?? by sweede · · Score: 2, Informative

    yes, but the bug affected versions from 0.8 on also.

    the download link on the website now, though, links to a fixed Firefox

    --
    I follow the SDK and GDN principles.. Spelling Dont Kount, Grammer Dont Neither

  5. Re:What is FLOSS ? by caseih · · Score: 2, Informative

    Yes. See http://en.wikipedia.org/wiki/FLOSS.

  6. Not exactly redundant. by WebCowboy · · Score: 2, Informative

    The "Libre" is there to "thoroughly describe the movement in one acronym". This is because of the dual meaning of the word "free" in the English language. The French have two words that translate to "free": Libre and Gratis. The latter refers to cost rather than freedom, and "free-gratis" software such as Acrobat Reader, Yahoo Messenger or Bonzi Buddy has nothing to do with the movement.

    I agree that the acronym is unfortunately rather stupid. "Remember kids to use FLOSS daily"...whatever...

  7. Re:My experience reporting bugs.. by d_jedi · · Score: 5, Informative

    Wow.. one post, so much criticism. I honestly haven't experienced that on /.

    Guess it's not a good idea to criticize Mozilla developers ;p

    OK.. allow me to respond to all of the replies in one post.

    1) Bug reports = good. Insulting bug reporters = bad.

    As a developer, I'll tell you that having your customers report bugs to you is a GOOD THING. Something that you want to ENCOURAGE. There is no amount of alpha or beta testing that can substitute for real world use. However, I've been encouraged by this experience to very much just "shut up and take it or leave it" (paraphrasing from one of the more colourful indignant replies I alluded to). I'm not going to report more bugs if this is the response I'm going to get to them. Which is a BAD THING for the Mozilla project.

    2) Encouraging and reminding developers = good.

    Developers are human beings. They can forget, get distracted, etc. And like all people, sometimes it's a good thing to remind them of outstanding issues. Perhaps they forgot about it? Perhaps they've completed the task, but haven't checked it in? Perhaps the guy responsible for the bug has too much work on his plate, but is reluctant to say so without being prodded.

    Certainly, a post every few days asking if the bug's been fixed is just about as annoying as "are we there yet?" queries on car trips with children. But that was not the case here.

    3) There ARE paid developers working on Mozilla

    Most of them work for Netscape. I wouldn't doubt if there were contract workers as well. Personally, as an independent developer, I don't have the time or resources to program if I'm not being compensated for it. The question was asked why I don't fix it myself, and I gave a truthful answer. As a result (as here on /. ) I was flamed.

    I hope this clears up any confusion.

    --
    I am the maverick of Slashdot

  8. Re:Unconfirmed bugs by mcsmurf · · Score: 2, Informative

    No :), but people who are more experienced/skilled get more rights in Bugzilla. With those extended rights you can file a bug as NEW (which doesn't necessarily mean your bug gets more attention).

  9. He got the bounty ... by Paul+Bolle · · Score: 2, Informative

    He seems to have gotten a bounty from the Mozilla Foundation for this.

  10. Re:Give us CHROOT! by pe1chl · · Score: 4, Informative

    > Running Mozilla or Firefox in a chroot environment would greatly enhance security

    Of course it would not have helped in this case.

  11. Re:Give us CHROOT! by otis+wildflower · · Score: 2, Informative

    a few starting bits from a gentoo box (in bash):

    mkdir ffchroot && cd ffchroot
    # every library firefox-bin needs, as absolute paths: the "lib => /path (addr)" lines plus the
    # bare "/lib/ld-linux.so.2 (addr)" line for the dynamic loader (without it nothing runs in the chroot)
    libs() { ldd /usr/lib/MozillaFirefox/firefox-bin | while read libname separator libfile hex; do
        case "$separator" in "=>") echo "$libfile";; *) echo "$libname";; esac; done | grep '^/'; }
    # recreate the directories the libraries live in, then copy the libraries into them
    libs | while read lib; do dirname "$lib"; done | sort -u | while read dir; do mkdir -p "./$dir"; done
    libs | while read lib; do cp "$lib" "./$lib"; done
    mkdir -p etc usr/bin usr/lib home/$USER
    cp -a /usr/lib/MozillaFirefox usr/lib
    cp /usr/bin/firefox usr/bin
    cp /etc/passwd etc

    Unfortunately IIRC you have to be user root to chroot, and there's lots of other dependencies on mozilla.. like /dev/null, xdpyinfo, awk, etc. But if you keep plugging away it should work.

  12. Re:What is FLOSS ? by Glenn+R-P · · Score: 2, Informative

    > the F or the L is entirely redundant

    It's trying to deal with the notion that "free" and "libre" are different things, hard to express in English. "Free" as in free beer that you don't have to pay for; "Libre" as in you can have the recipe for the beer, make your own, improve the recipe, and distribute the improved recipe.

  13. Re:My experience reporting bugs.. by MobyTurbo · · Score: 2, Informative

    > 3) There ARE paid developers working on Mozilla
    >
    > Most of them work for Netscape.

    Not anymore. Netscape spun off Mozilla (mysteriously after AOL, the parent company, received money from Microsoft to continue to use IE in the AOL browser) to the Mozilla Foundation. Most of the developers from Netscape who worked on Mozilla were laid off and some of them went on to work at the Mozilla Foundation.

    Somehow, however, the quality of the product hasn't suffered; lots of work continues on Firefox. In the past, before open source, such a thing would be a death knell to a software project.

  14. Re:What is FLOSS ? by caseih · · Score: 2, Informative

    Haha. That's funny. The real link should be http://en.wikipedia.org/wiki/FOSS. If you search for FLOSS, you get redirected to FOSS, which is essentially the same thing, except that some people like to use "Libre" to help identify the concept of "free as in speech."

    Way to go moderators!