Slashdot Mirror


A Security Bug In Mozilla - The Human Perspective

xslf writes "Alex Vincent, the reporter of the data-loss security bug 259708, writes about the behind the scene process of reporting it, casting light on the problems of dealing with security related bugs reported by the community, which isn't always aware of the security implications of the bugs reported. The issues with the FLOSS process shown in this bug might get worse, once more and more people use FLOSS and add to the process, without being full fledged coders, and rely on binary releases of software." (Note, you'll have to copy and paste that link to view the bug report, or click through from the linked story.)

11 of 321 comments (clear)

  1. I work for a company that produces Mozilla Bugs. by Saeed+al-Sahaf · · Score: -1, Troll

    I work for a company that produces Mozilla Bugs. How much does it cost to advertise here?

    --
    "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
  2. My experience reporting bugs.. by d_jedi · · Score: -1, Troll

    is not very positive. If you ever dare to ask if any progress has been made, or for an ETA on a fix, you're bound to get a "well why don't you fix it yourself" indignant reply.

    (Of course, then it's MY turn for an indignant reply..)

    I would be more than willing to contribute code under contract for this project. Unfortunately, my services do not come free.

    (Now.. more indignant replies of various types..
    which I won't go into)

    --
    I am the maverick of Slashdot
  3. Re:The fallacies of Open Source design. by Anonymous Coward · · Score: -1, Troll

    Only if they want a troll mascot from the FAKELSTEIN troll!

  4. Re:WILDCAT IS ON TEH SPOKE by Anonymous Coward · · Score: -1, Troll

    Here's the bug report. Thanks to Google.

  5. Re:3.5-year-old information disclosure and DoS by The+Bungi · · Score: 0, Troll
    Yeah but that would have gotten me modded down as "troll" even faster. Zod forbid someone actually points out things like these.

    And that's why I love Splashdork.

  6. I was on IRC when all of this came down. by Anonymous Coward · · Score: -1, Troll



    I was hanging out in #DevFirefox when the sh*t started to hit the fan. It became clear pretty fast that this was going to be important, so I fired up my compiler just like everyone else.

    Well, this was code I wasn't familiar with, so I started crying for help. I did everything I could to get eyeballs on the bug, and on the source code. Every chance I got, I asked people on #developers and #firefox to look at the bug and see if they could figure out what was going on. Everyone seemed to agree that it was a bad bug, but very few people really started looking into it. I started wondering why exactly one file survived in the doomed directory, and I had a nasty thought: the file had come from a CD-ROM, and other files I'd dumped from the CD-ROM had had a read-only attribute set on them. I retested the bug without the file having that read-only attribute, and the whole directory disappeared. It was a little worse than I'd originally thought, and I resummarized to note this.

    I took a step back, and noticed that the filename which Firefox was giving the data: pseudo-file was actually the directory name. That was highly unusual, and I began to suspect the problems lay a little bit earlier in the code execution... like, in the code that actually opened up the Download Manager.

    I started digging around in there, but got nowhere. I just couldn't track it down with my eyes, so I tried to find people who knew the code. I blamed nsExternalAppHelperService and nsDownloadManager, and Christian Biesinger answered asking for details (I unfortunately was unable to provide them). In a concerned moment where I wasn't seeing any progress at all, I filed a weblog entry calling attention to the bug, and for a short time that worked: Darin Fisher responded by pointing out a patch which had landed on the Mozilla trunk, as a safety measure. He suggested the patch itself might fix the bug.

  7. Re:WILDCAT IS ON TEH SPOKE by Anonymous Coward · · Score: -1, Troll

    How is this a troll? Bugzilla can't be accessed directly from Slashdot, so why not use the Google cache?

    Does it have to do with the fact that Google is not gay enough for ./? I don't think this is the case. Google is the top-employer for homo-, meta- and paedo-sexuals, even more so now they sold their IPO to AOL Time Warner.

  8. Who cares? by SpamJunkie · · Score: 0, Troll

    Give me the robot perspective!

  9. FRIST PSOT!! by Anonymous Coward · · Score: -1, Troll

    Well-known argued by Eric the project as a bben the best, Mr. Raymond's reciprocating bad wheRe it was when won't vote in a dead man walking. something done

  10. Re:3.5-year-old information disclosure and DoS by geomon · · Score: -1, Troll

    That most applications break under such a scenario is Microsoft's fault to a certain extent, but not entirely so. Software vendors are just too lazy to code that way and they assume that they have the go of the entire machine.

    Now you know why I don't use Microsoft products. They NEVER take responsibility for their mistakes. They have ALWAYS claimed that the problems with their OSs and Office products are the result of third parties.

    I would like to point another type of hypocrisy however...

    That seems to be your job, doesn't it? Why do you READ slashdot if you find it so overwhelmingly anti-Microsoft?

    Is it our fault that you can't find a home where everyone likes what you like and Microsoft is the savior for the world's software woes?

    The problem with your assesment of this problem ..

    We have no problems with our problems. YOU, however, have major issues.

    --
    "Rocky Rococo, at your cervix!"
  11. Re:3.5-year-old information disclosure and DoS by rmstar · · Score: 1, Troll

    This shitty subthread is nothing but astroturfing!

    This isn't even a denial of service bug. Hey, this can be only considered a bug if you are a fucking pedantic retard. All an "attacker" can do is find out wether some image file exists.

    And, all versions of IE and NN are ""vulnerable"" (add more quotes, please) too.