[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] RE: [ GLSA 200408-22 ] Mozilla, Firefox, Thunderbird: New releases fix vulnerabilities

To: klieber@xxxxxxxxxx
Subject: [Full-Disclosure] RE: [ GLSA 200408-22 ] Mozilla, Firefox, Thunderbird: New releases fix vulnerabilities
From: Gervase Markham <gerv@xxxxxxxx>
Date: Tue, 24 Aug 2004 10:04:51 +0100

> Gentoo Linux Security Advisory                        GLSA 200408-22
>
>   Severity: Normal
>      Title: Mozilla, Firefox, Thunderbird: New releases fix
>             vulnerabilities
>       Date: August 23, 2004
>       Bugs: #57380, #59419
>         ID: 200408-22

<snip>

> * An attacker may force the browser to execute arbitrary code from a
>   malicious website by utilizing Mozilla's predictable cache file
>   locations, and its ability to execute local files within the local
>   zone.

As has been pointed out to the author of the relevant "advisory" several times, Mozilla has neither a "local zone" nor "predictable cache file locations". The author assumed that the random string generated for his cache file location was the same as everyone else's.

I wonder how Gentoo can have fixed, QAed and tested the fix for a vulnerability which doesn't exist?

(Note: none of the referenced CVE numbers in the advisory refer to this "issue".)

Gerv

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: Re: [Full-Disclosure] Using CHKROOTKIT
Next by Date: Re: [Full-Disclosure] Possible New Malware....
Previous by thread: [Full-Disclosure] a2ps executing shell commands from file name
Next by thread: RE: [Full-Disclosure] [PoC] Nasty bug(s) found in Axis Network Camera/Video Servers
Index(es):
- Date
- Thread