Re: mangleme and Amaya

Hi Yuhong,


> I just tried mangleme on Amaya, and the attached HTML causes Amaya 11.3.1 to crash with this:
> *** buffer overflow detected ***: /usr/lib/Amaya/wx/bin/amaya_bin terminated

I can't speak for the Amaya team but, generally, this kind of
(security-related) issue should be reported wisely: you just opened
the possibility for a zero-day attack [1] affecting Amaya users! :-(

I just checked the W3C bug tracker [2] and, unfortunately, the
Bugzilla version being used doesn't allow reporting issues privately
(Mozilla's official install already has an option [3] for this). One
should probably report privately to the team members [4] and,
optionally, request public credit once a fix to the issue is widely
made available. (Note that, naturally, I'm not making this up; these
are procedures already used in several OSS projects.)


> Yuhong Bao

Cheers,
Helder


--
Helder M. A. Magalhães
http://heldermagalhaes.com/


[1] http://en.wikipedia.org/wiki/Zero-day_attack
[2] http://www.w3.org/Bugs/Public/buglist.cgi?product=Amaya
[3] "[checkbox] Many users could be harmed by this security problem:
it should be kept hidden from the public until it is resolved."
[4] http://www.w3.org/Amaya/Actors.html

Received on Sunday, 9 January 2011 11:11:41 UTC