Re: mangleme and Amaya

Hi Yuhong,

> I just tried mangleme on Amaya, and the attached HTML cause Amaya 11.3.1 to crash with this:
> *** buffer overflow detected ***: /usr/lib/Amaya/wx/bin/amaya_bin terminated

I can't speak for the Amaya team but, generally, this kind of
(security-related) issues should be reported wisely: you just opened
the possibility for a zero-day attack [1] affecting Amaya users! :-(

I just checked the W3C bug tracker [2] and, unfortunately, the
Bugzilla version being used doesn't allow reporting issues privately
(Mozilla's official install already has an option [3] for this). One
should probably report privately to the team members [4] and,
optionally, request public credit once a fix to the issue is widely
made available. (Note that, naturally, I'm not making this up, these
are procedures already used in several OSS projects.)

> Yuhong Bao

† Helder

Helder M. A. Magalh„es

[3] "[checkbox] Many users could be harmed by this security problem:
it should be kept hidden from the public until it is resolved."

Received on Sunday, 9 January 2011 11:11:41 UTC