- From: Helder Magalhães <helder.magalhaes@gmail.com>
- Date: Sun, 9 Jan 2011 11:10:34 +0000
- To: Yuhong Bao <yuhongbao_386@hotmail.com>
- Cc: www-amaya@w3.org
Hi Yuhong,

> I just tried mangleme on Amaya, and the attached HTML causes Amaya 11.3.1 to crash with this:
> *** buffer overflow detected ***: /usr/lib/Amaya/wx/bin/amaya_bin terminated

I can't speak for the Amaya team but, generally, this kind of (security-related) issue should be reported wisely: you just opened the possibility for a zero-day attack [1] affecting Amaya users! :-(

I just checked the W3C bug tracker [2] and, unfortunately, the Bugzilla version being used doesn't allow reporting issues privately (Mozilla's official install already has an option [3] for this). One should probably report privately to the team members [4] and, optionally, request public credit once a fix to the issue is widely made available. (Note that, naturally, I'm not making this up, these are procedures already used in several OSS projects.)

> Yuhong Bao

Cheers,
Helder

--
Helder M. A. Magalhães
http://heldermagalhaes.com/

[1] http://en.wikipedia.org/wiki/Zero-day_attack
[2] http://www.w3.org/Bugs/Public/buglist.cgi?product=Amaya
[3] "[checkbox] Many users could be harmed by this security problem: it should be kept hidden from the public until it is resolved."
[4] http://www.w3.org/Amaya/Actors.html

Received on Sunday, 9 January 2011 11:11:41 UTC