Re: mangleme and Amaya

Hello,

We have fixed this problem in the CVS version. We are looking for some
similar cases in the code.
We'll certainly release a new version soon.

Thanks for the report,
Laurent Carcone

On 09/01/11 12:10, Helder Magalhães wrote:
> Hi Yuhong,
>
>
>> I just tried mangleme on Amaya, and the attached HTML causes Amaya 11.3.1 to crash with this:
>> *** buffer overflow detected ***: /usr/lib/Amaya/wx/bin/amaya_bin terminated
> I can't speak for the Amaya team but, generally, this kind of
> (security-related) issue should be reported wisely: you just opened
> the possibility for a zero-day attack [1] affecting Amaya users! :-(
>
> I just checked the W3C bug tracker [2] and, unfortunately, the
> Bugzilla version being used doesn't allow reporting issues privately
> (Mozilla's official install already has an option [3] for this). One
> should probably report privately to the team members [4] and,
> optionally, request public credit once a fix to the issue is widely
> made available. (Note that, naturally, I'm not making this up, these
> are procedures already used in several OSS projects.)
>
>
>> Yuhong Bao
> Cheers,
>    Helder
>
>
> --
> Helder M. A. Magalhães
> http://heldermagalhaes.com/
>
>
> [1] http://en.wikipedia.org/wiki/Zero-day_attack
> [2] http://www.w3.org/Bugs/Public/buglist.cgi?product=Amaya
> [3] "[checkbox] Many users could be harmed by this security problem:
> it should be kept hidden from the public until it is resolved."
> [4] http://www.w3.org/Amaya/Actors.html
>
>

Received on Thursday, 13 January 2011 08:36:45 UTC