Message-ID: <20081003175000.GA7567@ngolde.de>
Date: Fri, 3 Oct 2008 19:50:00 +0200
From: Nico Golde <nico@...lde.de>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: regarding CVE-2008-4382 & CVE-2008-4381
Hi,
I just had a look at CVE-2008-4382, which is the same issue
as CVE-2008-4381 but just for Konqueror; it should not get its
own CVE id in my opinion.
We at Debian don't handle browser
issues like this as security issues anyway but in this case
looking at the PoC this would work in every browser
supporting JavaScript as this is just a trivial memory
consumption issue by passing a very large string to the
alert function and thus eating memory, a simple
while(true){} would be equally effective for eating cpu
cycles which I wouldn't consider as a vulnerability
either...
I verified this at least with Firefox and Opera.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.