Bug#318061: mozilla-firefox: There appears to be more information now

2005-07-13 Thread Silas S. Brown 
Package: mozilla-firefox
Version: 1.0.4-2
Followup-For: Bug #318061


It seems that a little more information has appeared on that
page now.  Code execution through shared function objects
sounds scary.

Why not simply backport 1.0.5?  I can't see any major
difference between 1.0.4 and 1.0.5 except for these security
problems.  The same goes for all future security updates
they put out (as long as they're only security updates).
Alternatively, is there a simple way of providing an option
to run Firefox in a sandbox, so it can't touch your home
directory and its settings are restored after each session?
(Not restored to factory defaults, but restored as you want
them.)  That would mitigate most of the risk, although there
might be some stack-smashing bug that allows trojan sites to
execute arbitrary machine code and potentially break out of
the sandbox by exploiting a 'suid' vulnerability.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.23
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1) (ignored: LC_ALL set to 
en_GB)

Versions of packages mozilla-firefox depends on:
ii  debianutils2.8.4 Miscellaneous utilities specific t
ii  fontconfig 2.3.1-2   generic font configuration library
ii  libatk1.0-01.8.0-4   The ATK accessibility toolkit
ii  libc6  2.3.2.ds1-22  GNU C Library: Shared libraries an
ii  libfontconfig1 2.3.1-2   generic font configuration library
ii  libfreetype6   2.1.7-2.4 FreeType 2 font engine, shared lib
ii  libgcc11:3.4.3-13GCC support library
ii  libglib2.0-0   2.6.4-1   The GLib library of C routines
ii  libgtk2.0-02.6.4-3   The GTK+ graphical user interface 
ii  libidl00.8.5-1   library for parsing CORBA IDL file
ii  libjpeg62  6b-10 The Independent JPEG Group's JPEG 
ii  libkrb53   1.3.6-2   MIT Kerberos runtime libraries
ii  libpango1.0-0  1.8.1-1   Layout and rendering of internatio
ii  libpng12-0 1.2.8rel-1PNG library - runtime
ii  libstdc++5 1:3.3.5-13The GNU Standard C++ Library v3
ii  libx11-6   4.3.0.dfsg.1-14   X Window System protocol client li
ii  libxext6   4.3.0.dfsg.1-14   X Window System miscellaneous exte
ii  libxft22.1.7-1   FreeType-based font drawing librar
ii  libxp6 4.3.0.dfsg.1-14   X Window System printing extension
ii  libxt6 4.3.0.dfsg.1-14   X Toolkit Intrinsics
ii  psmisc 21.5-1Utilities that use the proc filesy
ii  xlibs  4.3.0.dfsg.1-14   X Keyboard Extension (XKB) configu
ii  zlib1g 1:1.2.2-4.sarge.1 compression library - runtime

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]

Bug#318061: mozilla-firefox: There appears to be more information now

2005-07-13 Thread Vincent Lefevre 
On 2005-07-13 09:11:14 +0100, Silas S. Brown wrote:
 Why not simply backport 1.0.5? I can't see any major difference
 between 1.0.4 and 1.0.5 except for these security problems.

In addition to these security problems, an important performance
regression concerning form inputs seems to have been fixed in
Firefox 1.0.5. See

  https://bugzilla.mozilla.org/show_bug.cgi?id=291278

(I just hope that this fix is not just for Windows). So, a backport
would really be fine.

-- 
Vincent Lefèvre [EMAIL PROTECTED] - Web: http://www.vinc17.org/
100% accessible validated (X)HTML - Blog: http://www.vinc17.org/blog/
Work: CR INRIA - computer arithmetic / SPACES project at LORIA


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]