Closed
Bug 229374
Opened 21 years ago
Closed 21 years ago
more to do for bug #157644...
Categories
(MailNews Core :: Networking: POP, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
mozilla1.7final
People
(Reporter: sspitzer, Assigned: Bienvenu)
References
Details
(Keywords: fixed1.4.3, fixed1.7, Whiteboard: fixed-aviary1.0, [sg:fix])
Attachments
(1 file)
1.10 KB,
patch
|
sspitzer
:
review+
mscott
:
superreview+
caillon
:
approval1.4.3+
sspitzer
:
approval1.7+
|
Details | Diff | Splinter Review |
more to do for bug #157644... dan got email from zen-parse@gmx.net, pointing out that the fix for #157644 plugged one security hole, but not them all. from the reporter: the correct fix is to limit the number of messages to (MAXINT(sizeof(Pop3MsgInfo)) if an evil server sends a larger number of messages, we'll only allocate space for 50k. but if part way through the list, if the server introduces a message that is < than the max but > 50k, we'll allocate more space. SendUidl() doesn't bounds check on the 50k message limit. the patch in bug #157644 assumes that message numbers are sequential. I've got the complete email from zen-parse.
Reporter | ||
Comment 1•21 years ago
|
||
giving zen-parse (neuro@es.co.nz) access to this new bug.
As far as I can tell, this is our only open bug which would allow a remote server to take control of a Mozilla session. 'twould be nice if we could fix it :-)
Assignee | ||
Comment 4•21 years ago
|
||
Assignee | ||
Comment 5•21 years ago
|
||
Comment on attachment 148899 [details] [diff] [review] proposed fix this was the fix I proposed all along...
Attachment #148899 -
Flags: superreview?(mscott)
Attachment #148899 -
Flags: review?(sspitzer)
Updated•21 years ago
|
Attachment #148899 -
Flags: superreview?(mscott) → superreview+
Reporter | ||
Comment 6•21 years ago
|
||
Comment on attachment 148899 [details] [diff] [review] proposed fix r/a=sspitzer I'm not sure why we just didn't do what david suggested. david, should we back out http://bugzilla.mozilla.org/show_bug.cgi?id=157644
Attachment #148899 -
Flags: review?(sspitzer)
Attachment #148899 -
Flags: review+
Attachment #148899 -
Flags: approval1.7+
Assignee | ||
Comment 7•21 years ago
|
||
yes, we should back it out, just to remove the unneeded code and simplify it.
Comment 9•21 years ago
|
||
I think your patch is short a parentheses :)
Updated•21 years ago
|
Whiteboard: [sg:fix] → fixed-aviary1.0, [sg:fix]
Comment 12•21 years ago
|
||
cleaning up 1.7 bug lists -- is this bug ready to be marked fixed?
Reporter | ||
Comment 13•21 years ago
|
||
over to david who has the fix and is going to land on trunk (he already landed on the branch). I'll log a bug about backing out bug #157644. note, if we need to test this we can use servterm http://www.snapfiles.com/get/servterm.html to emulate an evil pop server.
Assignee: sspitzer → bienvenu
Assignee | ||
Comment 14•21 years ago
|
||
fixed on trunk.
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 15•21 years ago
|
||
backing out the fix for bug #157644 is covered by bug #245066
Target Milestone: --- → mozilla1.7final
Comment 16•21 years ago
|
||
Adding Jon Granrose to CC list to help round up QA resources for verification
Comment 17•21 years ago
|
||
adding karen to verify on the 1.7 branch
Comment 18•21 years ago
|
||
Comment on attachment 148899 [details] [diff] [review] proposed fix a=blizzard for 1.4.3
Attachment #148899 -
Flags: approval1.4.3+
Comment 20•20 years ago
|
||
Removing security-sensitive flag for bugs on the known-vulnerabilities list
Group: security
Comment 21•20 years ago
|
||
Since David mentioned that this bug need to be verified in the debugger, by tweaking some values at runtime... I had requested Seth to help for verifying this bug for 1.7....
Comment 22•20 years ago
|
||
Note: The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0757 to this issue.
Updated•20 years ago
|
Product: MailNews → Core
Updated•16 years ago
|
Product: Core → MailNews Core
You need to log in
before you can comment on or make changes to this bug.
Description
•