Re: [Full-Disclosure] FIREFOX flaws: nested array sort() loop Stack overflow exception

From: Heikki Toivonen (heikki_at_osafoundation.org)
Date: 11/25/04

    Date: Thu, 25 Nov 2004 13:17:06 -0800
    To: full-disclosure@lists.netsys.com, vuln-dev@securityfocus.com, bugtraq@securityfocus.com
    
    
    

    Berend-Jan Wever wrote:
    > I'd have loved to CC mozilla about this, but I didn't have the time to do the crash course "how to write a bug report" and go through all that bugzilla crap.

    Well, Mozilla does have a well-known security email alias for those who
    don't have the time to do a crash course on Bugzilla - see
    http://www.mozilla.org/projects/security/security-bugs-policy.html (but
    if you don't have time to visit that link, I'll save you the trouble and
    say it starts with security@mo...)

    Bugzilla really isn't that difficult either. Below are detailed
    instructions if anyone cares. Steps 4-6 you can ignore if you already
    have a Bugzilla account. Step 9 gives detailed info on what to fill in
    the actual bug reporting form. There are only two critically important
    pieces on that form: the details text box, and the security checkbox.
    However, carefully filling in as much information as you can will make
    it likelier the bug gets fixed faster.

    1. Type bugzilla.mozilla.org in your browser's location bar and go there
    2. Click the link: "Report A Bug"
    3. Either login if you already have an account, or click "create new
    account". Let's assume we need to create a new account...
    4. Type in a valid email address and click "Create Account"
    5. [mail] Read email that was sent to the address to get password
    6. Back in the browser, click "log in here"
    7. fill in your username and password and click "login"
    8. Select product link, for example "Firefox"
    9. There's a form to fill in; let's go over this part in detail since I
    think this is the scariest part:
    9.1 There is a search box, but if you are reporting a security bug in
    the latest product, chances are there are no dupes so just jump on over
    9.2 Select a component that you think most closely describes where the
    problem occurs - if you can't figure it out, just choose something, for
    example "General"
    9.3 Hardware, operating system and build identifier are already filled
    in correctly for you if you are reporting the bug in the same product
    where you found it - if you can't figure these out, don't worry - just
    describe the stuff later on
    9.4 If you know a URL where this happens (for example a testcase), fill
    that in
    9.5 Give a brief summary
    9.6 The details are next - basically what you'd put in a vulnerability
    report email or post goes here
    9.7 Next it's going to ask for even more details, just to make sure the
    developers get all the info - if you already filled these parts in the
    details section, you can ignore them. The fields are: reproducibility,
    steps to reproduce, actual results, expected results, additional information
    9.8 IMPORTANT: Check that security box! This way your bug will get the
    speediest attention, and it will also restrict people's access to the bug
    until it is opened (either by you or someone else)
    9.9 lastly severity
    10. Submit bug report, and you are done!

    Then, whenever someone changes the bug, you will get an email of the
    changes with a link to the bug. People may ask you more questions etc.
    Commenting on the bug later on is trivial - just go to the URL (Bugzilla
    may ask you to login again), type in your comments in the "Additional
    Comments" textbox and hit the "Commit" button. There are a lot of other
    fields, but typically the developers and more experienced Bugzilla users
    will take care of changing those. At this point the bug basically
    resembles a normal web forum from a user's point of view.

    And if you really have the time, I recommend you go read the docs that
    are linked under the "When reporting a bug" section on
    https://bugzilla.mozilla.org/

    -- 
       Heikki Toivonen
    
    


