NetSurf 1.2 security flaws (was: Hi)
John-Mark Bell
jmb at netsurf-browser.org
Fri Jan 16 01:27:18 GMT 2009
On Fri, 16 Jan 2009, John-Mark Bell wrote:
> It would appear that the following solves the issue:
>
> $ cd branches/1
> $ svnmerge merge --revision 5100 netsurf
>
> (then resolve the conflicts). This also hauls in r4001 and r4049.
I should probably point out that while those changes prevent the DOS,
they don't provide a total fix. To do that requires that we audit the
layout code (and I guess anything related to it) to ensure that it
handles under/overflow in calculation results.
This strikes me as something that would benefit from multiple pairs of
eyes. Perhaps it would be sensible to arrange a time to conduct such an
audit?
J.
More information about the netsurf-dev
mailing list