NetSurf 1.2 security flaws (was: Hi)

John-Mark Bell jmb at netsurf-browser.org
Fri Jan 16 01:27:18 GMT 2009


On Fri, 16 Jan 2009, John-Mark Bell wrote:

> It would appear that the following solves the issue:
>
>  $ cd branches/1
>  $ svnmerge merge --revision 5100 netsurf
>
> (then resolve the conflicts). This also hauls in r4001 and r4049.

I should probably point out that while those changes prevent the DoS,
they don't provide a total fix. To do that requires that we audit the 
layout code (and I guess anything related to it) to ensure that it 
handles under/overflow in calculation results.

This strikes me as something that would benefit from multiple pairs of 
eyes. Perhaps it would be sensible to arrange a time to conduct such an
audit?


J.
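
As an added illustration of what such an audit would look for (this is not NetSurf code, and the `box_dims` structure and function names are hypothetical), the sketch below shows layout-style width calculations that report under/overflow instead of letting the result wrap:

```c
#include <limits.h>
#include <stdbool.h>

/* Hypothetical box model for illustration; not NetSurf's real structures. */
struct box_dims {
    int width;       /* content width, px */
    int padding[2];  /* left, right */
    int border[2];   /* left, right */
    int margin[2];   /* left, right; may be negative */
};

/* *acc += b, refusing the operation if it would overflow or underflow. */
bool checked_add(int *acc, int b)
{
    if ((b > 0 && *acc > INT_MAX - b) || (b < 0 && *acc < INT_MIN - b))
        return false;
    *acc += b;
    return true;
}

/* Outer width of a box. Fails on wrap-around or a negative result, so the
 * caller never sizes or indexes a buffer with a bogus dimension. */
bool box_outer_width(const struct box_dims *d, int *out)
{
    int total = d->width;
    if (total < 0)
        return false;
    for (int i = 0; i < 2; i++) {
        if (!checked_add(&total, d->padding[i]) ||
            !checked_add(&total, d->border[i]) ||
            !checked_add(&total, d->margin[i]))
            return false;
    }
    if (total < 0)
        return false;
    *out = total;
    return true;
}

/* Resolve a percentage width against the available width, computing the
 * product in a wider type before narrowing back to int. */
bool scale_percent(int avail, int pct, int *out)
{
    if (avail < 0 || pct < 0)
        return false;
    long long r = (long long)avail * pct / 100;
    if (r > INT_MAX)
        return false;
    *out = (int)r;
    return true;
}
```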


