[Pkg-mozext-maintainers] Bug#559267: Sage Firefox extensions vulnerabilities

Alan Woodland awoodland at debian.org
Sun Dec 6 15:39:37 UTC 2009


Hi,

For my sins I'm the maintainer of the Debian package of Sage. I'm
looking at fixing the security bug that was recently reported [1].
Both of your names were mentioned in [2] as reporting the bug.

I'm looking to either prepare my own patch, in which a test case and
some advice would be extremely helpful, or ideally verify and apply an
existing patch. I've read through the two sets of slides at [3], but
there doesn't seem to be much detail on the actual exploit or a test
case. There are some references online to 'the author [of sage] being
made aware of patches', but nothing public that I can find.

Q: Is this a regression of the 2006 vulnerability [4]? Are there more
problems I should be aware of besides that?
Q: How would you suggest dealing with this?

Thanks,
Alan

P.S. If you want to discuss this privately I can send/receive PGP
encrypted mails to my @debian.org address using the key in the Debian
keyring.

[1] http://bugs.debian.org/559267
[2] http://www.securityfocus.com/bid/37120
[3] http://malerisch.net/docs/security_docs.html
[4] http://www.gnucitizen.org/blog/cross-context-scripting-with-sage/




