Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-10-02 Thread Jimby Sharp
Also notice that if there is really a problem in FF javascript engine it goes beyond the browser. You could run Tamarin, Spidermonkey or Rhino on the server side and perform some processing there with javascript. For heaven's sake please try to understand that it is not a problem at all.

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-10-01 Thread wac
Hello: On 9/29/07, Andrew Farmer [EMAIL PROTECTED] wrote: If your bank is doing financial calculations using Javascript in a standard web browser, you have bigger things to worry about than roundoff errors. Ok let's explain this with more details because I realize that you got something

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-10-01 Thread wac
If I use strcpy() to read user input into a buffer, I am at fault and not C compiler. I don't think that's a fair comparison. If you make the right algorithm and you do not get the expected results *is* not your fault but what are you sitting at (compiler, framework, library ...).

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-10-01 Thread Valdis . Kletnieks
On Mon, 01 Oct 2007 13:33:20 EDT, wac said: If I use strcpy() to read user input into a buffer, I am at fault and not C compiler. I don't think that's a fair comparison. If you make the right algorithm and you do not get the expected results *is* not your fault but what are you

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-30 Thread Jimby Sharp
Exactly! And the so called security experts who are giving long lectures in the list about how any bug can result in a potential security flaw, they are forgetting that if a security flaw arises it arises because of the programmer and not Firefox. If I use strcpy() to read user input into a

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-30 Thread James Matthews
Correct! The line is always "there is no patch for human stupidity". On 9/29/07, Jimby Sharp [EMAIL PROTECTED] wrote: Exactly! And the so called security experts who are giving long lectures in the list about how any bug can result in a potential security flaw, they are forgetting that if a

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-29 Thread wac
Hello: On 9/28/07, Jimby Sharp [EMAIL PROTECTED] wrote: How is this serious and is it related to security in any manner? If not, please do not spam. :-( Many bugs are security related (I would say all). How it is security related? Think. What happens if your bank calculates something wrong

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-29 Thread full-disclosure
Not so much it required such a long thread. On Fri, 28 Sep 2007 15:29:18 -0400 Rodrigo Barbosa [EMAIL PROTECTED] wrote: On Fri, Sep 28, 2007 at 09:09:02PM +0200, Michal Zalewski wrote: On Sat, 29 Sep 2007, Jimby Sharp wrote: I don't get the same

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-29 Thread Bob Clary
carl hardwick wrote: There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong subtractions. PoC concept here: javascript:5.2-0.1 (copy this code into address bar) Firefox 2.0.0.7 result: 5.1005 (WRONG!) Internet Explorer 7 result: 5.1 (OK) Please read

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug [FIB FOUND/CONFIRMED]

2007-09-29 Thread Susam Pal
Compile and run this.

#include <stdio.h>

int main(int argc, char **argv)
{
    float a = 0.7;
    if(a == 0.7) {
        printf("%f is equal to %f\n", a, 0.7);
    } else {
        printf("%f is not equal to %f\n", a, 0.7);
    }
}

On many implementations (not necessarily all implementations) you will get the output

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-29 Thread Jimby Sharp
Go and read floating point math. On 9/29/07, wac [EMAIL PROTECTED] wrote: Many bugs are security related (I would say all). How it is security related? Think. What happens if your bank calculates something wrong and puts the lower in your account and the higher in another account? Yes It

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-29 Thread Andrew Farmer
On 28 Sep 07, at 19:25, wac wrote: On 9/28/07, Jimby Sharp [EMAIL PROTECTED] wrote: How is this serious and is it related to security in any manner? If not, please do not spam. :-( Many bugs are security related (I would say all). How it is security related? Think. What happens if your bank

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Steven Adair
So are we dealing with an RDCB (Recently Disclosed Calculation Bug) or was this just a mistake? Steven Actually, I see 5.1005 in both browsers. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.eweek.com/cheap_hack/ Contributing Editor, PC

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Mukul Dharwadkar
This is not only Firefox 2.0.0.7. I still have 2.0.0.5 and it still shows the 5.1005. Of course if you understand floating point and the level of accuracy needed, I don't see how this could be serious. And I don't see a way this being exploited to give RCE. Mukul Dharwadkar

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Larry Seltzer
Actually, I see 5.1005 in both browsers. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.eweek.com/cheap_hack/ Contributing Editor, PC Magazine [EMAIL PROTECTED]

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug [FIB FOUND/CONFIRMED]

2007-09-28 Thread Larry Seltzer
..perhaps one day, this will be exploitable. Consider the possibilities for this code: If ((4.2-0.1) != 4.1) { exploit_client(); } Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.eweek.com/cheap_hack/ Contributing Editor, PC Magazine [EMAIL PROTECTED]

[Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread carl hardwick
There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong subtractions. PoC concept here: javascript:5.2-0.1 (copy this code into address bar) Firefox 2.0.0.7 result: 5.1005 (WRONG!) Internet Explorer 7 result: 5.1 (OK)

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug [FIB FOUND/CONFIRMED]

2007-09-28 Thread blah
IE7 was fine for me, showed up in FF 2.0.0.7 However, I think it's much wider-spread than initially thought. I found the same most unsettling results using: javascript:4.2-0.1 javascript:3.2-0.1 javascript:2.2-0.1 I did not have time to try more, but obviously all of you can see the

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Michal Zalewski
On Fri, 28 Sep 2007, carl hardwick wrote: javascript:5.2-0.1 Firefox 2.0.0.7 result: 5.1005 (WRONG!) This is a proper behavior of IEEE 754 64-bit double float, which, IIRC, is precisely what ECMA standard mandates. You will get the same from any C-style 'double' arithmetics.

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Larry Seltzer
Firefox 2.0.0.7 result: 5.1005 (WRONG!) Internet Explorer 7 result: 5.1 (OK) Maybe they're using Excel 2007 for their math. Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blogs.eweek.com/cheap_hack/ Contributing Editor, PC Magazine [EMAIL PROTECTED]

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Jimby Sharp
How is this serious and is it related to security in any manner? If not, please do not spam. :-( And go and learn some floating point maths. On 9/28/07, carl hardwick [EMAIL PROTECTED] wrote: There's a flaw in Firefox 2.0.0.7 allows javascript to execute wrong subtractions. PoC concept here:

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread full-disclosure
Dear Jimby, Please read the list charter. What if this issue has security implications that we are unaware of? It is important to saturate this list with any and all reports of software misbehavior (or perceived misbehavior) so that Vladis and the other aged mailing list participants can

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Susam Pal
Let's take this C code.

#include <stdio.h>

int main(int argc, char **argv)
{
    float a = 0.7;
    if(a == 0.7) {
        printf("%f is equal to %f\n", a, 0.7);
    } else {
        printf("%f is not equal to %f\n", a, 0.7);
    }
}

On many implementations (not necessarily all implementations) we will get the

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Daniel Veditz
carl hardwick wrote: PoC concept here: javascript:5.2-0.1 (copy this code into address bar) Firefox 2.0.0.7 result: 5.1005 (WRONG!) Internet Explorer 7 result: 5.1 (OK) In IE7 and Opera I get the same thing you do for Firefox. This is not surprising because the ECMAScript

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Brian Kim
On 9/28/07, Susam Pal [EMAIL PROTECTED] wrote: Let's take this C code.

#include <stdio.h>

int main(int argc, char **argv)
{
    float a = 0.7;
    if(a == 0.7) {
        printf("%f is equal to %f\n", a, 0.7);
    } else {
        printf("%f is not equal to %f\n", a, 0.7);
    }
}

On many implementations

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Susam Pal
Yes. If one operand of a binary operator is of double type and the other is of float type, then it is converted to double before the operator operates. In this case when float type 0.7 is converted to double type, the converted value is not exactly equal to double type 0.7. It can never be on

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Jimby Sharp
Michal I don't get the same from C-style double arithmetics. Could you provide a sample code that you believe should show the same behavior? On 9/28/07, Michal Zalewski [EMAIL PROTECTED] wrote: On Fri, 28 Sep 2007, carl hardwick wrote: javascript:5.2-0.1 Firefox 2.0.0.7 result:

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Michal Zalewski
On Sat, 29 Sep 2007, Jimby Sharp wrote: I don't get the same from C-style double arithmetics. Could you provide a sample code that you believe should show the same behavior? If you don't, it's presumably because the subtraction is optimized out by the compiler, or because you printf() with an

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Rodrigo Barbosa
On Fri, Sep 28, 2007 at 09:09:02PM +0200, Michal Zalewski wrote: On Sat, 29 Sep 2007, Jimby Sharp wrote: I don't get the same from C-style double arithmetics. Could you provide a sample code that you believe should show the same behavior? If

Re: [Full-disclosure] Firefox 2.0.0.7 has a very serious calculation bug

2007-09-28 Thread Jimby Sharp
Thanks. On 9/29/07, Michal Zalewski [EMAIL PROTECTED] wrote: On Sat, 29 Sep 2007, Jimby Sharp wrote: I don't get the same from C-style double arithmetics. Could you provide a sample code that you believe should show the same behavior? If you don't, it's presumably because the subtraction
