On 12/4/2016 11:33 AM, NoOp wrote: > On 12/4/2016 10:16 AM, Lee wrote: > <snip> >> >> nit: has anyone that _knows_ said that the Dec 1 version of SeaMonkey >> 2.47 has the patch for that exploit? > > I tested Adrian's 2.47's per bug report: > https://bugzilla.mozilla.org/show_bug.cgi?id=1321066 > (See comments: 84, 85, and 86 - which for some reason have been marked > as 'offtopic' by ryanvm) > Comment #55 in 1321066 states "You can consider the presence of > MOZ_RELEASE_ASSERT(!mHoldingEntries) in crash reports as confirmation > that the patch has effectively neutralized the problem." > > Adrian's builds that I tested with the test case in comment 25 crashed > with 'MOZ_RELEASE_ASSERT(!mHoldingEntries)': > > SM 2.47 linux 64: > User agent: Mozilla/5.0 (X11; Linux x86_64; rv:50.0) Gecko/20100101 > SeaMonkey/2.47 > Build identifier: 20161201022155 > MOZ_CRASH Reason MOZ_RELEASE_ASSERT(!mHoldingEntries) > > SM 2.47 Windows 32: > User agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:50.0) Gecko/20100101 > SeaMonkey/2.47 > Build identifier: 2016120109390 > MOZ_CRASH Reason MOZ_RELEASE_ASSERT(!mHoldingEntries) > > SM 2.47 Windows 64 > User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) > Gecko/20100101 > SeaMonkey/2.47 > Build identifier: 20161201025712 > MOZ_CRASH Reason MOZ_RELEASE_ASSERT(!mHoldingEntries) > > So given the results and the comments in the bug report regarding > 'MOZ_RELEASE_ASSERT(!mHoldingEntries)' it appears to me that Adrian has > indeed patched those builds agains the exploit. (I'll forward this to > Adrian to see if he can confirm)
Follow-up from Adrian: <quote> I can't do that, as I haven't patched anything. I've just started my builds *after* Mozilla did land the SVG patches on mozilla-release, so I can only assume, that they are in. Only testing (like you did) can ensure, that the patches are really in. </quote> So I reckon that they are good given the crash results as long as the builds that you are using are 20161201 or newer. _______________________________________________ support-seamonkey mailing list [email protected] https://lists.mozilla.org/listinfo/support-seamonkey
