by michaelt 841 days ago
> Typically, security researchers are held to higher standards when disclosing vulnerabilities. The expectation is that CVEs are assigned for ‘meaningful’ security vulnerabilities, and not for any software fixes that ‘might’ be a security vulnerability.

Maybe that's the aspiration, but it's clearly not the case in practice.

I reported a Firefox bug 12 years ago where a malicious SVG could cause a hang - basically a 22-year-old XML bomb, adapted to SVG patterns. My bug turned out to be a duplicate of a 16-year-old Firefox bug.

No way of stealing user data. No sandbox escape. Not a crash that might indicate a buffer overrun. With a process per tab, it doesn't even crash the browser. It's just a file that takes a very long time to load - and it's not even an image type that user-generated-content sites like Facebook and Reddit allow you to upload. Reasonably enough, 12 years ago it was triaged as a minor performance issue.

Apparently in 2023, this counts as a CVE.

2 comments

12 years ago, Firefox wasn't multi-process. So your bug would likely freeze the entire browser, including the UI. Considering that, back then, Firefox reloaded all tabs when you reopened it, it would keep freezing even if you force-closed it. Fun times.

I actually kept such an SVG bomb around as a demonstration of how badly you could break browsers for many years, to anyone who claimed they were completely secure and unbreakable.

I should go see what happens if I load it now, since what changed was less that it stopped breaking them and more that I stopped having the conversation with many people...

> Considering that, back then, Firefox reloaded all tabs back when you reopened it, it would keep freezing even if you force closed it.

That was always an option, as I recall. I think a non-default option, too. Not sure when they started adding the question about whether you wanted to restore when you started up after a crash/unsafe shutdown.

CVSS 3.1 score is 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L). (You can somewhat argue UI:N but I don't think it applies in this case.)

Lots of corps would spend a non-trivial amount of effort to remediate something with such a score.