Re: [oss-security] libical 0.47 SEGV on unknown address

[Alan Coopersmith <alan.coopersmith () oracle com>]

On 06/24/16 06:54 AM, Brandon Perry wrote:
> I am posting this to Full Disclosure/OSS instead of reporting it because I have
> opened a handful of libical bugs in the Mozilla bug tracker, alerted
> security () mozilla org <mailto:security () mozilla org>, and worked to show how and
> where to reproduce the bugs in Thunderbird, but Mozilla hasn’t shown any care at
> all about the bugs. Perhaps if I give a sample to the community of the bugs in
> the bug reports, Mozilla will take the bug reports more seriously. This bug
> attached had not been reported yet.

Did you report them to libcial upstream?  http://libical.github.io/libical/

> My roommate mentioned Thunderbird being a second-class citizen in the Mozilla
> world, so if this is the case, this should be made explicit in regards to bug
> bounty expectations.

While Thunderbird is still a beloved child of Mozilla, it's been told it's time
to move out of its parents house and find its own sources of income/support:

https://groups.google.com/d/msg/mozilla.governance/kAyVlhfEcXg/Eqyx1X62BQAJ
https://blog.mozilla.org/thunderbird/2015/12/thunderbird-active-daily-inquiries-surpass-10-million/

--
        -Alan Coopersmith-              alan.coopersmith () oracle com
         Oracle Solaris Engineering - http://blogs.oracle.com/alanc

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/