Re: swfdec 0.6.8 stable update

[Marcus Meissner <meissner () suse de>]

On Tue, Aug 19, 2008 at 06:22:57PM +0200, Nico Golde wrote:
> Hi Marcus,
> * Marcus Meissner <meissner () suse de> [2008-08-19 16:48]:
> > Wonder if we should track updates for swfdec. The 0.6.8 announcement
> > looks like it at least fixes several Denial of Service problems:
> [...] 
> I have problems to understand why this would be a Denial of 
> Service. While I don't share the opinion about browser 
> crashes I think there are at least good arguments for both 
> sides.

If it can be triggered by a SWF on the website, I would perhaps
call it a security issue.

If it crashes the SWF mozilla plugin and so the browser, it is
a denial of service in my eyes.

More importantly if code execution is possible.


I have however not researched those further (just saw the changelog as
packager of swfdec), and currently swfdec itself is probably not yet
fully production ready anyway.

> But if swfdec crashes on playing a flash movie this 
> looks like an application bug. At least I wouldn't talk 
> about Denial of Service if vim would crash on opening a text 
> file.

Yeah.

> It would be interesting what is causing this crash and if 
> there is underlying a more serious issue.

Not really investigated and no time :/ Since swfdec is beta and not yet
wildy iin use we could let it rest.

Ciao, Marcus