Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: FIREFOX flaws: nested array sort() loop Stack overflow exception
From: Heikki Toivonen <heikki () osafoundation org>
Date: Thu, 25 Nov 2004 13:17:06 -0800

Berend-Jan Wever wrote:
I'd have loved to CC mozilla about this, but I didn't have the time to do the crash course "how to write a bug report" 
and go through all that bugzilla crap.

Well, Mozilla does have a well know security email alias for those who don't have the time to do a crash course on Bugzilla - see http://www.mozilla.org/projects/security/security-bugs-policy.html (but if you don't have time visit that link, I'll save you the trouble and say it starts with security () mo )

Bugzilla really isn't that difficult either. Below are detailed instructions if anyone cares. Steps 4-6 you can ignore if you already have a Bugzilla account. Step 9 gives detailed info on what to fill in the actual bug reporting form. There are only two critically important pieces on that form: the details text box, and the security checkbox. However, carefully filling in as much information as you can will make it likelier the bug gets fixed faster.

1. Type bugzilla.mozilla.org in your browsers location bar and go there
2. Click the link: "Report A Bug"
3. Either login if you already have an account, or click "create new account". Let's assume we need to create a new account...
4. Type in a valid email address and click "Create Account"
5. [mail] Read email that was sent to the address to get password
6. back on in the browser, click "log in here"
7. fill in your username and password and click "login"
8. Select product link, for example "Firefox"
9. there's a form to fill in, let's go this part over in detail since I think this is the scariest part: 9.1 There is a search box, but if you are reporting a security bug in the latest product, chances are there are no dupes so just jump on over 9.2 Select a component that you think most closely describes where the problem occurs - if you can't figure out, just choose something, for example "General" 9.3 Hardware, operating system and build identifier are already filled in correctly for you if you are reporting the bug in the same product where you found it - if you can't figure these out, don't worry - just describe the stuff later on 9.4 If you know a URL where this happens (for example a testcase), fill that in
9.5 Give a brief summary
9.6 The details are next - basically what you'd put in a vulnerability report email or post goes here 9.7 Next it's going to ask even in more details, just to make sure the developers get all the info - if you already filled these parts in the details section, you can ignore them. The fields are: reproducibility, steps to reproduce, actual results, expected results, additional information 9.8 IMPORTANT: Check that security box! This way your bug will get the speediest attention, and it will also restrict people access to the bug until it is opened (either by you or someone else)
9.9 lastly severity
10. Submit bug report, and you are done!

Then, whenever someone changes the bug, you will get an email of the changes with a link to the bug. People may ask you more questions etc. Commenting on the bug later on is trivial - just go the URL (Bugzilla may ask you to login again), type in your comments in the "Additional Comments" textbox and hit the "Commit" button. There are a lot of other fields, but typically the developers and more experienced Bugzilla users will take care of changing those. At this point the bug basically resembles a normal web forum from user's point of view.

And if you really have the time, I recommend you go read the docs that are linked under the "When reporting a bug" section on https://bugzilla.mozilla.org/

  Heikki Toivonen

Attachment: signature.asc
Description: OpenPGP digital signature

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]