[Secure-testing-team] [Secure-testing-commits] r14905 - data/CVE

Michael Gilbert michael.s.gilbert at gmail.com
Tue Jul 6 03:07:44 UTC 2010


On Tue, 6 Jul 2010 00:38:42 +0200 Nico Golde wrote:
> > in this particular case (as with many chrome CVEs), the only reference
> > available is the proof-of-concept.  lacking any other source of
> > information, direct testing of the poc is really the only thing that
> > can be done.
> > 
> > also, in this particular case, testing the poc makes it very clear that
> > chrome is affected whereas webkit is not.  i tested other webkit-based
> > browsers and they take me to yahoo when clicking the malicious link (as
> > specified when hovered over), but chrome takes me to a non-yahoo link
> > (even though it says yahoo when hovered over).
> 
> This contradicts what Guiseppe wrote in his mail stating that the PoC works 
> with *no* browser and this is a perfect example on why this description should 
> be more verbose.

based on retesting the issue today, i've found that the poc still works
against chromium; not sure what i can say about others not coming to
the same conclusions.  

> [...] 
> > if there is concrete evidence that this is insufficient, i am willing
> > to reconsider, but at this point, i'm not convinced.
> 
> I think my other mail in reply to Guiseppe already answers the rest. This mail 
> was not meant to enforce a description policy, but I'm sure we can do better.

verbosity is a laudable goal, and i will certainly make an effort to do
better from now on.  usually i do take a reasonable amount of time to
think about and enter a detailed description, but in this case and a few
others i didn't, since they were among about 60 webkit issues that i
triaged all at once.  anyway, i shouldn't be making excuses; i should
be doing a complete job.  however, if i am to be pressured to be more
verbose, then i think it should be no longer acceptable to use such
ambivalent statements as "minor issue" anymore either.

best wishes,
mike


