27 June 2009 21:50
It seems the IMAP client crash I accidentally discovered in Thunderbird/Icedove was already known.
My report is a duplicate of a bug which was previously reported in 2007. Oops.
ObFilm: The Lost Boys
Tags: icedove, mozilla, security, thunderbird
It really is impressive that it's 2 years old and not fixed, though. Still a good find. Maybe that'll convince someone to take care of it.
I've always disagreed with the Mozilla policy that an "instant crash" is a low security issue - After all If my mail/web client exits unexpectedly I'm annoyed regardless of the cause.
It does look like this one is going to be fixed for the next release, but a two year old bug is a surprise.
I guess anything that requires a bogus/broken/buggy IMAP server to trigger is going to be low priority - although DNS spoofing, or other redirection, could make it exploitable its not a realistic attack.
Created by ephemeris.
© Steve Kemp