From: "Theo de Raadt"
Subject: Re: 18-year-old security flaw in Chromium and Firefox exploited in attacks
To: CIVINULL
Cc: ports@openbsd.org, robert@openbsd.org
Date: Fri, 09 Aug 2024 00:07:53 -0600

CIVINULL wrote:
> https://www.bleepingcomputer.com/news/security/18-year-old-security-flaw-in-firefox-and-chrome-exploited-in-attacks/
>
> I wonder if the sandboxing of Chromium and Firefox on OpenBSD will
> prevent it from being affected by this vulnerability.

Sorry, our sandboxing efforts do not solve this problem.

Instead, the problem was fixed in a series of commits in 1998, when the
OpenBSD kernel stopped considering 255.255.255.255 and 0.0.0.0 as
referring to localhost.

sys/netinet/in.c

revision 1.4
date: 1998/02/25 03:45:14;  author: angelos;  state: Exp;  lines: +20 -4;
Disallow TCP connects to 255.255.255.255 or local broadcast addresses.

revision 1.5
date: 1998/02/25 04:53:09;  author: angelos;  state: Exp;  lines: +2 -2;
Pay attention.

revision 1.7
date: 1998/02/25 23:44:57;  author: deraadt;  state: Exp;  lines: +4 -17;
patch could not have been tested.  panics machine on boot

revision 1.8
date: 1998/02/28 03:39:56;  author: angelos;  state: Exp;  lines: +20 -4;
Another shot at disallowing TCP connections to 255.255.255.255, 0.0.0.0 and
any local broadcast addresses. Tested.

I suspect this work preceded RFCs which didn't require that bizarre
historical behaviour; I have not dug into my mail archives to remember
how this played out.

I forget what protocol worried us back in those days, that led us to fix
it.  Today it is chrome and firefox.  Next year this will be some other
protocol or program, because there are operating systems who don't want
to fix this issue (or issues like it) at the correct layer because they
are unwilling to perform an ecosystem study to find the rare things using
it, force their repair, and then cut out the tumour.
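Added example, not part of Theo's mail and not OpenBSD's in.c code: an application-layer version of the rule the 1998 commits put into the kernel, refusing TCP connects to 0.0.0.0, 255.255.255.255 and the directed broadcast address of any locally attached network. The list of local networks is a constructed sample (assumed to be what the host's interfaces report), and the function names are this example's own. The point of running it per program is exactly what the mail criticises: the kernel fix covers every program once, while this check protects only the program that calls it.

```python
"""
Application-layer check mirroring the 1998 OpenBSD in.c rule:
refuse TCP connects to 0.0.0.0, 255.255.255.255 and any local
directed-broadcast address.  Example code, not OpenBSD's own.
"""
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample of locally configured IPv4 networks.  Assumption:
# on a real host these would come from the interface configuration.
LOCAL_NETWORKS = [
    ipaddress.ip_network("192.168.1.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def reason_to_refuse(dst: str,
                     local_networks: Iterable[ipaddress.IPv4Network] = LOCAL_NETWORKS
                     ) -> Optional[str]:
    """Return why a TCP connect to `dst` should be refused, or None if allowed.

    The three cases are the ones named in the in.c commit messages:
    the unspecified address 0.0.0.0, the limited broadcast address, and
    the directed broadcast address of each local subnet.  None of them
    is a valid TCP peer, and treating 0.0.0.0 as localhost is the
    historical behaviour the browsers were caught by.
    """
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return "not an IP address"
    if addr.version != 4:
        return None  # only the IPv4 cases from the mail are handled here
    if addr.is_unspecified:
        return "unspecified address 0.0.0.0 must not be treated as localhost"
    if addr == LIMITED_BROADCAST:
        return "limited broadcast 255.255.255.255"
    for net in local_networks:
        if addr == net.broadcast_address:
            return f"directed broadcast of local network {net}"
    return None


def connect_guard(dst: str, port: int) -> Tuple[bool, str]:
    """What an application would call immediately before socket.connect()."""
    why = reason_to_refuse(dst)
    if why:
        return False, f"refusing {dst}:{port}: {why}"
    return True, f"ok to connect to {dst}:{port}"


if __name__ == "__main__":
    for target in ("0.0.0.0", "255.255.255.255", "192.168.1.255",
                   "10.255.255.255", "127.0.0.1", "192.168.1.10"):
        print(connect_guard(target, 8080)[1])
```

127.0.0.1 is allowed because it genuinely is localhost; only the aliases the old BSD stack accepted in its place are refused. A kernel that applies this rule in its connect path needs no such wrapper in any program.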