intrigeri wrote (08 Aug 2015 09:19:50 GMT) :
> https://bugzilla.mozilla.org/show_bug.cgi?id=1179262#c30 reads:
> "Notice that "pdfjs.disabled" shall not be used, at least without
> switching the handler." Not sure how one would "switch the handler",
> and perhaps it doesn't mean what I think anyway.
... on the other hand,
https://access.redhat.com/articles/1563163
documents pdfjs.disabled=True as a mitigation. I trust the Red Hat security
team to have verified that it indeed blocks exploitation.
And Arch Linux's ASA-201508-1 also documents the same mitigation.
> Romeo Papa, do you want to research this further? It would be very
> useful to add a mitigation measure when mentioning this security issue
> in the "Known issues" section of the 1.5~rc1 call for testing.
s/add/document/
Cheers,
--
intrigeri