Closed Bug 594536 Opened 14 years ago Closed 7 years ago

Bugs found by Marc Schoenefeld's font fuzzer

Categories: Core :: Graphics, defect
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
People: Reporter: bsterne, Unassigned
References: Blocks 1 open bug
Details: Keywords: meta, sec-other; Whiteboard: [sg:nse meta] 3rd-party fuzzer -- keep private

Attached file (deleted) —
Marc Schoenefeld has reported several security bugs that he discovered through the use of his fuzzer, which he has recently been generous enough to share with us. From his email to security@mozilla.org:

---

Hi Brandon,

in order to kick off the font hardening I attached the font fuzzer. It's a simple and almost self-explanatory python prog, and in this form found the bug I reported today (bug 594456).

To get started

1) copy some fonts to the "files" subdirectory; the default is files relative to webserver.py or the path specified with the --files option
2) python webserver.py [--port port (default: 8080)] [--files dir (default: ./files)]
3) fire up a browser under <host>:8080, then click a font to start fuzzing; for each font you have the choice of either getting the font in an embedded data URL or as a linked ttf (separate download).

The fuzzer supports ttf, otf, woff and eot so far. This is work-in-progress and therefore looks ugly in every aspect. I plan to release an improved version in Q4/10, please don't distribute outside of Mozilla before that event.

I look forward to your comments and improvements :)
Attached file (deleted) —
> I plan to release an improved version in Q4/10, please don't distribute outside
> of Mozilla before that event.

I wanted to highlight the part in Marc's email that requests that this work NOT BE SHARED outside of Mozilla until he has had a chance to release his work.
Swapping dependency order
Blocks: fuzz
No longer blocks: 594456, CVE-2010-2770
Depends on: 594456, CVE-2010-2770
Whiteboard: [sg:nse] meta → [sg:nse meta] 3rd-party fuzzer -- keep private
Depends on: 599061
Depends on: 599068
Attachment #507962 - Attachment description: Bug Bounty Awarded + 1000 → Bug Bounty Awarded + 1000 [paid]
Attachment #473202 - Attachment is private: true
Attachment #473203 - Attachment is private: true
Flags: sec-bounty+
Group: core-security → gfx-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Group: gfx-core-security