Bug 154449 - www-client/seamonkey: security bump to 1.0.6
Summary: www-client/seamonkey: security bump to 1.0.6
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/annou...
Whiteboard: A2 [glsa]
Reported: 2006-11-08 02:49 UTC by Dax
Modified: 2006-12-10 15:16 UTC

Description Dax 2006-11-08 02:49:15 UTC
multiple vulnerabilities fixed in seamonkey 1.0.6

 http://www.mozilla.org/security/announce/2006/mfsa2006-65.html
Title: Crashes with evidence of memory corruption (rv:1.8.0.8)
Impact: Critical
Announced: November 7, 2006
Reporter: Mozilla Developers
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.8
  Thunderbird 1.5.0.8
  SeaMonkey 1.0.6
Description
As part of the Firefox 1.5.0.8 release we fixed several bugs to improve the
stability of the product. Some of these were crashes that showed evidence of
memory corruption and we presume that at least some of these could be exploited
to run arbitrary code with enough effort.

Note: Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the default
setting and we strongly discourage users from running JavaScript in mail.
Without further investigation we cannot rule out the possibility that for some
of these an attacker might be able to prepare memory for exploitation through
some means other than JavaScript, such as large images or plugin data.
Workaround
Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or the
mail portions of SeaMonkey.
References

Jesse Ruderman and Martijn Wargers reported crashes in the layout engine
https://bugzilla.mozilla.org/show_bug.cgi?id=307809
https://bugzilla.mozilla.org/show_bug.cgi?id=310267
https://bugzilla.mozilla.org/show_bug.cgi?id=350370
https://bugzilla.mozilla.org/show_bug.cgi?id=351328
CVE-2006-5464

shutdown demonstrated that a crash in XML.prototype.hasOwnProperty was
exploitable
https://bugzilla.mozilla.org/show_bug.cgi?id=355569
CVE-2006-5747

Igor Bukanov and Jesse Ruderman reported potential memory corruption in the
JavaScript engine
https://bugzilla.mozilla.org/show_bug.cgi?id=349527
https://bugzilla.mozilla.org/show_bug.cgi?id=351973
https://bugzilla.mozilla.org/show_bug.cgi?id=353165
https://bugzilla.mozilla.org/show_bug.cgi?id=354145
https://bugzilla.mozilla.org/show_bug.cgi?id=354151
https://bugzilla.mozilla.org/show_bug.cgi?id=350238
https://bugzilla.mozilla.org/show_bug.cgi?id=351116
https://bugzilla.mozilla.org/show_bug.cgi?id=352271
https://bugzilla.mozilla.org/show_bug.cgi?id=352606
https://bugzilla.mozilla.org/show_bug.cgi?id=354924
CVE-2006-5748

http://www.mozilla.org/security/announce/2006/mfsa2006-64.html
Mozilla Foundation Security Advisory 2006-64
Title: Crashes with evidence of memory corruption (rv:1.8.0.7)
Impact: Critical
Announced: September 14, 2006
Reporter: Mozilla Developers
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.7
  Thunderbird 1.5.0.7
  SeaMonkey 1.0.5
Description
As part of the Firefox 1.5.0.7 release we fixed several bugs to improve the
stability of the product. Some of these were crashes that showed evidence of
memory corruption and we presume that at least some of these could be exploited
to run arbitrary code with enough effort.

We thank Bernd Mielke, Georgi Guninski, Igor Bukanov, Jesse Ruderman, Martijn
Wargers, Mats Palmgren, Olli Pettay, shutdown, and Weston Carloss for
discovering and reporting these crashes.

Note: Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the default
setting and we strongly discourage users from running JavaScript in mail.
Without further investigation we cannot rule out the possibility that for some
of these an attacker might be able to prepare memory for exploitation through
some means other than JavaScript, such as large images or plugin data.
Workaround
Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or the
mail portions of SeaMonkey.
References
CVE-2006-4571

Bernd Mielke and Mats Palmgren reported crashes involving tables
https://bugzilla.mozilla.org/show_bug.cgi?id=339130
https://bugzilla.mozilla.org/show_bug.cgi?id=339170
https://bugzilla.mozilla.org/show_bug.cgi?id=339246
https://bugzilla.mozilla.org/show_bug.cgi?id=343087
https://bugzilla.mozilla.org/show_bug.cgi?id=344000
https://bugzilla.mozilla.org/show_bug.cgi?id=346980

Georgi Guninski discovered heap corruption using XSLTProcessor
https://bugzilla.mozilla.org/show_bug.cgi?id=348511

Igor Bukanov reported potential memory corruption in the JavaScript engine
https://bugzilla.mozilla.org/show_bug.cgi?id=345967
https://bugzilla.mozilla.org/show_bug.cgi?id=346968
https://bugzilla.mozilla.org/show_bug.cgi?id=348532
https://bugzilla.mozilla.org/show_bug.cgi?id=350312

Jesse Ruderman, Martijn Wargers, Mats Palmgren, Olli Pettay, and Weston Carloss
reported crashes involving DHTML
https://bugzilla.mozilla.org/show_bug.cgi?id=306940
https://bugzilla.mozilla.org/show_bug.cgi?id=307826
https://bugzilla.mozilla.org/show_bug.cgi?id=336999
https://bugzilla.mozilla.org/show_bug.cgi?id=337419
https://bugzilla.mozilla.org/show_bug.cgi?id=337883
https://bugzilla.mozilla.org/show_bug.cgi?id=347355
https://bugzilla.mozilla.org/show_bug.cgi?id=348049
https://bugzilla.mozilla.org/show_bug.cgi?id=205735
https://bugzilla.mozilla.org/show_bug.cgi?id=344291
https://bugzilla.mozilla.org/show_bug.cgi?id=344557
https://bugzilla.mozilla.org/show_bug.cgi?id=348062
https://bugzilla.mozilla.org/show_bug.cgi?id=348729
https://bugzilla.mozilla.org/show_bug.cgi?id=348887
https://bugzilla.mozilla.org/show_bug.cgi?id=321299
https://bugzilla.mozilla.org/show_bug.cgi?id=343457
https://bugzilla.mozilla.org/show_bug.cgi?id=349201
https://bugzilla.mozilla.org/show_bug.cgi?id=348688

shutdown reported it was still possible to corrupt memory via
content-implemented tree views despite the fix for bug 326501
https://bugzilla.mozilla.org/show_bug.cgi?id=344085

http://www.mozilla.org/security/announce/2006/mfsa2006-66.html
Mozilla Foundation Security Advisory 2006-66
Title: RSA Signature Forgery (variant)
Impact: Critical
Announced: November 7, 2006
Reporter: Ulrich Kuehn
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.8
  Thunderbird 1.5.0.8
  SeaMonkey 1.0.6
Description
MFSA 2006-60 reported that RSA digital signatures with a low exponent
(typically 3) could be forged. This flaw was corrected in the Mozilla Network
Security Services (NSS) library version 3.11.3 used by Firefox 2.0 and current
development versions of Mozilla clients.

Ulrich Kuehn reported that Firefox 1.5.0.7, which incorporated NSS version
3.10.2, was incompletely patched and remained vulnerable to a variant of this
attack.
Workaround
None, upgrade to a fixed version.
References
https://bugzilla.mozilla.org/show_bug.cgi?id=356215
CVE-2006-5462

MFSA 2006-60


rgds
Daxomatic
Comment 1 Wolf Giesen (RETIRED) gentoo-dev 2006-11-08 02:58:08 UTC
Accepting bug.
Comment 2 Dax 2006-11-08 11:00:03 UTC
Mozilla team, Please advise again for this one too. ;-)

Br
Daxomatic
Comment 3 Jory A. Pratt 2006-11-08 11:15:12 UTC
(In reply to comment #2)
> Mozilla team, Please advise again for this one too. ;-)
> 
> Br
> Daxomatic
> 

This is not needed, you're wasting our time with emails asking for us to advise when we are working to get the updates into the tree.
Comment 4 Wolf Giesen (RETIRED) gentoo-dev 2006-11-08 11:30:11 UTC
Please bear with him as he's a Padawan in the SecTeam and not a senior bug wrangler yet. You all have been very kind on my stumbling attempts, so I just beg you to have the same patience with Daxomatic. Thanks a lot!
Comment 5 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-08 13:46:45 UTC
Bumped in cvs.
Comment 6 Dax 2006-11-09 04:05:01 UTC
hi,
Arches, please test & mark stable.

rgds
Daxomatic
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-09 10:00:43 UTC
ppc stable
Comment 8 Andrej Kacian (RETIRED) gentoo-dev 2006-11-09 12:37:16 UTC
x86 is off the hook
Comment 9 Michael Weyershäuser 2006-11-10 17:33:42 UTC
Emerges and works fine on amd64.

Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18-suspend2-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.18-suspend2-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.12.6
Last Sync: Wed, 08 Nov 2006 05:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -msse3 -Os -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -msse3 -Os -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distcc distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage_overlay"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa apache2 berkdb bitmap-fonts cairo cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds elibc_glibc emboss encode esd fam firefox fortran gcj gdbm gif gpm gstreamer gtk gtk2 hal iconv imap input_devices_keyboard input_devices_mouse isdnlog jpeg kde kdeenablefinal kdehiddenvisibility kernel_linux libg++ mad mikmod mp3 mpeg mysql ncurses nls nptl nptlonly objc objc++ ogg oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl session spell spl sqlite ssl tcpd test truetype truetype-fonts type1-fonts udev unicode userland_GNU video_cards_radeon vorbis xml xorg xv zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 10 Simon Stelling (RETIRED) gentoo-dev 2006-11-11 04:47:15 UTC
amd64 done then
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-12 10:00:48 UTC
Stable on Alpha.
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2006-11-13 22:29:36 UTC
Stable for HPPA.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 22:08:59 UTC
This one is ready for GLSA.
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-10 15:16:05 UTC
GLSA 200612-08