Bug 198965 - www-client/mozilla-firefox < 2.0.0.11 Multiple vulnerabilities (CVE-2007-{5947,5959,5960})
Bug#: 198965 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: mailingdotlist@gmail.com
Component: Vulnerabilities
URL:  http://secunia.com/advisories/27605/
Summary: www-client/mozilla-firefox < 2.0.0.11 Multiple vulnerabilities (CVE-2007-{5947,5959,5960})
Keywords:  
Status Whiteboard: A2 [glsa]
Opened: 2007-11-12 19:54 0000
Description:   Opened: 2007-11-12 19:54 0000 
Description:
A security issue has been reported in Mozilla Firefox, which can be exploited
by malicious people to conduct cross-site scripting attacks.

The problem is that the "jar:" protocol handler does not validate the MIME type
of the contents of an archive, which are then executed in the context of the
site hosting the archive. This can be exploited to conduct cross-site scripting
attacks on sites that allow a user to upload certain files (e.g. .zip, .png,
.doc, .odt, .txt).

Solution:
Do not follow untrusted "jar:" links or browse untrusted websites.

Provided and/or discovered by:
Reported by Jesse Ruderman in a Bugzilla entry.

Independently discovered by pdp.

Original Advisory:
Mozilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=369814

GNUCITIZEN:
http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues

Other References:
US-CERT VU#715737:
http://www.kb.cert.org/vuls/id/715737

Reproducible: Always

------- Comment #1 From Robert Buchholz 2007-11-27 01:47:03 0000 ------- 
CVE-2007-5959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5959):
  Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.10 and
  SeaMonkey before 1.1.7 allow remote attackers to cause a denial of service
  (crash) and possibly execute arbitrary code via unknown vectors that trigger
  memory corruption.

CVE-2007-5960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5960):
  Mozilla Firefox before 2.0.0.10 and SeaMonkey 1.1.7 sets the Referer header
  to the window or frame in which script is running, instead of the address of
  the content that initiated the script, which allows remote attackers to spoof
  HTTP Referer headers and bypass Referer-based CSRF protection schemes by
  setting window.location and using a modal alert dialog that causes the wrong
  Referer to be sent.

Fixed in Firefox 2.0.0.10
MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard

Mozilla herd, please advise.

------- Comment #2 From Raúl Porcel 2007-11-27 15:01:56 0000 ------- 
2.0.0.10 contains a big regression:
https://bugzilla.mozilla.org/show_bug.cgi?id=405584

I'm working on it

------- Comment #3 From Robert Buchholz 2007-11-29 21:24:35 0000 ------- 
The 2.0.0.10 ebuild already contains a fix for the regression mentioned by
Raul.

Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.10.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"

Fixes for -bin and seamonkey will follow.

------- Comment #4 From Jeroen Roovers 2007-11-30 11:00:57 0000 ------- 
Stable for HPPA.

------- Comment #5 From Markus Meier 2007-11-30 11:08:01 0000 ------- 
x86 stable

------- Comment #6 From Markus Rothe 2007-11-30 16:57:22 0000 ------- 
ppc64 stable

------- Comment #7 From Steve Dibb 2007-11-30 21:29:32 0000 ------- 
(In reply to comment #3)

> Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.10.

amd64 stable

------- Comment #8 From Tobias Scherbaum 2007-11-30 22:31:33 0000 ------- 
ppc stable

------- Comment #9 From Sebastian 2007-12-01 12:05:01 0000 ------- 
Hi all,

FF 2.0.0.11 is out:
http://www.mozilla.com/en-US/products/firefox/2.0.0.11/releasenotes/

Regards
Sebastian

------- Comment #10 From Thomas Tuttle 2007-12-03 16:38:58 0000 ------- 
Compiles, merges, and works on amd64.

emerge --info:

Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0,
2.6.22-gentoo-r9 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r9 x86_64 Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz
Timestamp of tree: Mon, 03 Dec 2007 16:00:04 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6, 2.5.1-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf
/etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c
/etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict
parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.cites.uiuc.edu/pub/gentoo/"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 berkdb bitmap-fonts cli cracklib crypt cups
dri flac fortran gdbm gif gpm iconv ipv6 isdnlog jpeg midi mmx mp3 mudflap
ncurses nls nptl nptlonly ogg opengl openmp pam pcre perl png pppd python
readline reflection session spl sse sse2 ssl tcpd test truetype-fonts
type1-fonts unicode vorbis xorg xv zlib" ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file
hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route
share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias
authn_anon authn_dbm authn_default authn_file authz_dbm authz_default
authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs
dav_lock deflate dir disk_cache env expires ext_filter file_cache filter
headers include info log_config logio mem_cache mime mime_magic negotiation
rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses
text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="i810 vesa vga"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL,
LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS,
PORTDIR_OVERLAY

------- Comment #11 From Raúl Porcel 2007-12-03 21:00:09 0000 ------- 
Security please stabilize 2.0.0.11 instead, since it corrects a very important
bug rbu already knows. -bin and not-bin should be in the tree soon.

------- Comment #12 From Robert Buchholz 2007-12-04 00:53:01 0000 ------- 
Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.11.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"
Already stabled : "alpha ia64 sparc x86"
Missing keywords: "amd64 arm hppa mips ppc ppc64"


Arches, please test and mark stable www-client/mozilla-firefox-bin-2.0.0.11.
Target keywords : "amd64 x86"

------- Comment #13 From Dawid Węgliński 2007-12-04 02:11:38 0000 ------- 
-bin stable on x86, someone else please test sources ;)

------- Comment #14 From Raúl Porcel 2007-12-04 10:53:44 0000 ------- 
alpha/ia64/sparc/x86 stable

------- Comment #15 From Raúl Porcel 2007-12-04 14:46:45 0000 ------- 
Please do =net-libs/xulrunner-1.8.1.11 as well, the distfile is in
dev.g.o:/space/distfiles-local

------- Comment #16 From Markus Rothe 2007-12-04 17:57:19 0000 ------- 
ppc64 stable

------- Comment #17 From Tobias Scherbaum 2007-12-04 19:22:19 0000 ------- 
ppc stable

------- Comment #18 From Jeroen Roovers 2007-12-05 00:57:54 0000 ------- 
Stable for HPPA.

------- Comment #19 From Peter Weller 2007-12-06 22:50:22 0000 ------- 
Done mozilla-firefox{-bin} for amd64, xulrunner to follow in the morning (GMT)

------- Comment #20 From Peter Weller 2007-12-07 07:09:45 0000 ------- 
Ok, amd64's all done.

------- Comment #21 From Jeroen Roovers 2007-12-08 17:12:50 0000 ------- 
Readding HPPA as xulrunner isn't done yet.

------- Comment #22 From Jeroen Roovers 2007-12-12 16:29:07 0000 ------- 
=net-libs/xulrunner-1.8.1.11 stable for HPPA.

------- Comment #23 From Pierre-Yves Rofes 2007-12-12 16:48:55 0000 ------- 
glsa time, we'll merge it with the seamonkey draft since it's the same CVE (bug
#200909)

------- Comment #24 From Raúl Porcel 2007-12-18 14:35:16 0000 ------- 
mips done

------- Comment #25 From Robert Buchholz 2007-12-29 16:13:30 0000 ------- 
GLSA 200712-20, thanks everyone.

------- Comment #26 From Peter Volkov 2008-03-06 09:49:53 0000 ------- 
Does not affect current (2008.0) release. Removing release.