Description:
A security issue has been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.

The problem is that the "jar:" protocol handler does not validate the MIME type of the contents of an archive, which are then executed in the context of the site hosting the archive. This can be exploited to conduct cross-site scripting attacks on sites that allow a user to upload certain files (e.g. .zip, .png, .doc, .odt, .txt).

Solution:
Do not follow untrusted "jar:" links or browse untrusted websites.

Provided and/or discovered by:
Reported by Jesse Ruderman in a Bugzilla entry. Independently discovered by pdp.

Original Advisory:
Mozilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=369814

GNUCITIZEN:
http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues

Other References:
US-CERT VU#715737:
http://www.kb.cert.org/vuls/id/715737

Reproducible: Always
CVE-2007-5959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5959):
Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.10 and SeaMonkey before 1.1.7 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors that trigger memory corruption.

CVE-2007-5960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5960):
Mozilla Firefox before 2.0.0.10 and SeaMonkey 1.1.7 sets the Referer header to the window or frame in which script is running, instead of the address of the content that initiated the script, which allows remote attackers to spoof HTTP Referer headers and bypass Referer-based CSRF protection schemes by setting window.location and using a modal alert dialog that causes the wrong Referer to be sent.

Fixed in Firefox 2.0.0.10
MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard

Mozilla herd, please advise.
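The advisory's hazard for site operators is the second half of the description: any upload that parses as a ZIP archive, whatever its extension or declared type, can be addressed with a jar: URL and its entries rendered in the hosting site's origin. The browser update this bug stabilizes is the real fix; the server-side check below is an added example (not code from this bug, from Mozilla or from Gentoo) of the mitigation an upload handler can apply in the meantime. It assumes a hypothetical site that accepts the file types the advisory lists, treats .zip and .odt as legitimately ZIP-based, and wants to refuse archive structure hidden inside anything else; the sample inputs are constructed inline.

```python
import io
import os
import zipfile

# Upload types the hypothetical site treats as archives by design (ZIP-based
# container formats), chosen for this example from the extensions the advisory lists.
ZIP_BASED_EXTENSIONS = {".zip", ".odt"}


def contains_zip_structure(data: bytes) -> bool:
    """True if the bytes parse as a ZIP archive, wherever the archive starts.

    The affected jar: handler only cares whether the fetched bytes parse as an
    archive, not about extension or Content-Type. ZIP readers locate the archive
    from the end-of-central-directory record at the tail, so a signature check at
    offset 0 alone would miss an archive appended to bytes of another file type.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # testzip() returns None when every entry's CRC checks out.
            return zf.testzip() is None
    except zipfile.BadZipFile:
        return False


def archive_entries(data: bytes) -> list[str]:
    """Names of the entries a jar: URL could address inside this upload ([] if none)."""
    if not contains_zip_structure(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def classify_upload(filename: str, data: bytes) -> str:
    """Return "archive", "reject" or "ok" for an uploaded file.

    "archive": the declared type is itself ZIP-based, so its entries cannot be
               refused; such files belong on a separate origin (or served as an
               attachment) rather than the main site.
    "reject":  the declared type is not an archive but the bytes contain one.
    "ok":      no ZIP structure found.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext in ZIP_BASED_EXTENSIONS:
        return "archive"
    if contains_zip_structure(data):
        return "reject"
    return "ok"


def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed test input: an in-memory ZIP with the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed stand-in for a PNG upload: the 8-byte PNG signature plus filler.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64


if __name__ == "__main__":
    samples = [
        ("note.txt", b"just a text file\n"),
        ("photo.png", SAMPLE_PNG),
        # Image bytes with an archive appended: still a valid ZIP to any reader.
        ("photo.png", SAMPLE_PNG + build_sample_zip({"index.html": b"<p>hello</p>"})),
        ("report.odt", build_sample_zip({"content.xml": b"<x/>"})),
    ]
    for name, blob in samples:
        print(f"{name}: {classify_upload(name, blob)} {archive_entries(blob)}")
```

The check deliberately goes through the ZIP reader rather than grepping for "PK" bytes: a file that merely contains the signature somewhere is harmless, while one that actually opens as an archive is exactly what the jar: handler will treat as one. For the "archive" case the decision is not about the file but about where it is served from, which is why the function only labels it.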
2.0.0.10 contains a big regression: https://bugzilla.mozilla.org/show_bug.cgi?id=405584 I'm working on it
The 2.0.0.10 ebuild already contains a fix for the regression mentioned by Raul.

Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.10.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"

Fixes for -bin and seamonkey will follow.
Stable for HPPA.
x86 stable
ppc64 stable
(In reply to comment #3)
> Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.10.

amd64 stable
ppc stable
Hi all,

FF 2.0.0.11 is out: http://www.mozilla.com/en-US/products/firefox/2.0.0.11/releasenotes/

Regards
Sebastian
Compiles, merges, and works on amd64.

emerge --info:
Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22-gentoo-r9 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r9 x86_64 Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz
Timestamp of tree: Mon, 03 Dec 2007 16:00:04 +0000
app-shells/bash: 3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python: 2.4.4-r6, 2.5.1-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.cites.uiuc.edu/pub/gentoo/"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 berkdb bitmap-fonts cli cracklib crypt cups dri flac fortran gdbm gif gpm iconv ipv6 isdnlog jpeg midi mmx mp3 mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre perl png pppd python readline reflection session spl sse sse2 ssl tcpd test truetype-fonts type1-fonts unicode vorbis xorg xv zlib"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="evdev keyboard mouse synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en"
USERLAND="GNU"
VIDEO_CARDS="i810 vesa vga"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Security please stabilize 2.0.0.11 instead, since it corrects a very important bug rbu already knows. -bin and not-bin should be in the tree soon.
Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.11.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"
Already stabled : "alpha ia64 sparc x86"
Missing keywords: "amd64 arm hppa mips ppc ppc64"

Arches, please test and mark stable www-client/mozilla-firefox-bin-2.0.0.11.
Target keywords : "amd64 x86"
-bin stable on x86, someone else please test sources ;)
alpha/ia64/sparc/x86 stable
Please do =net-libs/xulrunner-1.8.1.11 as well, the distfile is in dev.g.o:/space/distfiles-local
Done mozilla-firefox{-bin} for amd64, xulrunner to follow in the morning (GMT)
Ok, amd64's all done.
Readding HPPA as xulrunner isn't done yet.
=net-libs/xulrunner-1.8.1.11 stable for HPPA.
glsa time, we'll merge it with the seamonkey draft since it's the same CVE (bug #200909)
mips done
GLSA 200712-20, thanks everyone.
Does not affect current (2008.0) release. Removing release.