Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 198965 - www-client/mozilla-firefox < 2.0.0.11 Multiple vulnerabilities (CVE-2007-{5947,5959,5960})
Summary: www-client/mozilla-firefox < 2.0.0.11 Multiple vulnerabilities (CVE-2007-{594...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27605/
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-12 19:54 UTC by Aniruddha
Modified: 2008-03-06 09:49 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aniruddha 2007-11-12 19:54:30 UTC
Description:
A security issue has been reported in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.

The problem is that the "jar:" protocol handler does not validate the MIME type of the contents of an archive, which are then executed in the context of the site hosting the archive. This can be exploited to conduct cross-site scripting attacks on sites that allow a user to upload certain files (e.g. .zip, .png, .doc, .odt, .txt).

Solution:
Do not follow untrusted "jar:" links or browse untrusted websites.

Provided and/or discovered by:
Reported by Jesse Ruderman in a Bugzilla entry.

Independently discovered by pdp.

Original Advisory:
Mozilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=369814

GNUCITIZEN:
http://www.gnucitizen.org/blog/web-mayhem-firefoxs-jar-protocol-issues

Other References:
US-CERT VU#715737:
http://www.kb.cert.org/vuls/id/715737

Reproducible: Always
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-11-27 01:47:03 UTC
CVE-2007-5959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5959):
  Multiple unspecified vulnerabilities in Mozilla Firefox before 2.0.0.10 and
  SeaMonkey before 1.1.7 allow remote attackers to cause a denial of service
  (crash) and possibly execute arbitrary code via unknown vectors that trigger
  memory corruption.

CVE-2007-5960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5960):
  Mozilla Firefox before 2.0.0.10 and SeaMonkey 1.1.7 sets the Referer header
  to the window or frame in which script is running, instead of the address of
  the content that initiated the script, which allows remote attackers to spoof
  HTTP Referer headers and bypass Referer-based CSRF protection schemes by
  setting window.location and using a modal alert dialog that causes the wrong
  Referer to be sent.

Fixed in Firefox 2.0.0.10
MFSA 2007-39 Referer-spoofing via window.location race condition
MFSA 2007-38 Memory corruption vulnerabilities (rv:1.8.1.10)
MFSA 2007-37 jar: URI scheme XSS hazard

Mozilla herd, please advise.
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2007-11-27 15:01:56 UTC
2.0.0.10 contains a big regression: https://bugzilla.mozilla.org/show_bug.cgi?id=405584

I'm working on it
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-11-29 21:24:35 UTC
The 2.0.0.10 ebuild already contains a fix for the regression mentioned by Raul.

Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.10.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"

Fixes for -bin and seamonkey will follow.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-30 11:00:57 UTC
Stable for HPPA.
Comment 5 Markus Meier gentoo-dev 2007-11-30 11:08:01 UTC
x86 stable
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-11-30 16:57:22 UTC
ppc64 stable
Comment 7 Steve Dibb (RETIRED) gentoo-dev 2007-11-30 21:29:32 UTC
(In reply to comment #3)

> Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.10.

amd64 stable
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-30 22:31:33 UTC
ppc stable
Comment 9 Sebastian 2007-12-01 12:05:01 UTC
Hi all,

FF 2.0.0.11 is out:
http://www.mozilla.com/en-US/products/firefox/2.0.0.11/releasenotes/

Regards
Sebastian
Comment 10 Thomas Tuttle 2007-12-03 16:38:58 UTC
Compiles, merges, and works on amd64.

emerge --info:

Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.22-gentoo-r9 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r9 x86_64 Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz
Timestamp of tree: Mon, 03 Dec 2007 16:00:04 +0000
app-shells/bash:     3.2_p17
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6, 2.5.1-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9-r2
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.cites.uiuc.edu/pub/gentoo/"
LINGUAS="en"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac acl acpi alsa amd64 berkdb bitmap-fonts cli cracklib crypt cups dri flac fortran gdbm gif gpm iconv ipv6 isdnlog jpeg midi mmx mp3 mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre perl png pppd python readline reflection session spl sse sse2 ssl tcpd test truetype-fonts type1-fonts unicode vorbis xorg xv zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="i810 vesa vga"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-12-03 21:00:09 UTC
Security please stabilize 2.0.0.11 instead, since it corrects a very important bug rbu already knows. -bin and not-bin should be in the tree soon.
Comment 12 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 00:53:01 UTC
Arches, please test and mark stable www-client/mozilla-firefox-2.0.0.11.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86"
Already stabled : "alpha ia64 sparc x86"
Missing keywords: "amd64 arm hppa mips ppc ppc64"


Arches, please test and mark stable www-client/mozilla-firefox-bin-2.0.0.11.
Target keywords : "amd64 x86"
Comment 13 Dawid Węgliński (RETIRED) gentoo-dev 2007-12-04 02:11:38 UTC
-bin stable on x86, someone else please test sources ;)
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2007-12-04 10:53:44 UTC
alpha/ia64/sparc/x86 stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2007-12-04 14:46:45 UTC
Please do =net-libs/xulrunner-1.8.1.11 as well, the distfile is in dev.g.o:/space/distfiles-local
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2007-12-04 17:57:19 UTC
ppc64 stable
Comment 17 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-04 19:22:19 UTC
ppc stable
Comment 18 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-05 00:57:54 UTC
Stable for HPPA.
Comment 19 Peter Weller (RETIRED) gentoo-dev 2007-12-06 22:50:22 UTC
Done mozilla-firefox{-bin} for amd64, xulrunner to follow in the morning (GMT)
Comment 20 Peter Weller (RETIRED) gentoo-dev 2007-12-07 07:09:45 UTC
Ok, amd64's all done.
Comment 21 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-08 17:12:50 UTC
Readding HPPA as xulrunner isn't done yet.
Comment 22 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-12 16:29:07 UTC
=net-libs/xulrunner-1.8.1.11 stable for HPPA.
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-12 16:48:55 UTC
glsa time, we'll merge it with the seamonkey draft since it's the same CVE (bug #200909)
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2007-12-18 14:35:16 UTC
mips done
Comment 25 Robert Buchholz (RETIRED) gentoo-dev 2007-12-29 16:13:30 UTC
GLSA 200712-20, thanks everyone.
Comment 26 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:49:53 UTC
Does not affect current (2008.0) release. Removing release.