Quoting: A vulnerability in the chrome protocol scheme allows directory traversal when a "flat" add-on is present, resulting in potential information disclosure. An attacker can use this vulnerability to collect session information, including session cookies and session history. Firefox is not vulnerable by default. Based on this new information Mozilla has changed the security severity rating to high. A fix is included in Firefox 2.0.0.12, which will be available shortly.
References:
http://blog.mozilla.com/security/2008/01/22/chrome-protocol-directory-traversal/
http://blog.mozilla.com/security/2008/01/29/status-update-for-chrome-protocol-directory-traversal-issue/
https://bugzilla.mozilla.org/show_bug.cgi?id=413250
https://bugzilla.mozilla.org/show_bug.cgi?id=413451
http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/
I assume this also affects Linux, but the POC is for Windows only. Mozilla herd, can you advise here? Otherwise, we'd have to dig into that.
I've been told this affects Linux as well, a release is expected for monday.
Thanks, let's wait then.
Hi, www-client/seamonkey is also affected by this. Should seamonkey get its own bug report, or can someone add seamonkey to this bug? firefox-2.0.0.12 and seamonkey-1.1.8 have been released and both contain fixes for this bug.
List of fixes for firefox: http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.12
List of fixes for seamonkey: http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.1.8
Cheers Poly-C
Created attachment 142973 [details, diff] seamonkey-1.1.7-to-1.1.8-patchupdates.diff This diff is for the seamonkey-1.1.7-patches-05 patchset so that the patchset can be used for seamonkey-1.1.8
net-libs/xulrunner-1.8.1.12 www-client/mozilla-firefox[-bin]-2.0.0.12 www-client/seamonkey[-bin]-1.1.8 in the tree
Arches, please test and mark stable:
=www-client/mozilla-firefox-2.0.0.12 Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 release sparc x86"
=www-client/mozilla-firefox-bin-2.0.0.12 Target keywords : "amd64 release x86"
=www-client/seamonkey-1.1.8 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
=www-client/seamonkey-bin-1.1.8 Target keywords : "amd64 release x86"
=net-libs/xulrunner-1.8.1.12 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
alpha/ia64/sparc stable
powerpc done
x86 stable
Re-adding x86: only firefox non-bin has been marked stable... seamonkey and xulrunner are still missing.
Stable for HPPA:
> =www-client/mozilla-firefox-2.0.0.12
> =www-client/seamonkey-1.1.8
> =net-libs/xulrunner-1.8.1.12
net-libs/xulrunner-1.8.1.12 USE="java -debug -gnome -ipv6 -xinerama -xprint"
* Emerges on AMD64.
* Works with mplayerplug-in.
www-client/seamonkey-1.1.8 USE="crypt -debug -gnome -ipv6 -java -ldap -mozdevelop -moznocompose -moznoirc -moznomail -moznopango -moznoroaming -postgres -xforms -xinerama -xprint"
* Emerges on AMD64.
* Works!
Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r3 x86_64)
amd64 done
CVE-2008-0412: The browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via vectors related to the (1) nsTableFrame::GetFrameAtOrBefore, (2) nsAccessibilityService::GetAccessible, (3) nsBindingManager::GetNestedInsertionPoint, (4) nsXBLPrototypeBinding::AttributeChanged, (5) nsColumnSetFrame::GetContentInsertionFrame, and (6) nsLineLayout::TrimTrailingWhiteSpaceIn methods, and other vectors.
CVE-2008-0413: The JavaScript engine in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to cause a denial of service (crash) and possibly trigger memory corruption via (1) a large switch statement, (2) certain uses of watch and eval, (3) certain uses of the mousedown event listener, and other vectors.
CVE-2008-0414: Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to trick the user into uploading arbitrary files via label tags that shift focus to a file input field, aka "focus spoofing."
CVE-2008-0415: Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to execute script outside of the sandbox and conduct cross-site scripting (XSS) attacks via multiple vectors including the XMLDocument.load function, aka "JavaScript privilege escalation bugs."
CVE-2008-0417: CRLF injection vulnerability in Mozilla Firefox before 2.0.0.12 allows remote user-assisted web sites to corrupt the user's password store via newlines that are not properly handled when the user saves a password.
CVE-2008-0418: Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using "flat" addons, allows remote attackers to read arbitrary Javascript, image, and stylesheet files via the chrome: URI scheme, as demonstrated by stealing session information from sessionstore.js.
CVE-2008-0419: Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows remote attackers to steal navigation history and cause a denial of service (crash) via images in a page that uses designMode frames, which triggers memory corruption related to resize handles.
CVE-2008-0591: Mozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 allows user-assisted remote attackers to cause users to confirm a timer-enabled security dialog by using a timer to change the window focus.
CVE-2008-0592: Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows user-assisted remote attackers to cause a denial of service via a plain .txt file with a "Content-Disposition: attachment" and an invalid "Content-Type: plain/text," which prevents Firefox from rendering future plain text files within the browser.
CVE-2008-0593: Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8, modifies the .href property of stylesheet DOM nodes to the final URI of a 302 redirect, which might allow remote attackers to bypass the Same Origin Policy and read sensitive information from the original URL, such as with Single-Signon systems.
CVE-2008-0594: Mozilla Firefox before 2.0.0.12 does not always display a web forgery warning dialog if the entire contents of a web page are in a DIV tag that uses absolute positioning, which makes it easier for remote attackers to conduct phishing attacks.
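The CVE-2008-0418 entry above describes a chrome: URI whose path climbs out of the add-on's directory when the add-on is installed "flat" (unpacked). As an added, defender-side illustration that is not Mozilla's patch and not code from this bug, the check below treats a chrome: URI as a package/provider/path triple and rejects any path that would resolve above the provider root, including percent-encoded and backslash spellings of the parent segment; the names `is_safe_chrome_uri` and `PROVIDERS` are assumptions.

```python
from urllib.parse import unquote, urlsplit

# Assumed layout (illustration only): chrome://<package>/<provider>/<path>,
# where a provider is one of the three chrome providers Gecko exposes.
PROVIDERS = {"content", "skin", "locale"}


def is_safe_chrome_uri(uri: str) -> bool:
    """Return True only if the path stays inside chrome://<package>/<provider>/.

    A resolver that maps chrome: URIs onto a flat add-on directory must
    canonicalise the path before touching the filesystem; this function
    models that canonicalisation as a depth counter over path segments.
    """
    parts = urlsplit(uri)
    if parts.scheme != "chrome" or not parts.netloc:
        return False

    # Decode percent-encoding first so "%2e%2e" is seen as ".." and "%5c"
    # as "\"; then treat backslashes as separators, as a Windows resolver would.
    path = unquote(parts.path).replace("\\", "/")
    segments = path.split("/")[1:]  # drop the empty segment before the first "/"
    if not segments or segments[0] not in PROVIDERS:
        return False

    depth = 0  # how far below the provider root we currently are
    for seg in segments[1:]:
        if seg in ("", "."):
            continue  # empty or current-directory segments do not move us
        if seg == "..":
            depth -= 1
            if depth < 0:
                return False  # climbed above the provider root: traversal
        else:
            depth += 1
    return True
```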
Updated in release snapshot.
Thunderbird-2.0.0.12 is in the tree
Okay, arches please do:
=mail-client/mozilla-thunderbird-2.0.0.12
=mail-client/mozilla-thunderbird-bin-2.0.0.12
And its dep:
=x11-plugins/enigmail-0.95.6-r2
Thanks
ppc64 done
Adding release
ppc stable
mips is going all ~arch.
www-client/seamonkey, www-client/seamonkey-bin, www-client/mozilla-firefox, www-client/mozilla-firefox-bin, net-libs/xulrunner, x11-plugins/enigmail, mail-client/mozilla-thunderbird, mail-client/mozilla-thunderbird-bin are updated in release snapshot.
Other apps than firefox finally stable on ppc.
CVE-2008-0304 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0304): Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.12 and SeaMonkey before 1.1.8 might allow remote attackers to execute arbitrary code via a crafted external-body MIME type in an e-mail message, related to an incorrect memory allocation during message preview.
*** Bug 211602 has been marked as a duplicate of this bug. ***
CVE-2008-0420: modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 does not properly perform certain calculations related to the mColors table, which allows remote attackers to read portions of memory uninitialized via a crafted 8-bit bitmap (BMP) file that triggers an out-of-bounds read within the heap, as demonstrated using a CANVAS element; or cause a denial of service (application crash) via a crafted 8-bit bitmap file that triggers an out-of-bounds read. NOTE: the initial public reports stated that this affected Firefox in Ubuntu 6.06 through 7.10.
CVE-2008-0416 was also fixed in .12, see http://www.mozilla.org/security/announce/2008/mfsa2008-13.html
GLSA 200805-18, sorry for the delay.