Bug 260062 (CVE-2009-0652) - <www-client/mozilla-firefox-{bin-}3.0.7 IDN URL spoofing (CVE-2009-0652)
Status: RESOLVED FIXED
Alias: CVE-2009-0652
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: https://www.blackhat.com/presentation...
Whiteboard: A4 [glsa]
Reported: 2009-02-23 20:47 UTC by Stefan Behte (RETIRED)
Modified: 2013-01-08 01:03 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 20:47:21 UTC
CVE-2009-0652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0652):
  Mozilla Firefox 3.0.6 does not properly prevent the literal rendering
  of homoglyph characters in IDN domain names, which allows remote
  attackers to spoof URLs and conduct phishing attacks, as demonstrated
  by homoglyphs of the / (slash) and ? (question mark) characters in a
  subdomain of a .cn domain name, a different vulnerability than
  CVE-2005-0233.
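
A defender-side check for the spoofing pattern described above, as an added example that is not part of the original bug report and is not Firefox's fix: it decodes each label of a hostname (including `xn--` punycode labels), flags characters that render like the `/` or `?` URL delimiters, and falls back to the ASCII form for display. The lookalike list, function names and sample hostname are assumptions constructed for illustration.

```python
import unicodedata

# Assumed, non-exhaustive list of code points that render like URL delimiters.
# The bug report does not name the characters; these are chosen for illustration.
DELIMITER_LOOKALIKES = {
    "\u2044": "/",  # FRACTION SLASH
    "\u2215": "/",  # DIVISION SLASH
    "\u29f8": "/",  # BIG SOLIDUS
    "\uff0f": "/",  # FULLWIDTH SOLIDUS
    "\uff1f": "?",  # FULLWIDTH QUESTION MARK
    "\u0294": "?",  # LATIN LETTER GLOTTAL STOP
}

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- (punycode) labels."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # malformed punycode: keep the raw label
            return label
    return label

def find_delimiter_homoglyphs(hostname):
    """Return (label index, code point, Unicode name, imitated delimiter) per hit."""
    findings = []
    for index, label in enumerate(hostname.split(".")):
        for ch in decode_label(label):
            if ch in DELIMITER_LOOKALIKES:
                findings.append((index, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch), DELIMITER_LOOKALIKES[ch]))
    return findings

def safe_display(hostname):
    """Mitigation: show a flagged hostname in its ASCII (xn--) form."""
    if not find_delimiter_homoglyphs(hostname):
        return hostname
    return ".".join(
        label if label.isascii()
        else "xn--" + label.encode("punycode").decode("ascii")
        for label in hostname.split("."))

if __name__ == "__main__":
    # Constructed sample: one label contains U+2044 where a reader expects "/".
    sample = "login.example\u2044account.test"
    print(find_delimiter_homoglyphs(sample))
    print(safe_display(sample))
```

Showing the `xn--` form for a flagged name makes the real registrable domain at the end of the hostname visible instead of text that reads like a path or query string.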
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-05 23:40:26 UTC
Fixed in 3.0.7.
Ready to vote, I vote YES (together with #261386).
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-24 16:44:42 UTC
YES too, it's already in glsamaker anyway (even drafted).
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:20:56 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:03 UTC
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).