Bug 290892 (CVE-2009-1563) - <www-client/mozilla-firefox-3.5.4: Multiple vulnerabilities (CVE-2009-{1563,3274,3370,3371,3372,3373,3374,3375,3376,3377,3378,3379,3380,3381,3382,3383})
Status: RESOLVED FIXED
Alias: CVE-2009-1563
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/known...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-28 15:15 UTC by David Barrera
Modified: 2013-01-08 01:03 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---



Description David Barrera 2009-10-28 15:15:49 UTC
MFSA 2009-64 (CVE-2009-{3380,3381,3382,3383})
Mozilla developers and community members identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

MFSA 2009-63 (CVE-2009-{3377,3378,3379})
Mozilla upgraded several third party libraries used in media rendering to address multiple memory safety and stability bugs identified by members of the Mozilla community. Some of the bugs discovered could potentially be used by an attacker to crash a victim's browser and execute arbitrary code on their computer. liboggz, libvorbis, and liboggplay were all upgraded to address these issues.

MFSA 2009-62 (CVE-2009-3376)
Mozilla security researchers Jesse Ruderman and Sid Stamm reported that when downloading a file containing a right-to-left override character (RTL) in the filename, the name displayed in the dialog title bar conflicts with the name of the file shown in the dialog body. An attacker could use this vulnerability to obfuscate the name and file extension of a file to be downloaded and opened, potentially causing a user to run an executable file when they expected to open a non-executable file.

MFSA 2009-61 (CVE-2009-3375)
Security researcher Gregory Fleischer reported that text within a selection on a web page can be read by JavaScript in a different domain using the document.getSelection function, violating the same-origin policy. Since this vulnerability requires user interaction to exploit, its severity was determined to be moderate.

MFSA 2009-59 (CVE-2009-1563)
Security researcher Alin Rad Pop of Secunia Research reported a heap-based buffer overflow in Mozilla's string to floating point number conversion routines. Using this vulnerability an attacker could craft some malicious JavaScript code containing a very long string to be converted to a floating point number which would result in improper memory allocation and the execution of an arbitrary memory location. This vulnerability could thus be leveraged by the attacker to run arbitrary code on a victim's computer.

MFSA 2009-57 (CVE-2009-3374)
Mozilla security researcher moz_bug_r_a4 reported that the XPCOM utility XPCVariant::VariantDataToJS unwrapped doubly-wrapped objects before returning them to chrome callers. This could result in chrome privileged code calling methods on an object which had previously been created or modified by web content, potentially executing malicious JavaScript code with chrome privileges.

MFSA 2009-56 (CVE-2009-3373)
Security research firm iDefense reported that researcher regenrecht discovered a heap-based buffer overflow in Mozilla's GIF image parser. This vulnerability could potentially be used by an attacker to crash a victim's browser and run arbitrary code on their computer.

MFSA 2009-55 (CVE-2009-3372)
Security researcher Marco C. reported a flaw in the parsing of regular expressions used in Proxy Auto-configuration (PAC) files. In certain cases this flaw could be used by an attacker to crash a victim's browser and run arbitrary code on their computer. Since this vulnerability requires the victim to have PAC configured in their environment with specific regular expressions which can trigger the crash, the severity of the issue was determined to be moderate.

MFSA 2009-54 (CVE-2009-3371)
Security researcher Orlando Berrera of Sec Theory reported that recursive creation of JavaScript web-workers can be used to create a set of objects whose memory could be freed prior to their use. These conditions often result in a crash which could potentially be used by an attacker to run arbitrary code on a victim's computer.

MFSA 2009-53 (CVE-2009-3274)
Security researcher Jeremy Brown reported that the file naming scheme used for downloading a file which already exists in the downloads folder is predictable. If an attacker had local access to a victim's computer and knew the name of a file the victim intended to open through the Download Manager, he could use this vulnerability to place a malicious file in the world-writable directory used to save temporary downloaded files and cause the browser to choose the incorrect file when opening it. Since this attack requires local access to the victim's machine, the severity of this vulnerability was determined to be low.

MFSA 2009-52 (CVE-2009-3370)
Security researcher Paul Stone reported that a user's form history, both from web content as well as the smart location bar, was vulnerable to theft. A malicious web page could synthesize events such as mouse focus and key presses on behalf of the victim and trick the browser into auto-filling the form fields with history entries and then reading the entries.

Reproducible: Always

Steps to Reproduce:
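The filename spoofing in MFSA 2009-62 above, as an added defender's check that is not part of this bug report or of Mozilla's fix: it flags download filenames containing Unicode bidi control characters and reports the extension the user would be shown next to the one the operating system actually uses. The bidi rendering is a deliberate approximation (text after U+202E is reversed up to the next U+202C), and the sample filename is constructed.

```python
import unicodedata

# Unicode bidi control characters. U+202E (RIGHT-TO-LEFT OVERRIDE) is the one
# MFSA 2009-62 describes; the others can reorder displayed text the same way.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")
POP_DIRECTIONAL = "\u202c"  # ends the span opened by an embedding/override

def find_bidi_controls(name):
    """Return (index, Unicode name) for each bidi control character in name."""
    return [(i, unicodedata.name(c)) for i, c in enumerate(name) if c in BIDI_CONTROLS]

def displayed_form(name):
    """Approximate what a bidi-aware display shows: text after U+202E is
    reversed up to the next U+202C (or end of string); other controls are
    dropped. Simplified on purpose; the real Unicode bidi algorithm is more
    involved, but this is enough to see which extension the user is shown."""
    out, i = [], 0
    while i < len(name):
        c = name[i]
        if c == "\u202e":
            end = name.find(POP_DIRECTIONAL, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])
            i = end + 1
        else:
            if c not in BIDI_CONTROLS:
                out.append(c)
            i += 1
    return "".join(out)

def extension_of(name):
    """Extension after the last dot, lower-cased; empty if there is no dot."""
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""

def check_download_name(name):
    """Compare the extension the OS uses with the one the user would see."""
    real_name = "".join(c for c in name if c not in BIDI_CONTROLS)  # controls stripped for comparison
    shown = displayed_form(name)
    real_ext, shown_ext = extension_of(real_name), extension_of(shown)
    return {
        "has_bidi_controls": bool(find_bidi_controls(name)),
        "displayed": shown,
        "displayed_extension": shown_ext,
        "real_extension": real_ext,
        "extension_mismatch": real_ext != shown_ext,
    }

# Constructed sample: the OS sees "reportfdp.exe", the dialog shows "reportexe.pdf".
SAMPLE = "report\u202efdp.exe"
```

A download manager or mail gateway can refuse or rename any name where `has_bidi_controls` is true, or at least warn when `extension_mismatch` is set.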
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-26 08:50:44 UTC
CVE-2009-1563 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1563):
  Array index error in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x
  before 3.5.4 allows remote attackers to execute arbitrary code via a
  long string that triggers incorrect memory allocation and a
  heap-based buffer overflow during conversion to a floating-point
  number.

CVE-2009-3370 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3370):
  Mozilla Firefox before 3.0.15, and 3.5.x before 3.5.4, allows remote
  attackers to read form history by forging mouse and keyboard events
  that leverage the auto-fill feature to populate form fields, in an
  attacker-readable form, with history entries.

CVE-2009-3371 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3371):
  Use-after-free vulnerability in Mozilla Firefox 3.5.x before 3.5.4
  allows remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code by creating JavaScript
  web-workers recursively.

CVE-2009-3372 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3372):
  Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey
  before 2.0, allows remote attackers to execute arbitrary code via a
  crafted regular expression in a Proxy Auto-configuration (PAC) file.

CVE-2009-3373 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3373):
  Heap-based buffer overflow in the GIF image parser in Mozilla Firefox
  before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0,
  allows remote attackers to execute arbitrary code via unspecified
  vectors.

CVE-2009-3374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3374):
  The XPCVariant::VariantDataToJS function in the XPCOM implementation
  in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 does
  not enforce intended restrictions on interaction between chrome
  privileged code and objects obtained from remote web sites, which
  allows remote attackers to execute arbitrary JavaScript with chrome
  privileges via unspecified method calls, related to "doubly-wrapped
  objects."

CVE-2009-3375 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3375):
  content/html/document/src/nsHTMLDocument.cpp in Mozilla Firefox 3.0.x
  before 3.0.15 and 3.5.x before 3.5.4 allows user-assisted remote
  attackers to bypass the Same Origin Policy and read an arbitrary
  content selection via the document.getSelection function.

CVE-2009-3376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3376):
  Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey
  before 2.0, does not properly handle a right-to-left override (aka
  RLO or U+202E) Unicode character in a download filename, which allows
  remote attackers to spoof file extensions via a crafted filename, as
  demonstrated by displaying a non-executable extension for an
  executable file.

CVE-2009-3377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3377):
  Multiple unspecified vulnerabilities in liboggz before
  cf5feeaab69b05e24, as used in Mozilla Firefox 3.5.x before 3.5.4,
  allow remote attackers to cause a denial of service (application
  crash) or possibly execute arbitrary code via unknown vectors.

CVE-2009-3378 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3378):
  The oggplay_data_handle_theora_frame function in
  media/liboggplay/src/liboggplay/oggplay_data.c in liboggplay, as used
  in Mozilla Firefox 3.5.x before 3.5.4, attempts to reuse an earlier
  frame data structure upon encountering a decoding error for the first
  frame, which allows remote attackers to cause a denial of service
  (NULL pointer dereference and application crash) or possibly execute
  arbitrary code via a crafted .ogg video file.

CVE-2009-3379 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3379):
  Multiple unspecified vulnerabilities in libvorbis, as used in Mozilla
  Firefox 3.5.x before 3.5.4, allow remote attackers to cause a denial
  of service (application crash) or possibly execute arbitrary code via
  unknown vectors.  NOTE: this might overlap CVE-2009-2663.

CVE-2009-3380 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3380):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allow remote
  attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via unknown
  vectors.

CVE-2009-3381 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3381):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox 3.5.x before 3.5.4 allow remote attackers to cause a denial
  of service (memory corruption and application crash) or possibly
  execute arbitrary code via unknown vectors.

CVE-2009-3383 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3383):
  Multiple unspecified vulnerabilities in the JavaScript engine in
  Mozilla Firefox 3.5.x before 3.5.4 allow remote attackers to cause a
  denial of service (memory corruption and application crash) or
  possibly execute arbitrary code via unknown vectors.

Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:55:41 UTC
GLSA request filed.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 15:56:00 UTC
CVE-2009-3274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3274):
  Mozilla Firefox 3.6a1, 3.5.3, 3.5.2, and earlier 3.5.x versions, and
  3.0.14 and earlier 2.x and 3.x versions, on Linux uses a predictable
  /tmp pathname for files selected from the Downloads window, which
  allows local users to replace an arbitrary downloaded file by placing
  a file in a /tmp location before the download occurs, related to the
  Download Manager component. NOTE: some of these details are obtained
  from third party information.

Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 15:56:30 UTC
CVE-2009-3382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3382):
  layout/base/nsCSSFrameConstructor.cpp in the browser engine in
  Mozilla Firefox 3.0.x before 3.0.15 does not properly handle
  first-letter frames, which allows remote attackers to cause a denial
  of service (memory corruption and application crash) or possibly
  execute arbitrary code via unspecified vectors.

Comment 5 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:25 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:34 UTC
This issue was resolved and addressed in GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml by GLSA coordinator Sean Amoss (ackle).