Bug 326341 - www-client/mozilla-firefox address bar spoofing (CVE-2010-1206)
Summary: www-client/mozilla-firefox address bar spoofing (CVE-2010-1206)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: A4 [glsa]
Reported: 2010-06-30 17:40 UTC by Longpoke
Modified: 2013-01-08 01:04 UTC

Description Longpoke 2010-06-30 17:40:39 UTC
There's a vulnerability in all current versions of Mozilla Firefox that allows a web page to launch a new window with an arbitrary website in the address bar.

For more details see here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1206

Specifically, the first reference of the CVE for an example:
http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html

I tested and it works on 3.6.4, someone could backport the patch or bump the Firefox version I guess.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-30 17:54:35 UTC
The issue is not fixed yet in a released version. As per your second link, Mozilla targets it for 3.6.7. The low severity of this issue does not warrant a backport + stable unless the Mozilla team thinks otherwise.
Comment 2 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:45:32 UTC
This has been fixed in seamonkey 2.0.6 + firefox 3.6.7, older versions are not in-tree anymore. Nothing else for mozilla team to do here.

http://www.mozilla.org/security/announce/2010/mfsa2010-45.html
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2010-11-26 20:40:14 UTC
GLSA Vote: yes.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:06:32 UTC
Vote: YES. Added to pending GLSA request.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:18:36 UTC
Vote: YES. Added to pending GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-07-21 14:35:38 UTC
CVE-2010-1206 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1206):
  The startDocumentLoad function in browser/base/content/browser.js in Mozilla
  Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before
  2.0.6, does not properly implement the Same Origin Policy in certain
  circumstances related to the about:blank document and a document that is
  currently loading, which allows (1) remote web servers to conduct spoofing
  attacks via vectors involving a 204 (aka No Content) status code, and allows
  (2) remote attackers to conduct spoofing attacks via vectors involving a
  window.stop call.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:20 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).