Bug 91859 - www-client/mozilla-{suite|firefox} Remote compromise (CAN-2005-147{6|7})
Summary: www-client/mozilla-{suite|firefox} Remote compromise (CAN-2005-147{6|7})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Bryan Østergaard (RETIRED)
URL: http://www.mozilla.org/security/annou...
Whiteboard: A2? [glsa] jaervosz
Keywords:
Duplicates: 92321
Depends on:
Blocks:
 
Reported: 2005-05-08 00:12 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2019-11-28 22:21 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-08 00:13:51 UTC
Mozilla please advise.
Comment 2 Adir Abraham 2005-05-08 14:37:00 UTC
Updates (solution?) from Secunia:

Mozilla Firefox is prone to a security vulnerability that could result in the execution of arbitrary code without requiring user interaction.

Initial analysis of the vulnerability reveals that the vulnerability relies on a three-stage attack that may lead to an arbitrary script gaining 'UniversalXPConnect' privileges.

It was observed that this issue might be exploited remotely to take privileged actions on the vulnerable computer in the context of the user that is running the affected browser.

This vulnerability is reported in all versions of Mozilla Firefox browsers up to 1.0.3.

*Update: The cross-site scripting vulnerability that the publicly available exploit relied on in the mozilla.org domain has been fixed. This issue is no longer exploitable through this public attack vector.

Workaround:
Symantec has tested the following workaround that can be used to prevent exploitation of this issue.

Disable JavaScript:
- In the Firefox 'Tools' menu, select 'Options'.
- Select the 'Web Features' dialog.
- Uncheck the 'Enable JavaScript' check box.
- Click the OK button.

http://www.securityfocus.com/bid/13544
Comment 3 Adir Abraham 2005-05-08 14:53:16 UTC
Sorry, the last one was from SecurityFocus.
However, Secunia has this update:

Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.

2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.

NOTE: Exploit code is publicly available.

The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.

Solution:
Disable JavaScript.

http://secunia.com/advisories/15292/
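
Issue 2 in the advisory quoted above comes down to an icon URL being used without checking its scheme. As an added illustration (not part of the bug report and not Mozilla's actual fix), a scheme allow-list for such a parameter could look like this; the function names, the request shape and the sample values are assumptions.

```javascript
// Added example; validateIconUrl, sanitizeInstallItems and the sample data
// are hypothetical names and constructed values, not Mozilla code.
const ALLOWED_ICON_SCHEMES = new Set(['http:', 'https:']);

// Return the absolute icon URL if its scheme is allow-listed, else null.
function validateIconUrl(raw, pageUrl) {
  if (typeof raw !== 'string') return null;
  let url;
  try {
    // The URL parser drops surrounding whitespace and embedded tabs/newlines
    // and lowercases the scheme, so obfuscated spellings of "javascript:"
    // are compared in canonical form.
    url = new URL(raw, pageUrl);
  } catch (err) {
    return null; // unparsable input is rejected, never passed through
  }
  return ALLOWED_ICON_SCHEMES.has(url.protocol) ? url.href : null;
}

// Assumed request shape: { displayName: { URL: ..., IconURL: ... } }.
// Items keep their package URL; a rejected icon becomes null and is reported.
function sanitizeInstallItems(items, pageUrl) {
  const result = { items: {}, rejected: [] };
  for (const [name, item] of Object.entries(items)) {
    const hasIcon = item.IconURL !== undefined;
    const icon = hasIcon ? validateIconUrl(item.IconURL, pageUrl) : null;
    if (hasIcon && icon === null) result.rejected.push(name);
    result.items[name] = { ...item, IconURL: icon };
  }
  return result;
}

// Constructed sample input.
const SAMPLE_PAGE = 'https://addons.example/ext/';
const SAMPLE_ITEMS = {
  'Relative icon': { URL: 'good.xpi', IconURL: 'icons/good.png' },
  'Script icon': { URL: 'a.xpi', IconURL: ' JaVa\tScRiPt:void(0)' },
  'Data icon': { URL: 'b.xpi', IconURL: 'data:text/html,<b>x</b>' },
  'No icon': { URL: 'c.xpi' },
};

console.log(sanitizeInstallItems(SAMPLE_ITEMS, SAMPLE_PAGE).rejected);
```

The check is deliberately an allow-list: anything that is not plain `http:` or `https:` after parsing is refused, rather than trying to enumerate dangerous schemes.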
Comment 4 Jean-François Brunette (RETIRED) gentoo-dev 2005-05-09 06:23:55 UTC
Mozilla is also vulnerable
http://secunia.com/advisories/15296/
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-09 22:41:59 UTC
Mozilla please advise.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-10 09:33:26 UTC
Should we issue a temp GLSA on this?
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-11 06:59:44 UTC
Ubuntu released patches:

https://www.ubuntulinux.org/support/documentation/usn/usn-124-1

Mozilla please provide an updated ebuild.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-11 21:34:48 UTC
*** Bug 92321 has been marked as a duplicate of this bug. ***
Comment 9 Aarni Honka 2005-05-11 21:41:06 UTC
Final 1.0.4 has been released by Mozilla.
Comment 10 Jory A. Pratt 2005-05-12 00:08:35 UTC
1.0.4 added for www-client/mozilla-firefox; bin has not been bumped as of yet.
Comment 11 Jory A. Pratt 2005-05-12 00:10:08 UTC
I marked for ~arch only; all archs need to be added and pushed for stable as soon as possible, seeing all other versions are affected still.
Comment 12 Jory A. Pratt 2005-05-12 00:26:46 UTC
1.0.4-bin is in the TREE; mark stable as soon as possible.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-12 00:31:11 UTC
Thx Jory.

Arches please test and mark stable.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-12 00:50:21 UTC
Mozilla we still need an ebuild for Mozilla Suite 1.7.8.
Comment 16 Adir Abraham 2005-05-12 03:03:47 UTC
CANs are available too:

CAN-2005-1476, CAN-2005-1477
Comment 17 Lars Weiler (RETIRED) gentoo-dev 2005-05-12 05:19:41 UTC
mozilla-firefox-1.0.4 stable on ppc.  Should we stay in this bug for the Mozilla Suite or will it be another bug?
Comment 18 Seemant Kulleen (RETIRED) gentoo-dev 2005-05-12 07:22:58 UTC
stabled on amd64
Comment 19 Gustavo Zacarias (RETIRED) gentoo-dev 2005-05-12 08:54:11 UTC
firefox-1.0.4 sparc stable, waiting for regular moz.
Comment 20 Aron Griffis (RETIRED) gentoo-dev 2005-05-12 08:59:50 UTC
mozilla-1.7.8 and mozilla-bin-1.7.8 are now in portage
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-12 09:19:18 UTC
Thx Aron,

amd64 and sparc please mark Mozilla stable.
Comment 22 Jory A. Pratt 2005-05-12 09:49:25 UTC
*** Bug 92393 has been marked as a duplicate of this bug. ***
Comment 23 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-12 09:55:10 UTC
Handling stable marking for firefox on bug #92393 and mozilla-suite on bug #92394.
Comment 24 Lars Weiler (RETIRED) gentoo-dev 2005-05-12 16:05:05 UTC
Dependencies done for ppc.  Removing from this bug.
Comment 25 Thierry Carrez (RETIRED) gentoo-dev 2005-05-13 01:19:36 UTC
Please follow up to bug 92393 and bug 92394.
Comment 26 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-15 03:28:57 UTC
GLSA 200505-11
Comment 27 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 07:42:46 UTC
Already stable on hppa