Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 260062 (CVE-2009-0652)

Summary: <www-client/mozilla-firefox-{bin-}3.0.7 IDN URL spoofing (CVE-2009-0652)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-02-23 20:47:21 UTC 
CVE-2009-0652 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0652):
  Mozilla Firefox 3.0.6 does not properly prevent the literal rendering
  of homoglyph characters in IDN domain names, which allows remote
  attackers to spoof URLs and conduct phishing attacks, as demonstrated
  by homoglyphs of the / (slash) and ? (question mark) characters in a
  subdomain of a .cn domain name, a different vulnerability than
  CVE-2005-0233.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-05 23:40:26 UTC 
Fixed in 3.0.7.
Ready to vote, I vote YES (together with #261386).
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2009-06-24 16:44:42 UTC 
YES too, it's already in glsamaker anyway (even drafted).
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:20:56 UTC 
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:03 UTC 
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).