Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 280234 (CVE-2009-2654)

Summary: <www-client/mozilla-firefox{-bin}-3.5.2 address bar spoofing (CVE-2009-{2654,2665})
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: dark.knight.ita, djcater+gentoobugs, facorread
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.mozilla.org/show_bug.cgi?id=451898
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 280393    
Bug Blocks:    

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-08-03 22:36:18 UTC 
CVE-2009-2654 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2654):
  Mozilla Firefox 3.5.1 and earlier allows remote attackers to spoof
  the address bar, and possibly conduct phishing attacks, via a crafted
  web page that calls window.open with an invalid character in the URL,
  makes document.write calls to the resulting object, and then calls
  the stop method during the loading of the error page.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-04 10:13:33 UTC 
3.5.2 available for download, my guess is that you're already working on it?
Comment 2 Jory A. Pratt gentoo-dev 2009-08-04 12:54:08 UTC 
(In reply to comment #1)
> 3.5.2 available for download, my guess is that you're already working on it?
> 

I am just waiting on a proxy commit to put it in main tree, I have it done up since last night, it is currently avaliable in the mozilla overlay.
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-08-04 19:34:19 UTC 
CVE-2009-2665 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2665):
  The nsDocument::SetScriptGlobalObject function in
  content/base/src/nsDocument.cpp in Mozilla Firefox 3.5.x before
  3.5.2, when certain add-ons are enabled, does not properly handle a
  Link HTTP header, which allows remote attackers to execute arbitrary
  JavaScript with chrome privileges via a crafted web page, related to
  an incorrect security wrapper.
Comment 4 Jory A. Pratt gentoo-dev 2009-08-05 20:10:05 UTC 

*** This bug has been marked as a duplicate of bug 280393 ***
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-08-06 18:05:11 UTC 
Jory, please do not close bugs assigned to security@. If you feel there is a duplicate bug, please leave a comment explaining why.

With regards to firefox: We try to keep issues in 3.5 (only) and in 3.0 (stable) in separate bugs. We may not always keep that idea up in 100% of the cases, but if we handle duplicate issues, please try to clear them up applying this rule.
Comment 6 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-08-20 08:49:37 UTC 
(In reply to comment #5)
> Jory, please do not close bugs assigned to security@. If you feel there is a
> duplicate bug, please leave a comment explaining why.
> 
> With regards to firefox: We try to keep issues in 3.5 (only) and in 3.0
> (stable) in separate bugs. We may not always keep that idea up in 100% of the
> cases, but if we handle duplicate issues, please try to clear them up applying
> this rule.
> 

I think this bug depends on bug 280393 as it's know about stabilizing 3.5.2.

(let me know if I shouldn't add depend/block info on security bugs)
Comment 7 Samuli Suominen (RETIRED) gentoo-dev 2009-10-19 11:07:46 UTC 
amd64 stable
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-09 12:56:07 UTC 
x86 out of here.
Comment 9 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:06 UTC 
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:23 UTC 
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).