
Bug 326341

Summary: www-client/mozilla-firefox address bar spoofing (CVE-2010-1206)
Product: Gentoo Security
Reporter: Longpoke <longpoke>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: minor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A4 [glsa]
Package list:
Runtime testing required: ---

Description Longpoke 2010-06-30 17:40:39 UTC
There's a vulnerability in all current versions of Mozilla Firefox that allows a web page to launch a new window with an arbitrary website in the address bar.

For more details see here:

Specifically, the first reference of the CVE for an example:

I tested and it works on 3.6.4; someone could backport the patch or bump the Firefox version, I guess.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-30 17:54:35 UTC
The issue is not fixed yet in a released version. As per your second link, Mozilla targets it for 3.6.7. The low severity of this issue does not warrant a backport + stable unless the Mozilla team thinks otherwise.
Comment 2 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:45:32 UTC
This has been fixed in seamonkey 2.0.6 + firefox 3.6.7, older versions are not in-tree anymore. Nothing else for mozilla team to do here.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2010-11-26 20:40:14 UTC
GLSA Vote: yes.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:06:32 UTC
Vote: YES. Added to pending GLSA request.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:18:36 UTC
Vote: YES. Added to pending GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-07-21 14:35:38 UTC
CVE-2010-1206 (
  The startDocumentLoad function in browser/base/content/browser.js in Mozilla
  Firefox 3.5.x before 3.5.11 and 3.6.x before 3.6.7, and SeaMonkey before
  2.0.6, does not properly implement the Same Origin Policy in certain
  circumstances related to the about:blank document and a document that is
  currently loading, which allows (1) remote web servers to conduct spoofing
  attacks via vectors involving a 204 (aka No Content) status code, and allows
  (2) remote attackers to conduct spoofing attacks via vectors involving a
  window.stop call.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:20 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at
by GLSA coordinator Sean Amoss (ackle).