Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 105396 - www-client/mozilla[-firefox][-bin]: Multiple security fixes in 1.0.7 / 1.7.12
Summary: www-client/mozilla[-firefox][-bin]: Multiple security fixes in 1.0.7 / 1.7.12
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major
Assignee: Gentoo Security
URL: http://www.mozilla.org/projects/secur...
Whiteboard: A2 [glsa] koon
Keywords:
: 106787 106819 106939 107035 107111 (view as bug list)
Depends on:
Blocks: 106713
  Show dependency tree
 
Reported: 2005-09-09 09:04 UTC by Sebastian Krämer
Modified: 2006-03-23 19:44 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Krämer 2005-09-09 09:04:48 UTC
from http://www.security-protocols.com/modules.php?name=News&file=article&sid=2910 :

A buffer overflow vulnerability exists within Firefox version 1.0.6 and all
other prior versions which allows for an attacker to remotely execute arbitrary
code on a affected host.

Reproducible: Always
Steps to Reproduce:
close important windows/tabs of firefox and visit the given URL
Actual Results:  
crash

Expected Results:  
no crash

although there is no patch yet, it is said to be circumventable by setting
network.enableIDN = false (in about:config)
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-09-09 23:19:29 UTC
Auditors/Mozilla please advise. 
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-10 07:52:38 UTC
I can reproduce the crash, but if all you can write past the bounds of the heap 
buffer is a long string of dashes, I seriously doubt this is exploitable.

This looks like a mostly harmless crash due to heap corruption. Has anyone seen 
anything to suggest this is anything more?
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-10 08:03:23 UTC
Okay, a post to full-disclosure claims that exploitation is possible, so I guess 
there's more to this than meets the eye.
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2005-09-10 08:04:22 UTC
Yes, looks like I spoke too soon, from the mozilla bug:

------- Additional Comment #15 From Josh Bressers 2005-09-09 08:03 PDT [reply] -
------ 

Can anyone verify that this issue ONLY works if the hostname is all -'s?  While
this will still be a crash, it won't allow arbitrary code execution.

------- Additional Comment #16 From David Baron 2005-09-09 08:44 PDT [reply] ---
---- 

Wrong, since there's stuff appended to the buffer after the hostname.

Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-09-11 02:58:02 UTC
(Gentoo) Mozilla team : it might be a good idea to release a patched src-based
version because I don't know how much time it will take upstream to release, and
that would allow us to publish a GLSA with workaround for the other versions...

Let me know what you think about this.
Comment 7 Gergan Penkov 2005-09-12 05:57:47 UTC
There is an easy way to set this key to false for binary and source installs,
you will have to install from the ebuild a preferences-file.
So I give it a name gentoo-default-prefs.js and it must contain the following line:
pref("network.enableIDN",                false);
After that in src_install, you'll need sth like this:
        dodir ${D}/${MOZILLA_FIVE_HOME}/greprefs
        cp ${FILESDIR}/gentoo-default-prefs.js
${D}/${MOZILLA_FIVE_HOME}/greprefs/all-gentoo.js
        dodir ${D}/${MOZILLA_FIVE_HOME}/defaults/pref
        cp ${FILESDIR}/gentoo-default-prefs.js
${D}/${MOZILLA_FIVE_HOME}/defaults/pref/all-gentoo.js
The problem is that with this setting, the firefox survive the simple test-cases
as http://www.security-protocols.com/firefoxwin32-death.html and
https://bugzilla.mozilla.org/attachment.cgi?id=195056 but in some way
http://www.security-protocols.com/modules.php?name=News&file=article&sid=2910
freezes it and opera, although opera recovers in 15 sec here.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-09-13 06:48:41 UTC
Mozilla team: please bump Mozilla and Firefox source versions with
https://bugzilla.mozilla.org/attachment.cgi?id=195425 (or comment if you prefer
not to)
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2005-09-15 04:48:41 UTC
Arches, please test an mark -r7 stable, thanks.
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-09-15 05:01:52 UTC
You can use :
http://www.security-protocols.com/firefoxwin32-death.html
to test for vulnerability.
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-09-15 05:16:44 UTC
Mozilla src ebuild is in too...

Arches should test and mark :
mozilla-1.7.11-r3 (target keywords = "alpha amd64 hppa ia64 ppc ~ppc64 sparc x86")
mozilla-firefox-1.0.6-r7 (target keywords = "alpha amd64 ~arm hppa ia64 ppc
sparc x86")
Comment 12 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-15 10:42:18 UTC
Stable on ppc.
Comment 13 postmodern 2005-09-15 10:53:56 UTC
Compiling mozilla-firefox-1.0.6-r7 as we speak, but the test vuln dosn't work on
my amd64 box.

Gentoo Base System version 1.6.13
Portage 2.0.51.22-r2 (default-linux/amd64/2005.0, gcc-3.4.4, glibc-2.3.5-r1,
2.6.12-gentoo-r6 x86_64)
=================================================================
System uname: 2.6.12-gentoo-r6 x86_64 AMD Athlon(tm) 64 Processor 3400+
dev-lang/python:     2.3.5-r2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-pipe -O3 -march=k8"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-pipe -O3 -march=k8"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X aac alsa avi berkdb bitmap-fonts cdr crypt curl dvd dvdread eds
emboss encode esd fam flac foomaticdb fortran gif gnome gpm gstreamer gtk gtk2
imlib ipv6 jpeg libvisual lzw lzw-tiff mp3 mpeg ncurses network nls ogg
oggvorbis opengl pam pdflib perl png python quicktime readline samba sdl softmmu
speex spell sqlite ssl tcpd theora tiff truetype-fonts type1-fonts usb
userlocales vorbis xine xml2 xpm xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS

Comment 14 postmodern 2005-09-15 13:09:40 UTC
mozilla-firefox-1.0.6-r7 stable on amd64.
Comment 15 Mark Loeser (RETIRED) gentoo-dev 2005-09-15 18:29:04 UTC
mozilla-firefox-1.0.6-r7 is stable on x86
Comment 16 Mark Loeser (RETIRED) gentoo-dev 2005-09-15 23:05:58 UTC
mozilla-1.7.11-r3 is stable on x86 as well.
Comment 17 postmodern 2005-09-16 10:20:25 UTC
mozilla-1.7.11-r3 stable on amd64.
Comment 18 Luis Medinas (RETIRED) gentoo-dev 2005-09-16 10:57:36 UTC
AMD64 done.
Comment 19 Simon Stelling (RETIRED) gentoo-dev 2005-09-16 11:00:41 UTC
re-adding amd64 since we're still waiting for an updated mozilla{-firefox}-bin
Comment 20 postmodern 2005-09-16 11:22:01 UTC
Which versions of mozilla{-firefox}-bin do we need to test on amd64? From the
latest sync, the only ~amd64 version among these packages is mozilla-bin-1.7.11.
Comment 21 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-09-16 13:31:07 UTC
Marked stable on alpha:

mozilla-1.7.11-r3
mozilla-firefox-1.0.6-r7
Comment 22 Markus Rothe (RETIRED) gentoo-dev 2005-09-17 00:19:16 UTC
added ~ppc64 to  mozilla-1.7.11-r3 
Comment 23 René Nussbaumer (RETIRED) gentoo-dev 2005-09-17 01:22:17 UTC
Stable on hppa
Comment 24 Thierry Carrez (RETIRED) gentoo-dev 2005-09-17 06:37:06 UTC
To amd64: No -bin versions yet... Those will be 1.0.7 and 1.7.12.
Waiting on sparc to release temporary GLSA.
Comment 25 Jason Wever (RETIRED) gentoo-dev 2005-09-17 16:05:23 UTC
Stable on SPARC.
Comment 26 Thierry Carrez (RETIRED) gentoo-dev 2005-09-18 13:31:20 UTC
GLSA 200509-11
ia64 should mark stable to benefit from GLSA
Comment 27 Thierry Carrez (RETIRED) gentoo-dev 2005-09-18 13:32:14 UTC
Hm. Keeping the bug open to remember to update GLSA when the -bin fixed versions
are out.
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-09-21 07:35:20 UTC
Firefox 1.0.7 is out, we need the -bin version in.
Comment 29 Thierry Carrez (RETIRED) gentoo-dev 2005-09-21 07:35:33 UTC
*** Bug 106787 has been marked as a duplicate of this bug. ***
Comment 30 Jakub Moc (RETIRED) gentoo-dev 2005-09-21 13:21:29 UTC
*** Bug 106819 has been marked as a duplicate of this bug. ***
Comment 31 Thierry Carrez (RETIRED) gentoo-dev 2005-09-22 01:21:42 UTC
Note: 1.0.7 also fixes the "Command Line URL Shell Command Injection
vulnerability" but it isn't clear that it affects us, due to wrapper scripts...
Can anyone reproduce it on Gentoo ?
Comment 32 Alan McGinlay 2005-09-22 14:06:50 UTC
I just tested the example exploit on gentoo, it did not seem to have any effect.

I used the example given in this thread:

https://bugzilla.mozilla.org/show_bug.cgi?id=307185#c0
Comment 33 Alan McGinlay 2005-09-22 14:08:51 UTC
forgot to include:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050725 Firefox/1.0.6
Comment 34 Jakub Moc (RETIRED) gentoo-dev 2005-09-22 21:42:31 UTC
*** Bug 106939 has been marked as a duplicate of this bug. ***
Comment 35 Tobias Sager 2005-09-23 02:52:29 UTC
This is the complete list of fixes in 1.0.7:
http://www.mozilla.org/security/announce/mfsa2005-58.html

Would say, severity goes up.. push -bin ahead.
Comment 36 Thierry Carrez (RETIRED) gentoo-dev 2005-09-23 05:57:41 UTC
Indeed :

MFSA 2005-59  Command-line handling on Linux allows shell execution (does not
affect Gentoo)
MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes (critical)
MFSA 2005-57 IDN heap overrun using soft-hyphens (fixed in source versions)

Moz team: We'll need fixed source and -bin versions for all...
Comment 37 Thierry Carrez (RETIRED) gentoo-dev 2005-09-23 11:30:14 UTC
List of the new CANs :

======================================================
Candidate: CAN-2005-2701
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2701
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Heap-based buffer overflow in Firefox 1.0.7 and Mozilla Suite 1.7.12
allows remote attackers to execute arbitrary code via an XBM image
file that ends in a large number of spaces instead of the expected end
tag.


======================================================
Candidate: CAN-2005-2702
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2702
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to
cause a denial of service (crash) and possibly execute arbitrary code
via Unicode sequences with "zero-width non-joiner" characters.


======================================================
Candidate: CAN-2005-2703
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2703
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to
modify HTTP headers of XML HTTP requests via XMLHttpRequest, and
possibly use the client to exploit vulnerabilities in servers or
proxies.


======================================================
Candidate: CAN-2005-2704
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2704
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to
spoof DOM objects via an XBL control that implements an internal XPCOM
interface.


======================================================
Candidate: CAN-2005-2705
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2705
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Integer overflow in the JavaScript engine in Firefox 1.0.7 and Mozilla
Suite 1.7.12 might allow remote attackers to execute arbitrary code.


======================================================
Candidate: CAN-2005-2706
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2706
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to
execute Javascript with chrome privileges via an about: page such as
about:mozilla.


======================================================
Candidate: CAN-2005-2707
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2707
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to
spawn windows without user interface components such as the address
and status bar, which could be used to conduct spoofing or phishing
attacks.
Comment 38 Carsten Lohrke (RETIRED) gentoo-dev 2005-09-23 15:19:28 UTC
*** Bug 107035 has been marked as a duplicate of this bug. ***
Comment 39 Carsten Lohrke (RETIRED) gentoo-dev 2005-09-23 16:18:22 UTC
*** Bug 107035 has been marked as a duplicate of this bug. ***
Comment 40 Carsten Lohrke (RETIRED) gentoo-dev 2005-09-24 17:27:58 UTC
*** Bug 107111 has been marked as a duplicate of this bug. ***
Comment 41 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-25 18:34:06 UTC
Ok, took care of mozilla/firefox/gecko-sdk .. will do the binary ebuilds tomorrow.
Comment 42 Thierry Carrez (RETIRED) gentoo-dev 2005-09-26 00:25:48 UTC
Arches, you can start testing the source versions...
www-client/mozilla-1.7.12 Target KEYWORDS="alpha amd64 hppa ia64 ppc ~ppc64
sparc x86"
www-client/mozilla-firefox-1.0.7 Target KEYWORDS="alpha amd64 ~arm hppa ia64 ppc
sparc x86"

And I suppose probably also :
net-libs/gecko-sdk-1.7.12 Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc
x86"

-bin versions coming up soon.
Comment 43 Thierry Carrez (RETIRED) gentoo-dev 2005-09-26 00:27:28 UTC
Forgot to Cc the relevant archs (need coffee)
Comment 44 Gustavo Zacarias (RETIRED) gentoo-dev 2005-09-26 13:50:34 UTC
sparc stable.
Comment 45 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-26 14:25:09 UTC
Can arches please wait until I release each as -r1?  There is an issue with
epiphany/galeon with these versions that I have fixed, but are just testing
currently ...
Comment 46 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-26 14:25:35 UTC
Sorry, should have commented earlier ...
Comment 47 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-26 15:15:01 UTC
Ok, www-client/mozilla-1.7.12-r1 and www-client/mozilla-firefox-1.0.7-r1 looks
fine here.
Comment 48 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-27 11:19:22 UTC
All right, the -bin packages is in the tree.  Can we hold on the source packages
for now?  I have a font rendering bug Im trying to sort out.
Comment 49 Thierry Carrez (RETIRED) gentoo-dev 2005-09-27 13:31:05 UTC
Archs: feel free to mark -bin packages stable if you have them. We wait on new
packages from azarah for the src versions.

This will be published as a GLSA update to the recent Moz GLSA.
Comment 50 Simon Stelling (RETIRED) gentoo-dev 2005-09-27 14:26:06 UTC
mozilla-firefox-bin-1.0.7-r1 marked stable on amd64
Comment 51 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-28 03:33:31 UTC
Ok, -r2 of each source package should be fine.
Comment 52 Thierry Carrez (RETIRED) gentoo-dev 2005-09-28 04:14:10 UTC
Az: many thx. Is gecko-sdk ready or does it need some more work ?

Archs, here is the stablework left :

alpha: mozilla-1.7.12-r2 mozilla-firefox-1.0.7-r2
amd64: mozilla-1.7.12-r2 mozilla-bin-1.7.12 mozilla-firefox-1.0.7-r2
hppa: mozilla-1.7.12-r2 mozilla-firefox-1.0.7-r2
ia64: mozilla-1.7.12-r2 mozilla-firefox-1.0.7-r2
ppc: mozilla-1.7.12-r2 mozilla-firefox-1.0.7-r2
sparc: mozilla-1.7.12-r2 mozilla-firefox-1.0.7-r2
x86: mozilla-1.7.12-r2 mozilla-bin-1.7.12 mozilla-firefox-1.0.7-r2
mozilla-firefox-bin-1.0.7
Comment 53 Thierry Carrez (RETIRED) gentoo-dev 2005-09-28 04:32:23 UTC
Please also all (+ppc64) test and mark stable net-libs/gecko-sdk-1.7.12-r1...
Comment 54 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-09-28 11:08:19 UTC
Stable on ppc.
Comment 55 Markus Rothe (RETIRED) gentoo-dev 2005-09-28 12:25:07 UTC
gecko-sdk stable on ppc64 (others never marked stable on ppc64)
Comment 56 Homer Parker (RETIRED) gentoo-dev 2005-09-28 12:56:27 UTC
mozilla-1.7.12-r2, mozilla-bin-1.7.12, and net-libs/gecko-sdk-1.7.12-r1 done on
amd64
Comment 57 Daniel Gryniewicz (RETIRED) gentoo-dev 2005-09-28 13:00:29 UTC
amd64 done
Comment 58 René Nussbaumer (RETIRED) gentoo-dev 2005-09-28 13:12:45 UTC
Stable on hppa
Comment 59 Mark Loeser (RETIRED) gentoo-dev 2005-09-28 21:54:07 UTC
x86 done
Comment 60 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2005-09-29 03:55:25 UTC
mozilla-1.7.12-r2, mozilla-firefox-1.0.7-r2 and gecko-sdk-1.7.12-r1 stables on
alpha.
Comment 61 Thierry Carrez (RETIRED) gentoo-dev 2005-09-29 04:05:47 UTC
x86 AT : Apparently you still miss the net-libs/gecko-sdk-1.7.12-r1 stable keyword.
Comment 62 Gustavo Zacarias (RETIRED) gentoo-dev 2005-09-29 08:28:05 UTC
sparc stable.
Comment 63 Paul Varner (RETIRED) gentoo-dev 2005-09-29 13:13:22 UTC
Since there are a lot of USE flags and the latest stable version of gecko-sdk is
1.7.8, can someone from the mozilla team outline a quick test scenario to verify
the functionality of gecko-sdk-1.7.12-r1?
Comment 64 Martin Schlemmer (RETIRED) gentoo-dev 2005-09-30 00:59:17 UTC
Currently:

  # USE=gecko-sdk emerge mplayerplug-in

I did however build galeon this side against it, but that is amd64 ... 
basically mozilla-1.7.12-r2 which the few changes for the SDK/GRE, so it
*should* be ok if mozilla is fine.
Comment 65 Paul Varner (RETIRED) gentoo-dev 2005-09-30 12:06:13 UTC
gecko-sdk-1.7.12-r1 stable on x86
Comment 66 Thierry Carrez (RETIRED) gentoo-dev 2005-09-30 14:04:22 UTC
GLSA 200509-11 updated