From http://www.security-protocols.com/modules.php?name=News&file=article&sid=2910 :

A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host.

Reproducible: Always

Steps to Reproduce:
Close important windows/tabs of Firefox and visit the given URL.

Actual Results:
Crash

Expected Results:
No crash

Although there is no patch yet, it is said to be circumventable by setting network.enableIDN = false (in about:config).
Auditors/Mozilla please advise.
Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=307259
Patch that fixes it: https://bugzilla.mozilla.org/attachment.cgi?id=195425
I can reproduce the crash, but if all you can write past the bounds of the heap buffer is a long string of dashes, I seriously doubt this is exploitable. This looks like a mostly harmless crash due to heap corruption. Has anyone seen anything to suggest this is anything more?
Okay, a post to full-disclosure claims that exploitation is possible, so I guess there's more to this than meets the eye.
Yes, looks like I spoke too soon. From the Mozilla bug:

------- Additional Comment #15 From Josh Bressers 2005-09-09 08:03 PDT -------
Can anyone verify that this issue ONLY works if the hostname is all -'s? While this will still be a crash, it won't allow arbitrary code execution.

------- Additional Comment #16 From David Baron 2005-09-09 08:44 PDT -------
Wrong, since there's stuff appended to the buffer after the hostname.
(Gentoo) Mozilla team: it might be a good idea to release a patched src-based version, because I don't know how much time it will take upstream to release, and that would allow us to publish a GLSA with a workaround for the other versions... Let me know what you think about this.
There is an easy way to set this key to false for binary and source installs: you will have to install a preferences file from the ebuild. So I'd give it the name gentoo-default-prefs.js, and it must contain the following line:

pref("network.enableIDN", false);

After that, in src_install, you'll need something like this:

# dodir already prepends ${D}, so it is given the path relative to the image root;
# cp needs the full ${D}-prefixed path.
dodir "${MOZILLA_FIVE_HOME}/greprefs"
cp "${FILESDIR}/gentoo-default-prefs.js" "${D}/${MOZILLA_FIVE_HOME}/greprefs/all-gentoo.js"
dodir "${MOZILLA_FIVE_HOME}/defaults/pref"
cp "${FILESDIR}/gentoo-default-prefs.js" "${D}/${MOZILLA_FIVE_HOME}/defaults/pref/all-gentoo.js"

The problem is that with this setting, Firefox survives the simple test cases such as http://www.security-protocols.com/firefoxwin32-death.html and https://bugzilla.mozilla.org/attachment.cgi?id=195056, but in some way http://www.security-protocols.com/modules.php?name=News&file=article&sid=2910 freezes it and Opera, although Opera recovers in 15 sec here.
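An added example (not from this bug thread, not Gentoo's or Mozilla's code) to verify that the network.enableIDN workaround is actually in effect on a box. Mozilla reads pref() lines from files under greprefs/ and defaults/pref/ first, and a profile's prefs.js user_pref() lines override them, so a check has to apply the files in that order and treat a missing pref as "IDN enabled" (the default). The sample pref files below are constructed for the example; the directory names are the ones mentioned in the comment above, and the function names are this example's own.

```python
"""Check whether Mozilla/Firefox pref files leave network.enableIDN set to false.

Added example for the GLSA 200509-11 workaround; not code from the bug thread.
Pref files are plain JavaScript calls, one per line:
    pref("name", value);          // vendor defaults (greprefs/, defaults/pref/)
    user_pref("name", value);     // profile prefs.js, applied last and wins
Values are true/false, an integer, or a double-quoted string.
"""
import re

# One pref()/user_pref() statement per line; '^' is anchored per line via MULTILINE,
# so a commented-out line such as '// pref(...)' does not match.
_PREF_RE = re.compile(
    r'^[ \t]*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;',
    re.MULTILINE,
)

# The exact line the comment above proposes for gentoo-default-prefs.js.
WORKAROUND_PREF = 'pref("network.enableIDN", false);\n'


def parse_prefs(text):
    """Return {name: value} for every pref()/user_pref() line in text.

    A later line for the same name overrides an earlier one, which is how
    Mozilla itself applies a pref file.
    """
    prefs = {}
    for match in _PREF_RE.finditer(text):
        name, raw = match.group(1), match.group(2)
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"'):
            # Strip the quotes and undo the two escapes pref files use.
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def idn_disabled(*pref_texts):
    """Apply pref file contents in load order (defaults first, prefs.js last)
    and report whether network.enableIDN ends up false.

    IDN handling is on by default, so a pref that is absent everywhere means
    the workaround is NOT in place.
    """
    merged = {}
    for text in pref_texts:
        merged.update(parse_prefs(text))
    return merged.get("network.enableIDN", True) is False


# Constructed sample of a vendor defaults file without the workaround.
SAMPLE_DEFAULTS = """\
// Constructed example of a defaults/pref file (not a real Gentoo or Mozilla file)
pref("general.useragent.locale", "en-US");
pref("network.http.max-connections", 24);
pref("network.enableIDN", true);
"""

# Constructed sample of a profile prefs.js where the user turned IDN back on,
# which silently undoes a vendor-level workaround.
SAMPLE_PROFILE_REENABLE = """\
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.enableIDN", true);
"""


if __name__ == "__main__":
    # Usage: python idn_pref_check.py <greprefs/*.js> <defaults/pref/*.js> <profile/prefs.js>
    # Pass the files in load order; the profile's prefs.js must come last.
    import sys

    texts = [open(path, encoding="utf-8", errors="replace").read() for path in sys.argv[1:]]
    if idn_disabled(*texts):
        print("network.enableIDN is false: workaround in effect")
    else:
        print("network.enableIDN is still true (pref missing or overridden in prefs.js)")
```

Run it against the installed all-gentoo.js files and then each user's prefs.js: a vendor-level pref is only a mitigation if no profile overrides it. Note also the caveat from the comment above: the pref stopped the simple test cases but not the sid=2910 page, so passing this check is not a substitute for the fixed package.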
Mozilla team: please bump Mozilla and Firefox source versions with https://bugzilla.mozilla.org/attachment.cgi?id=195425 (or comment if you prefer not to)
Arches, please test and mark -r7 stable, thanks.
You can use : http://www.security-protocols.com/firefoxwin32-death.html to test for vulnerability.
Mozilla src ebuild is in too... Arches should test and mark:

mozilla-1.7.11-r3 (target keywords = "alpha amd64 hppa ia64 ppc ~ppc64 sparc x86")
mozilla-firefox-1.0.6-r7 (target keywords = "alpha amd64 ~arm hppa ia64 ppc sparc x86")
Stable on ppc.
Compiling mozilla-firefox-1.0.6-r7 as we speak, but the test vuln doesn't work on my amd64 box.

Gentoo Base System version 1.6.13
Portage 2.0.51.22-r2 (default-linux/amd64/2005.0, gcc-3.4.4, glibc-2.3.5-r1, 2.6.12-gentoo-r6 x86_64)
=================================================================
System uname: 2.6.12-gentoo-r6 x86_64 AMD Athlon(tm) 64 Processor 3400+
dev-lang/python:     2.3.5-r2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.18-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-pipe -O3 -march=k8"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-pipe -O3 -march=k8"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X aac alsa avi berkdb bitmap-fonts cdr crypt curl dvd dvdread eds emboss encode esd fam flac foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 imlib ipv6 jpeg libvisual lzw lzw-tiff mp3 mpeg ncurses network nls ogg oggvorbis opengl pam pdflib perl png python quicktime readline samba sdl softmmu speex spell sqlite ssl tcpd theora tiff truetype-fonts type1-fonts usb userlocales vorbis xine xml2 xpm xv zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
mozilla-firefox-1.0.6-r7 stable on amd64.
mozilla-firefox-1.0.6-r7 is stable on x86
mozilla-1.7.11-r3 is stable on x86 as well.
mozilla-1.7.11-r3 stable on amd64.
AMD64 done.
re-adding amd64 since we're still waiting for an updated mozilla{-firefox}-bin
Which versions of mozilla{-firefox}-bin do we need to test on amd64? From the latest sync, the only ~amd64 version among these packages is mozilla-bin-1.7.11.
Marked stable on alpha: mozilla-1.7.11-r3 mozilla-firefox-1.0.6-r7
added ~ppc64 to mozilla-1.7.11-r3
Stable on hppa
To amd64: No -bin versions yet... Those will be 1.0.7 and 1.7.12. Waiting on sparc to release temporary GLSA.
Stable on SPARC.
GLSA 200509-11. ia64 should mark stable to benefit from the GLSA.
Hm. Keeping the bug open to remember to update GLSA when the -bin fixed versions are out.
Firefox 1.0.7 is out, we need the -bin version in.
*** Bug 106787 has been marked as a duplicate of this bug. ***
*** Bug 106819 has been marked as a duplicate of this bug. ***
Note: 1.0.7 also fixes the "Command Line URL Shell Command Injection vulnerability", but it isn't clear that it affects us, due to wrapper scripts... Can anyone reproduce it on Gentoo?
I just tested the example exploit on gentoo, it did not seem to have any effect. I used the example given in this thread: https://bugzilla.mozilla.org/show_bug.cgi?id=307185#c0
forgot to include: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050725 Firefox/1.0.6
*** Bug 106939 has been marked as a duplicate of this bug. ***
This is the complete list of fixes in 1.0.7: http://www.mozilla.org/security/announce/mfsa2005-58.html

Would say severity goes up... push -bin ahead.
Indeed:

MFSA 2005-59 Command-line handling on Linux allows shell execution (does not affect Gentoo)
MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes (critical)
MFSA 2005-57 IDN heap overrun using soft-hyphens (fixed in source versions)

Moz team: We'll need fixed source and -bin versions for all...
List of the new CANs:

======================================================
Candidate: CAN-2005-2701
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2701
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Heap-based buffer overflow in Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to execute arbitrary code via an XBM image file that ends in a large number of spaces instead of the expected end tag.

======================================================
Candidate: CAN-2005-2702
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2702
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via Unicode sequences with "zero-width non-joiner" characters.

======================================================
Candidate: CAN-2005-2703
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2703
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to modify HTTP headers of XML HTTP requests via XMLHttpRequest, and possibly use the client to exploit vulnerabilities in servers or proxies.

======================================================
Candidate: CAN-2005-2704
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2704
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to spoof DOM objects via an XBL control that implements an internal XPCOM interface.

======================================================
Candidate: CAN-2005-2705
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2705
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Integer overflow in the JavaScript engine in Firefox 1.0.7 and Mozilla Suite 1.7.12 might allow remote attackers to execute arbitrary code.

======================================================
Candidate: CAN-2005-2706
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2706
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to execute Javascript with chrome privileges via an about: page such as about:mozilla.

======================================================
Candidate: CAN-2005-2707
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2707
Reference: CONFIRM:http://www.mozilla.org/security/announce/mfsa2005-58.html
Reference: REDHAT:RHSA-2005:785
Reference: URL:http://www.redhat.com/support/errata/RHSA-2005-785.html

Firefox 1.0.7 and Mozilla Suite 1.7.12 allows remote attackers to spawn windows without user interface components such as the address and status bar, which could be used to conduct spoofing or phishing attacks.
*** Bug 107035 has been marked as a duplicate of this bug. ***
*** Bug 107111 has been marked as a duplicate of this bug. ***
Ok, took care of mozilla/firefox/gecko-sdk .. will do the binary ebuilds tomorrow.
Arches, you can start testing the source versions...

www-client/mozilla-1.7.12
Target KEYWORDS="alpha amd64 hppa ia64 ppc ~ppc64 sparc x86"

www-client/mozilla-firefox-1.0.7
Target KEYWORDS="alpha amd64 ~arm hppa ia64 ppc sparc x86"

And I suppose probably also:

net-libs/gecko-sdk-1.7.12
Target KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86"

-bin versions coming up soon.
Forgot to Cc the relevant archs (need coffee)
sparc stable.
Can arches please wait until I release each as -r1? There is an issue with epiphany/galeon with these versions that I have fixed, but are just testing currently ...
Sorry, should have commented earlier ...
Ok, www-client/mozilla-1.7.12-r1 and www-client/mozilla-firefox-1.0.7-r1 looks fine here.
All right, the -bin packages are in the tree. Can we hold on the source packages for now? I have a font rendering bug I'm trying to sort out.
Archs: feel free to mark -bin packages stable if you have them. We wait on new packages from azarah for the src versions. This will be published as a GLSA update to the recent Moz GLSA.
mozilla-firefox-bin-1.0.7-r1 marked stable on amd64
Ok, -r2 of each source package should be fine.
Az: many thx. Is gecko-sdk ready or does it need some more work?

Archs, here is the stablework left:

alpha: mozilla-1.7.12-r2 mozilla-firefox-1.0.7-r2
amd64: mozilla-1.7.12-r2 mozilla-bin-1.7.12 mozilla-firefox-1.0.7-r2
hppa: mozilla-1.7.12-r2 mozilla-firefox-1.0.7-r2
ia64: mozilla-1.7.12-r2 mozilla-firefox-1.0.7-r2
ppc: mozilla-1.7.12-r2 mozilla-firefox-1.0.7-r2
sparc: mozilla-1.7.12-r2 mozilla-firefox-1.0.7-r2
x86: mozilla-1.7.12-r2 mozilla-bin-1.7.12 mozilla-firefox-1.0.7-r2 mozilla-firefox-bin-1.0.7
Please also all (+ppc64) test and mark stable net-libs/gecko-sdk-1.7.12-r1...
gecko-sdk stable on ppc64 (others never marked stable on ppc64)
mozilla-1.7.12-r2, mozilla-bin-1.7.12, and net-libs/gecko-sdk-1.7.12-r1 done on amd64
amd64 done
x86 done
mozilla-1.7.12-r2, mozilla-firefox-1.0.7-r2 and gecko-sdk-1.7.12-r1 stable on alpha.
x86 AT: Apparently you are still missing the net-libs/gecko-sdk-1.7.12-r1 stable keyword.
Since there are a lot of USE flags and the latest stable version of gecko-sdk is 1.7.8, can someone from the mozilla team outline a quick test scenario to verify the functionality of gecko-sdk-1.7.12-r1?
Currently:

# USE=gecko-sdk emerge mplayerplug-in

I did however build galeon this side against it, but that is amd64... basically mozilla-1.7.12-r2 with the few changes for the SDK/GRE, so it *should* be ok if mozilla is fine.
gecko-sdk-1.7.12-r1 stable on x86
GLSA 200509-11 updated