Bug 106939 - mozilla-firefox 1.0.7 update for severe security flaw
Summary: mozilla-firefox 1.0.7 update for severe security flaw
Status: RESOLVED DUPLICATE of bug 105396
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages (show other bugs)
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Linux bug wranglers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-22 18:18 UTC by VinnieNZ
Modified: 2005-09-22 21:42 UTC
CC List: 0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description VinnieNZ 2005-09-22 18:18:37 UTC
Mozilla Firefox has been updated to v1.0.7 for a severe security flaw that
affects Linux (below from computerworld.co.nz):

"The bug is in the Linux shell scripts that Firefox and the Mozilla browser
suite use to parse web addresses supplied via the command line or by external
programs such as email clients. Researcher Peter Zelezny discovered that
commands included in the URL and enclosed in backticks (`) were executed by the
Linux or Unix shell.

The flaw doesn't require web interaction to be effective. If a user with
affected versions of Firefox or Mozilla set as the default browser clicks on a
maliciously crafted URL in an email program, for example, malicious commands
would be executed before the browser was launched.

Security advisory aggregators Secunia and FrSIRT both gave the flaw their most
severe ratings.

The Mozilla Foundation, which develops Firefox and other Mozilla-based software
such as the Thunderbird email client, has issued a Firefox update, version
1.0.7, fixing the flaw as well as a week-old security bug in the handling of
International Domain Names (IDN). The update can be found on the Mozilla website."

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
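The article quoted above describes the mechanism only in prose. The following is an added illustration, not Mozilla's launcher script and not code from this bug report: a hypothetical launcher (`vulnerable_launch`) that splices the URL into a command string and lets the shell parse it a second time, next to one (`hardened_launch`) that passes the URL as a single quoted argument. The "browser" (`fake_browser`), the hostile URL and the canary file are all constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration of command-line URL shell injection (hypothetical names;
# this is not the Mozilla or Gentoo launcher script).

# Scratch file whose existence proves that a command embedded in the URL ran.
WORKDIR=$(mktemp -d)
CANARY="$WORKDIR/command-ran"

# Stand-in for the real browser binary: it simply echoes the URL it receives.
fake_browser() {
    printf '%s\n' "$1"
}

# Insecure pattern: the URL is pasted into a command string that the shell
# parses again, so `...` and $(...) inside the URL are executed before the
# "browser" even starts.
vulnerable_launch() {
    eval "fake_browser $1"
}

# Safe pattern: the URL is handed over as one double-quoted argument. The
# shell substitutes $1 but never re-parses the resulting text.
hardened_launch() {
    fake_browser "$1"
}

# Constructed hostile URL of the kind an email client might hand to the
# default browser: a backticked command hidden in the query string.
MALICIOUS_URL="http://example.com/page?q=\`touch $CANARY\`"

# Returns 0 if launching the URL through the given launcher ran the
# embedded command (i.e. the canary file appeared), 1 otherwise.
command_executed_by() {
    rm -f "$CANARY"
    "$1" "$MALICIOUS_URL" >/dev/null
    [ -e "$CANARY" ]
}

# Prints what the browser actually receives from the given launcher.
url_seen_by() {
    "$1" "$MALICIOUS_URL"
}

cleanup() {
    rm -rf "$WORKDIR"
}

# Stand-alone demo: the vulnerable launcher executes the backticks and the
# browser sees a truncated URL; the hardened one passes the URL literally.
if command_executed_by vulnerable_launch; then
    echo "vulnerable_launch: command inside the URL ran; browser got: $(url_seen_by vulnerable_launch)"
fi
if command_executed_by hardened_launch; then
    echo "hardened_launch: command inside the URL ran (unexpected)"
else
    echo "hardened_launch: URL passed literally; browser got: $(url_seen_by hardened_launch)"
fi
```

The point to check in any wrapper script is whether the URL ever passes through `eval`, an unquoted `$url`, or a constructed command string; quoting the variable once at the point of use is what removes the second parse, and the `touch` canary above is a cheap way to confirm that a given launcher no longer executes backticks.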
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2005-09-22 21:42:31 UTC
The Command Line URL Shell Command Injection vulnerability is not reproducible on
Gentoo, due to the wrapper scripts.

*** This bug has been marked as a duplicate of 105396 ***