Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 156023 - www-client/mozilla-firefox(-bin) 2.0 cross-site request credential exposure (CVE-2006-6077 and others)
Summary: www-client/mozilla-firefox(-bin) 2.0 cross-site request credential exposure (...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard: A2 [glsa]
Keywords:
: 157035 (view as bug list)
Depends on:
Blocks:
 
Reported: 2006-11-23 04:47 UTC by Matt Drew (RETIRED)
Modified: 2007-03-31 13:25 UTC (History)
8 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
new patchset that includes a patch from upstream. (mozilla-firefox-2.0-patches-0.2.tar.bz2,25.62 KB, application/octet-stream)
2006-11-30 20:47 UTC, Jory A. Pratt
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Drew (RETIRED) gentoo-dev 2006-11-23 04:47:30 UTC
2.0 is still ~x86, but this is stupid enough and easily exploitable enough that it warrants a bug of its own.

Also:

http://www.info-svc.com/news/11-21-2006/

Firefox will automatically fill-in site passwords for login forms that are not from the original site.  Since the forms don't have to be visible, usernames and passwords can be discovered transparent to the user.  It does require the attacker have some way to inject user-created HTML with form tags into the trusted site, which is easily accomplished on sites such as MySpace where user-created HTML is the norm.
Comment 1 Lubomir Rintel 2006-11-23 07:14:48 UTC
(In reply to comment #0)
> 2.0 is still ~x86, but this is stupid enough and easily exploitable enough that
> it warrants a bug of its own.

Also affects older versions, at least 1.7.0.8
Comment 2 Wolf Giesen (RETIRED) gentoo-dev 2006-11-23 14:25:31 UTC
I guess you mean 1.5.0.8. So I read, unconfirmed from my side, though ... (ranting censored)
Comment 3 Jory A. Pratt 2006-11-30 20:47:14 UTC
Created attachment 103079 [details]
new patchset that includes a patch from upstream.

This is a new patchset with patch from upstream it is sane. I have changed the default to false so users must now make the change to true if they wish to keep the current method of auto filling username and passwords that are saved.
Comment 4 Bryan Østergaard (RETIRED) gentoo-dev 2006-12-01 13:59:40 UTC
Mozilla-firefox-2.0-r2 is in the tree now with Jory's patch.
Comment 5 VinnieNZ 2006-12-02 19:15:41 UTC
So this patch disables auto-filling of username/password fields (ie, it turns the feature off, it doesn't replace the old vulnerable method with a new one)?

And if we wanted to re-enable auto-fill, which option do we change from false to true in about:config?
Comment 6 Jory A. Pratt 2006-12-02 19:36:40 UTC
(In reply to comment #5)
> And if we wanted to re-enable auto-fill, which option do we change from false
> to true in about:config?
> 
simple change signon.autofillForums to true :)

Comment 7 Jakub Moc (RETIRED) gentoo-dev 2006-12-03 17:08:35 UTC
*** Bug 157035 has been marked as a duplicate of this bug. ***
Comment 8 Stefan Cornelius (RETIRED) gentoo-dev 2006-12-04 00:18:17 UTC
what about 1.5.x.x, is this branch unaffected? btw, it seems like we may not enable official branding with that patch ... lol
Comment 9 Dustin C. Hatch 2006-12-07 05:24:12 UTC
(In reply to comment #6)
> (In reply to comment #5)
> > And if we wanted to re-enable auto-fill, which option do we change from false
> > to true in about:config?
> > 
> simple change signon.autofillForums to true :)
> 
Perhaps there should be a way to enable it per-site. For example, sites that users can be explicitly allowed to autofill forms, but all the others are explicitly denied this right. Just a thought, seems like it would work to me, but IANAP.
Comment 10 Jory A. Pratt 2006-12-19 11:55:01 UTC
MFSA 2006-75  RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)

Ebuilds are not in tree at the moment ... I am working on them and will be avaliable soon.
Comment 11 Malcolm Lashley (RETIRED) gentoo-dev 2006-12-19 13:19:09 UTC
Wielding the handy "Add Arch's" button on behalf of Anarchy. 

Target *stable* version 1.5.0.9

2.0.0.1 is on its way for ~arch.
Comment 12 Malcolm Lashley (RETIRED) gentoo-dev 2006-12-19 13:21:26 UTC
actually adding arches - sorry for bugspam... *shrug*
Comment 13 Peter Weller (RETIRED) gentoo-dev 2006-12-19 15:01:30 UTC
mozilla-firefox-bin-1.5.0.9 done on AMD64.
Comment 14 Jeroen Roovers gentoo-dev 2006-12-19 23:16:41 UTC
www-client/mozilla-firefox-1.5.0.9 Stable for HPPA.
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2006-12-20 03:40:26 UTC
In x86, bin version:

Emerges and works fine.

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6
.18-gentoo-r4 i686)
=================================================================
System uname: 2.6.18-gentoo-r4 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.12.6
Last Sync: Wed, 20 Dec 2006 09:50:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disable
d]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-tbird -mtune=athlon-tbird  -O2 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon-tbird -mtune=athlon-tbird  -O2 -pipe -fomit-frame-pointe
r"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox sfper
ms strict"
GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ "
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j2"
PKGDIR="/tmp/lea/var/tmp/binpkgs"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress 
--force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/d
istfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.belnet.be/packages/gentoo-portage"
USE="x86 X bitmap-fonts bzip2 cairo cdr cli cracklib crypt dbus dlloader dri dvd
 dvdr eds elibc_glibc emboss encode fam firefox fortran gif gnome gpm gstreamer 
gtk hal iconv input_devices_evdev input_devices_keyboard input_devices_mouse isd
nlog jpeg kde kernel_linux ldap libg++ mad mikmod mp3 mpeg ncurses nptl nptlonly
 ogg opengl pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflec
tion sdl session spell spl ssl tcpd truetype truetype-fonts type1-fonts udev uni
code userland_GNU video_cards_vesa vorbis win32codecs xml xorg xv zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS, PORT
AGE_RSYNC_EXTRA_OPTS
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2006-12-20 04:59:56 UTC
sparc stable.
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-20 08:43:05 UTC
any reason why AMD64 and HPPA were not removed from the Cc list ?
Comment 18 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-20 08:56:16 UTC
don't forget -bin
Comment 19 Jeroen Roovers gentoo-dev 2006-12-20 10:32:24 UTC
(In reply to comment #17)
> any reason why AMD64 and HPPA were not removed from the Cc list ?

Because the summary contradicts what you wanted stabilised.
Comment 20 Markus Meier gentoo-dev 2006-12-20 12:12:36 UTC
www-client/mozilla-firefox-bin-1.5.0.9
1. emerges on x86
2. passes collision test
3. works

www-client/mozilla-firefox-1.5.0.9
1. emerges on x86, please note:
unpack mozilla-firefox-1.5.0.9-de.xpi: file format not recognized. Ignoring.
dodoc: LEGAL does not exist
2. passes collision test
3. works


Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.18.4 i686)
=================================================================
System uname: 2.6.18.4 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Wed, 20 Dec 2006 18:30:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 21 Tobias Scherbaum (RETIRED) gentoo-dev 2006-12-20 23:33:44 UTC
ppc stable
Comment 22 Joshua Jackson (RETIRED) gentoo-dev 2006-12-21 10:54:29 UTC
x86 done.
Comment 23 Jory A. Pratt 2006-12-24 07:54:31 UTC
This is ready for glsa ...
Comment 24 Sune Kloppenborg Jeppesen gentoo-dev 2006-12-26 12:09:15 UTC
Removing amd64 from CC:

  19 Dec 2006; <malc@gentoo.org> mozilla-firefox-1.5.0.9.ebuild:
  Stable on amd64 wrt security bug #156023
Comment 25 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-12-28 07:11:12 UTC
rerating due to MFSA 2006-73 (at least)

sorry for the delay in the GLSA (Chrismas holidays, it seems)

-----------------

Description
Appending an SVG comment DOM node from one document into another type of document such as HTML in some cases results in a crash due to memory corruption that can be exploited to run arbitrary code.

This flaw was introduced in the Firefox 1.5.0.4 release, prior versions are unaffected.

Mozilla would like to thank an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.
Comment 26 Matt Drew (RETIRED) gentoo-dev 2006-12-31 10:09:40 UTC
added CVE entry for the original bug.
Comment 27 Andrew Dorney 2007-01-04 21:09:48 UTC
The about:config section is now called signon.prefillForms in 2.0.0.1, in case anybody reading this bug couldn't find it now.
Comment 29 Raúl Porcel (RETIRED) gentoo-dev 2007-03-31 13:25:55 UTC
arm/ia64 won't stabilize 1.5.