Bug 195978 (CVE-2007-5414) - <www-client/mozilla-firefox[-bin]-2 CSS Vulnerability (CVE-2007-{5414,5415})
Status: RESOLVED FIXED
Alias: CVE-2007-5414
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/annou...
Whiteboard: B4 [noglsa]
Reported: 2007-10-15 20:09 UTC by Tobias Heinlein (RETIRED)
Modified: 2011-12-13 19:33 UTC
Description Tobias Heinlein (RETIRED) gentoo-dev 2007-10-15 20:09:14 UTC
CVE-2007-5414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5414):
  Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 2.0, when
  UTF-7 document content is rendered directly in UTF-7, allows remote attackers
  to inject arbitrary web script or HTML via a gopher URI that uses single
  quote characters to delimit a literal string within an XSS sequence, a
  related issue to CVE-2007-5415.

CVE-2007-5415 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5415):
  Cross-site scripting (XSS) vulnerability in Mozilla Firefox 2.0, when UTF-7
  document content is rendered directly in UTF-7, allows remote attackers to
  inject arbitrary web script or HTML via a gopher URI that uses '/' (slash)
  characters to delimit a literal string within an XSS sequence, a related
  issue to CVE-2007-5414.
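
An added illustration, not part of the original bug report or of any Mozilla fix: both CVE entries depend on content being rendered as UTF-7, where markup characters can be written in plain ASCII and so pass a filter that only looks for literal `<` or `>`. The Python check below flags UTF-7 shifted blocks that decode to such characters; the sample payload and all function names are constructed for this example.

```python
import re

# UTF-7 (RFC 2152) shifted block: '+', modified-base64 characters, optional closing '-'.
SHIFTED = re.compile(rb"\+([A-Za-z0-9+/]+)-?")
# Characters that can open or close an HTML or script context.
RISKY = set("<>\"'/&=")

# Constructed sample: harmless bold markup, written entirely in 7-bit ASCII.
SAMPLE = b"plain +ADw-b+AD4-text+ADw-/b+AD4-"


def decode_shifted(b64: bytes) -> str:
    """Decode one shifted block; return '' when it is not valid UTF-7."""
    try:
        return (b"+" + b64 + b"-").decode("utf-7")
    except UnicodeDecodeError:
        return ""


def utf7_hidden_chars(payload: bytes) -> list:
    """Return (offset, decoded_text) for shifted blocks that decode to risky characters."""
    hits = []
    for match in SHIFTED.finditer(payload):
        text = decode_shifted(match.group(1))
        if any(ch in RISKY for ch in text):
            hits.append((match.start(), text))
    return hits


if __name__ == "__main__":
    # The raw bytes contain no literal '<', yet a UTF-7 renderer would see tags.
    print("literal '<' present:", b"<" in SAMPLE)
    for offset, text in utf7_hidden_chars(SAMPLE):
        print(f"offset {offset}: shifted block decodes to {text!r}")
```

A hit means a byte-level filter and a browser rendering the document as UTF-7 would see different text.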
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-07 22:34:59 UTC
mozilla, any clue if the second vulnerability was fixed?
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2008-05-13 16:14:15 UTC
No idea, there aren't any bugs upstream.
Comment 3 Julio Jimenez S 2008-11-14 16:11:36 UTC
CVE-2007-5414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5414) got fixed in 2.0.0.18 ( http://www.mozilla.org/security/announce/2008/mfsa2008-50.html )
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-03-05 23:50:20 UTC
Ready to vote, I vote NO.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-04-04 14:15:06 UTC
(In reply to comment #3)
> CVE-2007-5414 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5414) got fixed in
> 2.0.0.18 ( http://www.mozilla.org/security/announce/2008/mfsa2008-50.html )

Do you have any data to substantiate this?
Comment 6 Jory A. Pratt gentoo-dev 2010-09-16 12:57:30 UTC
Nothing for mozilla team to do here.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2011-12-13 19:33:38 UTC
noglsa.

http://security-tracker.debian.org/tracker/CVE-2007-5414 lists no recent versions as affected