Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 208128 - www-client/mozilla-firefox < 2.0.0.12 +others Multiple vulnerabilities (CVE-2008-{0304,0412,0413,0414,0415,0416,0417,0418,0419,0420,0591,0592,0593,0594})
Summary: www-client/mozilla-firefox < 2.0.0.12 +others Multiple vulnerabilities (CVE-2...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa]
Keywords:
: 211602 (view as bug list)
Depends on:
Blocks: CVE-2007-3073
  Show dependency tree
 
Reported: 2008-01-30 01:50 UTC by Robert Buchholz (RETIRED)
Modified: 2012-02-09 15:03 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
seamonkey-1.1.7-to-1.1.8-patchupdates.diff (seamonkey-1.1.7-to-1.1.8-patchupdates.diff,854 bytes, patch)
2008-02-08 11:36 UTC, Lars Wendler (Polynomial-C)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-01-30 01:50:43 UTC
Quoting:
A vulnerability in the chrome protocol scheme allows directory traversal when a “flat” add-on is present resulting in potential information disclosure.

An attacker can use this vulnerability to collect session information, including session cookies and session history.  Firefox is not vulnerable by default.  

Based on this new information Mozilla has changed the security severity rating to high.  A fix is included in Firefox 2.0.0.12 which be available shortly.

References:
http://blog.mozilla.com/security/2008/01/22/chrome-protocol-directory-traversal/
http://blog.mozilla.com/security/2008/01/29/status-update-for-chrome-protocol-directory-traversal-issue/
https://bugzilla.mozilla.org/show_bug.cgi?id=413250
https://bugzilla.mozilla.org/show_bug.cgi?id=413451
http://www.hiredhacker.com/2008/01/19/firefox-chrome-url-handling-directory-traversal/
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-01-30 01:51:55 UTC
I assume this also affects Linux, but the POC is for Windows only.
Mozilla herd, can you advise here? Otherwise, we'd have to dig into that.
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2008-01-30 14:14:28 UTC
I've been told this affects Linux as well, a release is expected for monday.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-01-30 15:50:09 UTC
Thanks, let's wait then.
Comment 4 Lars Wendler (Polynomial-C) gentoo-dev 2008-02-08 09:21:44 UTC
Hi,

www-client/seamonkey is also affected by this. Should seamonkey get its own bugreport or can someone add seamonkey to this bug?
firefox-2.0.0.12 and seamonkey-1.1.8 have been released and both contain fixes for this bug.
List of fixes for firefox:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#firefox2.0.0.12
List of fixes for saeamonkey:
http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.1.8

Cheers
Poly-C
Comment 5 Lars Wendler (Polynomial-C) gentoo-dev 2008-02-08 11:36:14 UTC
Created attachment 142973 [details, diff]
seamonkey-1.1.7-to-1.1.8-patchupdates.diff

This diff is for the seamonkey-1.1.7-patches-05 patchset so that the patchset can be used for seamonkey-1.1.8
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-02-08 13:58:12 UTC
net-libs/xulrunner-1.8.1.12
www-client/mozilla-firefox[-bin]-2.0.0.12
www-client/seamonkey[-bin]-1.1.8

in the tree
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2008-02-08 15:34:10 UTC
Arches, please test and mark stable:
=www-client/mozilla-firefox-2.0.0.12
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 release sparc x86"

=www-client/mozilla-firefox-bin-2.0.0.12
Target keywords : "amd64 release x86"

=www-client/seamonkey-1.1.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"

=www-client/seamonkey-bin-1.1.8
Target keywords : "amd64 release x86"

=net-libs/xulrunner-1.8.1.12
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release sparc x86"
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-02-08 15:50:32 UTC
alpha/ia64/sparc stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2008-02-08 18:01:32 UTC
powerpc done
Comment 10 Dawid Węgliński (RETIRED) gentoo-dev 2008-02-08 18:28:57 UTC
x86 stable
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-08 19:39:10 UTC
readding x86, only firefox non-bin has been marked stable....seamonkey, xulrunner are still missing.
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2008-02-08 22:30:11 UTC
x86 stable
Comment 13 Jeroen Roovers gentoo-dev 2008-02-09 13:19:57 UTC
Stable for HPPA:
> =www-client/mozilla-firefox-2.0.0.12
> =www-client/seamonkey-1.1.8
> =net-libs/xulrunner-1.8.1.12
Comment 14 Angelo Arrifano (RETIRED) gentoo-dev 2008-02-11 01:58:31 UTC
net-libs/xulrunner-1.8.1.12  USE="java -debug -gnome -ipv6 -xinerama -xprint"

* Emerges on AMD64.
* Works with mplayerplug-in.

www-client/seamonkey-1.1.8  USE="crypt -debug -gnome -ipv6 -java -ldap -mozdevelop -moznocompose -moznoirc -moznomail -moznopango -moznoroaming -postgres -xforms -xinerama -xprint"

* Emerges on AMD64.
* Works!

- -
Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-gentoo-r3 x86_64)
=================================================================
System uname: 2.6.23-gentoo-r3 x86_64 AMD Turion(tm) 64 X2 Mobile Technology TL-56
Timestamp of tree: Sun, 10 Feb 2008 23:30:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
app-shells/bash:     3.2_p17-r1
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -Os -msse3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=k8 -Os -msse3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://213.186.33.37/gentoo-distfiles/"
LANG="en_US"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac acpi alsa amd64 amr amrnb amrwb bash-completion berkdb bitmap-fonts branding bzip2 cairo cli cracklib crypt cups dbus divx doc dvd dvdr emerald fam ffmpeg firefox flac fortran gd gdbm gif glade glib glitz gtk gtkspell hal hddtemp iconv imagemagick insecure-savers isdnlog javascript jpeg jpeg2k kqemu libcaca libnotify midi mmx mmxext mp2 mp3 mp4 mpeg mplayer mudflap musicbrainz mysql ncurses nls nptl nptlonly offensive ogg opengl openmp pam pcre png pppd python quicktime readline realmedia reflection samba sdl session smp spell spl sse sse2 ssl stream svg syslog taglib tcpd threads truetype truetype-fonts type1 type1-fonts unicode v4l v4l2 vhosts vim-syntax vorbis wifi wmp xcomposite xorg xosd xpm xscreensaver xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev synaptics joystick" KERNEL="linux" LCD_DEVICES="xosd" USERLAND="GNU" VIDEO_CARDS="nv nvidia none"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 15 Olivier Crete (RETIRED) gentoo-dev 2008-02-11 02:03:53 UTC
amd64 done
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2008-02-12 17:35:44 UTC
CVE-2008-0412:
         The browser engine in Mozilla Firefox before 2.0.0.12, Thunderbird
         before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to
         cause a denial of service (crash) and possibly trigger memory
         corruption via vectors related to the (1)
         nsTableFrame::GetFrameAtOrBefore, (2)
         nsAccessibilityService::GetAccessible, (3)
         nsBindingManager::GetNestedInsertionPoint, (4)
         nsXBLPrototypeBinding::AttributeChanged, (5)
         nsColumnSetFrame::GetContentInsertionFrame, and (6)
         nsLineLayout::TrimTrailingWhiteSpaceIn methods, and other vectors.
CVE-2008-0413:
         The JavaScript engine in Mozilla Firefox before 2.0.0.12, Thunderbird
         before 2.0.0.12, and SeaMonkey before 1.1.8 allows remote attackers to
         cause a denial of service (crash) and possibly trigger memory
         corruption via (1) a large switch statement, (2) certain uses of watch
         and eval, (3) certain uses of the mousedown event listener, and other
         vectors.
CVE-2008-0414:
         Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows
         user-assisted remote attackers to trick the user into uploading
         arbitrary files via label tags that shift focus to a file input field,
         aka "focus spoofing."
CVE-2008-0415:
         Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and
         SeaMonkey before 1.1.8 allows remote attackers to execute script
         outside of the sandbox and conduct cross-site scripting (XSS) attacks
         via multiple vectors including the XMLDocument.load function, aka
         "JavaScript privilege escalation bugs."
CVE-2008-0417:
         CRLF injection vulnerability in Mozilla Firefox before 2.0.0.12 allows
         remote user-assisted web sites to corrupt the user's password store
         via newlines that are not properly handled when the user saves a
         password.
CVE-2008-0418:
         Directory traversal vulnerability in Mozilla Firefox before 2.0.0.12,
         Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8, when using
         "flat" addons, allows remote attackers to read arbitrary Javascript,
         image, and stylesheet files via the chrome: URI scheme, as
         demonstrated by stealing session information from sessionstore.js.
CVE-2008-0419:
         Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows
         remote attackers to steal navigation history and cause a denial of
         service (crash) via images in a page that uses designMode frames,
         which triggers memory corruption related to resize handles.
CVE-2008-0591:
         Mozilla Firefox before 2.0.0.12 and Thunderbird before 2.0.0.12 allows
         user-assisted remote attackers to cause users to confirm a
         timer-enabled security dialog by using a timer to change the window
         focus.
CVE-2008-0592:
         Mozilla Firefox before 2.0.0.12 and SeaMonkey before 1.1.8 allows
         user-assisted remote attackers to cause a denial of service via a
         plain .txt file with a "Content-Disposition: attachment" and an
         invalid "Content-Type: plain/text," which prevents Firefox from
         rendering future plain text files within the browser.
CVE-2008-0593:
         Gecko-based browsers, including Mozilla Firefox before 2.0.0.12 and
         SeaMonkey before 1.1.8, modifies the .href property of stylesheet DOM
         nodes to the final URI of a 302 redirect, which might allow remote
         attackers to bypass the Same Origin Policy and read sensitive
         information from the original URL, such as with Single-Signon systems.
CVE-2008-0594:
         Mozilla Firefox before 2.0.0.12 does not always display a web forgery
         warning dialog if the entire contents of a web page are in a DIV tag
         that uses absolute positioning, which makes it easier for remote
         attackers to conduct phishing attacks.
Comment 17 Peter Volkov (RETIRED) gentoo-dev 2008-02-23 17:51:38 UTC
Updated in release snapshot.
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2008-02-27 14:15:28 UTC
Thunderbird-2.0.0.12 is in the tree
Comment 19 Raúl Porcel (RETIRED) gentoo-dev 2008-02-28 13:55:30 UTC
Okay, arches please do:
=mail-client/mozilla-thunderbird-2.0.0.12
=mail-client/mozilla-thunderbird-bin-2.0.0.12

And it's dep:
=x11-plugins/enigmail-0.95.6-r2

Thanks
Comment 20 Markus Meier gentoo-dev 2008-02-28 20:02:25 UTC
x86 stable
Comment 21 Brent Baude (RETIRED) gentoo-dev 2008-02-29 03:09:18 UTC
ppc64 done
Comment 22 Raúl Porcel (RETIRED) gentoo-dev 2008-02-29 10:28:35 UTC
Adding release
Comment 23 Richard Freeman gentoo-dev 2008-03-01 14:01:20 UTC
amd64 done
Comment 24 Lars Weiler (RETIRED) gentoo-dev 2008-03-01 21:23:53 UTC
ppc stable
Comment 25 Ryan Hill (RETIRED) gentoo-dev 2008-03-01 22:19:32 UTC
mips is going all ~arch.
Comment 26 Peter Volkov (RETIRED) gentoo-dev 2008-03-02 08:24:10 UTC
www-client/seamonkey, www-client/seamonkey-bin, www-client/mozilla-firefox, www-client/mozilla-firefox-bin, net-libs/xulrunner, x11-plugins/enigmail, mail-client/mozilla-thunderbird, mail-client/mozilla-thunderbird-bin are updated in release snapshot.
Comment 27 Lars Weiler (RETIRED) gentoo-dev 2008-03-02 10:37:26 UTC
Other apps than firefox finally stable on ppc.
Comment 28 Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 01:24:50 UTC
CVE-2008-0304 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0304):
  Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.12 and
  SeaMonkey before 1.1.8 might allow remote attackers to execute arbitrary code
  via a crafted external-body MIME type in an e-mail message, related to an
  incorrect memory allocation during message preview.
Comment 29 Robert Buchholz (RETIRED) gentoo-dev 2008-03-03 01:59:59 UTC
*** Bug 211602 has been marked as a duplicate of this bug. ***
Comment 30 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 02:56:10 UTC
CVE-2008-0420:
modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp in Mozilla Firefox before 2.0.0.12, Thunderbird before 2.0.0.12, and SeaMonkey before 1.1.8 does not properly perform certain calculations related to the mColors table, which allows remote attackers to read portions of memory uninitialized via a crafted 8-bit bitmap (BMP) file that triggers an out-of-bounds read within the heap, as demonstrated using a CANVAS element; or cause a denial of service (application crash) via a crafted 8-bit bitmap file that triggers an out-of-bounds read. NOTE: the initial public reports stated that this affected Firefox in Ubuntu 6.06 through 7.10.
Comment 31 Robert Buchholz (RETIRED) gentoo-dev 2008-03-27 03:13:08 UTC
CVE-2008-0416 was also fixed in .12, see http://www.mozilla.org/security/announce/2008/mfsa2008-13.html
Comment 32 Robert Buchholz (RETIRED) gentoo-dev 2008-05-20 21:19:53 UTC
GLSA 200805-18, sorry for the delay.