Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 86148 - www-client/mozilla-firefox*: 1.0.2 fixes several vulnerabilities
Summary: www-client/mozilla-firefox*: 1.0.2 fixes several vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa] koon
: 86408 (view as bug list)
Depends on:
Reported: 2005-03-21 09:23 UTC by Thierry Carrez (RETIRED)
Modified: 2005-03-25 05:20 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Thierry Carrez (RETIRED) gentoo-dev 2005-03-21 09:23:38 UTC
Release is set to around Wednesday 2005-03-23 1000PST. Brad should be around to push them in Portage. No complete details of what is fixed yet.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-03-22 00:45:44 UTC
Mozilla Foundation Security Advisory 2005-32 (CAN-2005-0401)
Title: Drag and drop loading of privileged XUL
Severity: Low
Risk: Moderate
Reporter: Michael Krax
Fixed in: Firefox 1.0.2, Mozilla Suite 1.7.6
A malicious page that could lure a user into dragging something (such as a fake scrollbar) can bypass the restriction on opening privileged XUL. The startup scripts in the XUL will run with enhanced privilege, though the actions taken upon merely opening most XUL are benign. So far no way to run arbitrary code supplied by the attacker has been found, but this could be a stepping-stone to future attacks. 
Workaround: Disable Javascript. Upgrade to the fixed version. 
Mozilla Foundation Security Advisory 2005-30 (CAN-2005-0399)
Title: GIF heap overflow parsing Netscape extension 2
Severity: Critical
Risk: High
Reporter: Mark Dowd (ISS X-Force)
Fixed in: Firefox 1.0.2, Thunderbird 1.0.2, Mozilla Suite 1.7.6
An GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine. 
Workaround: Turn off image display. Upgrade to the fixed version. 
Mozilla Foundation Security Advisory 2005-31 (CAN-2005-0402)
Title: Arbitrary code execution from Firefox sidebar panel
Severity: Critical
Risk: Moderate
Reporter: Kohei Yoshino
Fixed in: Firefox 1.0.2
If a user bookmarked a malicious page as a Firefox sidebar panel that page could execute arbitrary programs by opening a privileged page and injecting javascript into it. 
Workaround: Do not add sidebar panels. Upgrade to fixed version 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-03-23 11:27:14 UTC
It's out.
Mozilla team, please bump !
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2005-03-23 11:27:37 UTC
*** Bug 86408 has been marked as a duplicate of this bug. ***
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-03-23 13:37:29 UTC
mozilla-firefox-1.0.2 is in
arches, please test and mark stable if possible
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-03-24 01:35:23 UTC
Arches please test and mark stable:

mozilla-firefox-1.0.2: alpha amd64 arm hppa ia64 ppc sparc
mozilla-firefox-bin-1.0.2: amd64
Comment 6 Marcus D. Hanwell (RETIRED) gentoo-dev 2005-03-24 04:30:20 UTC
mozilla-firefox-1.0.2 stable on amd64.
Comment 7 Luca Barbato gentoo-dev 2005-03-24 16:36:42 UTC
ppc stable
Comment 8 Jason Wever (RETIRED) gentoo-dev 2005-03-24 19:23:29 UTC
Stable on SPARC.
Comment 9 SpanKY gentoo-dev 2005-03-24 22:58:05 UTC
marked arm/hppa stable ... alpha/ia64 was already done
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-03-25 00:40:09 UTC
amd64: please mark mozilla-firefox-bin-1.0.2 stable
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2005-03-25 02:57:40 UTC
amd64 done
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-03-25 05:20:36 UTC
GLSA 200503-31