See:
http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0123.html
http://www.securityfocus.com/archive/1/397747/2005-05-05/2005-05-11/0
Mozilla please advise.
Updates (solution?) from Secunia:
Mozilla Firefox is prone to a security vulnerability that could result in the execution of arbitrary code without requiring user interaction. Initial analysis of the vulnerability reveals that the vulnerability relies on a three-stage attack that may lead to an arbitrary script gaining 'UniversalXPConnect' privileges. It was observed that this issue might be exploited remotely to take privileged actions on the vulnerable computer in the context of the user that is running the affected browser. This vulnerability is reported in all versions of Mozilla Firefox browsers up to 1.0.3.
*Update: The cross-site scripting vulnerability that the publicly available exploit relied on in the mozilla.org domain has been fixed. This issue is no longer exploitable through this public attack vector.
Workaround: Symantec has tested the following workaround that can be used to prevent exploitation of this issue. Disable JavaScript:
- In the Firefox 'Tools' Menu, select 'Options'.
- Select the 'Web Features' dialog.
- Uncheck the 'Enable JavaScript' check box.
- Click the OK button.
http://www.securityfocus.com/bid/13544
Sorry, the last one was from securityfocus. However, secunia has this update:
Description: Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL. Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
Solution: Disable JavaScript.
http://secunia.com/advisories/15292/
Mozilla is also vulnerable http://secunia.com/advisories/15296/
Should we issue a temp GLSA on this?
Ubuntu released patches: https://www.ubuntulinux.org/support/documentation/usn/usn-124-1 Mozilla please provide an updated ebuild.
*** Bug 92321 has been marked as a duplicate of this bug. ***
Final 1.0.4 has been released by mozilla.
1.0.4 added for www-client/mozilla-firefox. bin has not been bumped as of yet.
I marked it for ~arch only; all arches need to be added and pushed for stable as soon as possible, seeing that all other versions are still affected.
1.0.4-bin is in the TREE; mark stable as soon as possible.
Thx Jory. Arches please test and mark stable.
Mozilla, we still need an ebuild for Mozilla Suite 1.7.8.
Two more issues added:
http://www.mozilla.org/security/announce/mfsa2005-43.html
http://www.mozilla.org/security/announce/mfsa2005-44.html
And the original one:
http://www.mozilla.org/security/announce/mfsa2005-42.html
CANs are available too: CAN-2005-1476, CAN-2005-1477
mozilla-firefox-1.0.4 stable on ppc. Should we stay in this bug for the Mozilla Suite or will it be another bug?
stabled on amd64
firefox-1.0.4 sparc stable, waiting for regular moz.
mozilla-1.7.8 and mozilla-bin-1.7.8 are now in portage
Thx Aron, amd64 and sparc please mark Mozilla stable.
*** Bug 92393 has been marked as a duplicate of this bug. ***
Handling stable marking for firefox on bug #92393 and mozilla-suite on bug #92394.
Dependencies done for ppc. Removing from this bug.
Please followup to bug 92393 and bug 92394.
GLSA 200505-11
Already stable on hppa