TITLE: Mozilla / Mozilla Firefox Frame Injection Vulnerability

SECUNIA ADVISORY ID: SA15601

VERIFY ADVISORY: http://secunia.com/advisories/15601/

CRITICAL: Moderately critical

IMPACT: Spoofing

WHERE: From remote

SOFTWARE:
Mozilla Firefox 1.x
http://secunia.com/product/4227/
Mozilla 1.7.x
http://secunia.com/product/3691/

DESCRIPTION:
A seven-year-old vulnerability has been re-introduced in Mozilla and Firefox, which can be exploited by malicious people to spoof the contents of web sites.

For more information: SA11978

Secunia has constructed a test, which can be used to check if your browser is affected:
http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

The vulnerability has been confirmed in Firefox 1.0.4 and Mozilla 1.7.8. Other versions may also be affected.

SOLUTION:
Do not browse untrusted web sites while browsing trusted sites.

PROVIDED AND/OR DISCOVERED BY:
Reported in Firefox by: brainsoft

OTHER REFERENCES:
SA11978: http://secunia.com/advisories/11978/
https://bugzilla.mozilla.org/show_bug.cgi?id=296850
Was fixed by bug 246448 in Mozilla 1.7 and remained fixed through Firefox 1.0.2. Firefox 1.0.3 and Mozilla 1.7.7 are vulnerable again. Fixed on trunk and branches as of 2005-06-08. Waiting for a release.
Mozilla released a new version today; this and several other (also critical) vulnerabilities seem to be fixed in 1.0.5.
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
firefox-1.0.5 binary ebuild update. Will bump source as soon as mirrors are seeded and we have a download for it.
See also bug 98846.
OK... Organizing stuff, this one is for the Firefox issues:

Fixed in Firefox 1.0.5:
MFSA 2005-56 Code execution through shared function objects
MFSA 2005-55 XHTML node spoofing
MFSA 2005-54 Javascript prompt origin spoofing
MFSA 2005-53 Standalone applications can run arbitrary code through the browser
MFSA 2005-52 Same origin violation: frame calling top.focus()
MFSA 2005-51 The return of frame-injection spoofing
MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
MFSA 2005-49 Script injection from Firefox sidebar panel using data:
MFSA 2005-48 Same-origin violation with InstallTrigger callback
MFSA 2005-47 Code execution via "Set as Wallpaper"
MFSA 2005-46 XBL scripts ran even when Javascript disabled
MFSA 2005-45 Content-generated event vulnerabilities

Waiting for the source ebuild.
*** Bug 98838 has been marked as a duplicate of this bug. ***
Any chance to see the enhancements of bug #86070 in the new firefox ebuild?
This is a security bump, no time to add enhancements. Source build is in portage; when the security team is ready we can call for archs to stabilize.
Arches please test and mark stable. Target keywords:
mozilla-firefox-1.0.5: alpha amd64 arm hppa ia64 ppc sparc x86
mozilla-firefox-bin-1.0.5: -* x86 amd64
Stable on PPC
mozilla-firefox{,-bin} stable on amd64
sparc stable.
Stable on hppa.
Stable on alpha + ia64.
stable on x86
Wouldn't it be a good idea to add a GLSA so that hopefully all users will update?
Cheers,
Sebastian
This one is ready for GLSA.
GLSA 200507-14. arm should mark stable to benefit from the GLSA.