Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 95199 - www-client/mozilla-firefox{-bin} 1.0.5 fixes multiple vulnerabilities
Summary: www-client/mozilla-firefox{-bin} 1.0.5 fixes multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Other
: High major (vote)
Assignee: Gentoo Security
URL: http://www.mozilla.org/projects/secur...
Whiteboard: A2 [glsa] koon
Keywords:
: 98838 (view as bug list)
Depends on:
Blocks:
 
Reported: 2005-06-06 04:29 UTC by Aarni Honka
Modified: 2005-08-15 21:40 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aarni Honka 2005-06-06 04:29:19 UTC
TITLE:
Mozilla / Mozilla Firefox Frame Injection Vulnerability

SECUNIA ADVISORY ID:
SA15601

VERIFY ADVISORY:
http://secunia.com/advisories/15601/

CRITICAL:
Moderately critical

IMPACT:
Spoofing

WHERE:
From remote

SOFTWARE:
Mozilla Firefox 1.x
http://secunia.com/product/4227/
Mozilla 1.7.x
http://secunia.com/product/3691/

DESCRIPTION:
A seven year old vulnerability has been re-introduced in Mozilla and
Firefox, which can be exploited by malicious people to spoof the
contents of web sites.

For more information:
SA11978

Secunia has constructed a test, which can be used to check if your
browser is affected:
http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

The vulnerability has been confirmed in Firefox 1.0.4 and Mozilla
1.7.8. Other versions may also be affected.

SOLUTION:
Do not browse untrusted web sites while browsing trusted sites.

PROVIDED AND/OR DISCOVERED BY:
Reported in Firefox by:
brainsoft

OTHER REFERENCES:
SA11978:
http://secunia.com/advisories/11978/
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-06-24 05:36:22 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=296850

Was fixed by bug 246448 in Mozilla 1.7 and remained fixed through Firefox 1.0.2
Firefox 1.0.3 and Mozilla 1.7.7 are vulnerable again

Fixed on trunk and branches as of 2005-06-08.
Waiting for a release.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2005-07-12 21:28:31 UTC
Mozilla released a new version today, this and several other (also critical)
vulnerabilities seem to be fixed in 1.0.5.
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Firefox
Comment 3 Jory A. Pratt 2005-07-12 22:42:56 UTC
firefox-1.0.5 binary ebuild update. Will bump source as soon as mirrors are
seeded and we have a download for it.
Comment 4 Tobias Sager 2005-07-13 00:40:29 UTC
See also bug 98846.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-07-13 01:00:00 UTC
OK... Organizing stuff, this one is for the Firefox issues :

Fixed in Firefox 1.0.5
 MFSA 2005-56 Code execution through shared function objects
 MFSA 2005-55 XHTML node spoofing
 MFSA 2005-54 Javascript prompt origin spoofing
 MFSA 2005-53 Standalone applications can run arbitrary code through the browser
 MFSA 2005-52 Same origin violation: frame calling top.focus()
 MFSA 2005-51 The return of frame-injection spoofing
 MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
 MFSA 2005-49 Script injection from Firefox sidebar panel using data:
 MFSA 2005-48 Same-origin violation with InstallTrigger callback
 MFSA 2005-47 Code execution via "Set as Wallpaper"
 MFSA 2005-46 XBL scripts ran even when Javascript disabled
 MFSA 2005-45 Content-generated event vulnerabilities

Waiting for the source ebuild.
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2005-07-13 02:34:09 UTC
*** Bug 98838 has been marked as a duplicate of this bug. ***
Comment 7 Giacomo Perale 2005-07-13 03:19:12 UTC
Any chance to see the enhancements of bug #86070 in the new firefox ebuild?
Comment 8 Jory A. Pratt 2005-07-13 09:24:57 UTC
this is a security bump no time to add enhancemen. Source build is in portage
when security team is ready we can call for archs to stabilize.
Comment 9 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-13 09:52:46 UTC
Arches please test and mark stable.  
  
Target keywords:  
  
mozilla-firefox-1.0.5: alpha amd64 arm hppa ia64 ppc sparc x86  
mozilla-firefox-bin-1.0.5: -* x86 amd64 
Comment 10 Jory A. Pratt 2005-07-13 10:29:49 UTC
Stable on PPC
Comment 11 Herbie Hopkins (RETIRED) gentoo-dev 2005-07-13 14:00:46 UTC
mozilla-firefox{,-bin} stable on amd64
Comment 12 Gustavo Zacarias (RETIRED) gentoo-dev 2005-07-13 14:14:03 UTC
sparc stable.
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2005-07-14 08:46:29 UTC
Stable on hppa.
Comment 14 Bryan Østergaard (RETIRED) gentoo-dev 2005-07-14 13:34:38 UTC
Stable on alpha + ia64.
Comment 15 Aron Griffis (RETIRED) gentoo-dev 2005-07-14 14:57:11 UTC
stable on x86
Comment 16 Sebastian 2005-07-14 22:21:40 UTC
Wouldn't it be a good idea to add a glsa so that hopefully all users will update?

Cheers

Sebastian
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2005-07-14 22:31:45 UTC
This one is ready for GLSA. 
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-07-15 01:37:31 UTC
GLSA 200507-14
arm should mark stable to benefit from GLSA