- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200503-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Suite: Multiple vulnerabilities
      Date: March 25, 2005
      Bugs: #84074
        ID: 200503-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Mozilla Suite is vulnerable to multiple issues ranging from the
remote execution of arbitrary code to various issues allowing an
attacker to trick the user into trusting fake web sites or interacting
with privileged content.

Background
==========

The Mozilla Suite is a popular all-in-one web browser that includes a
mail and news reader.

Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla             < 1.7.6                   >= 1.7.6
  2  www-client/mozilla-bin         < 1.7.6                   >= 1.7.6
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

The following vulnerabilities were found and fixed in the Mozilla
Suite:

  * Mark Dowd from ISS X-Force reported an exploitable heap overrun in
    the GIF processing of obsolete Netscape extension 2 (CAN-2005-0399)

  * Michael Krax reported that plugins can be used to load privileged
    content and trick the user into interacting with it (CAN-2005-0232,
    CAN-2005-0527)

  * Michael Krax also reported potential spoofing or
    cross-site-scripting issues through overlapping windows, image or
    scrollbar drag-and-drop, and by dropping javascript: links on tabs
    (CAN-2005-0230, CAN-2005-0231, CAN-2005-0401, CAN-2005-0591)

  * Daniel de Wildt and Gael Delalleau discovered a memory overwrite in
    a string library (CAN-2005-0255)

  * Wind Li discovered a possible heap overflow in UTF8 to Unicode
    conversion (CAN-2005-0592)

  * Eric Johanson reported that Internationalized Domain Name (IDN)
    features allow homograph attacks (CAN-2005-0233)

  * Mook, Doug Turner, Kohei Yoshino and M. Deaudelin reported various
    ways of spoofing the SSL "secure site" indicator (CAN-2005-0593)

  * Georgi Guninski discovered that XSLT can include stylesheets from
    arbitrary hosts (CAN-2005-0588)

  * Secunia discovered a way of injecting content into a popup opened
    by another website (CAN-2004-1156)

  * Phil Ringnalda reported a possible way to spoof the Install source
    with user:pass@host (CAN-2005-0590)

  * Jakob Balle from Secunia discovered a possible way of spoofing the
    Download dialog source (CAN-2005-0585)

  * Christian Schmidt reported a potential spoofing issue in the HTTP
    auth prompt tab (CAN-2005-0584)

  * Finally, Tavis Ormandy of the Gentoo Linux Security Audit Team
    discovered that Mozilla insecurely creates temporary filenames in
    /tmp/plugtmp (CAN-2005-0578)
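
Of the issues above, the IDN homograph problem (CAN-2005-0233) is one a
defender can also screen for on their own side, for example over proxy or
mail logs. The following Python example is added here and is not part of
the advisory or of Mozilla: it decodes punycode (xn--) labels and flags
hostnames whose labels mix Unicode scripts, which is what a look-alike
domain does. The sample hostnames are constructed.

```python
import unicodedata

# Constructed sample hostnames (not taken from the advisory): an ASCII name
# and a look-alike whose second letter is Cyrillic "а" (U+0430), not Latin "a".
SAMPLE_HOSTS = [
    "paypal.example",
    "p\u0430ypal.example",
]


def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so their real characters can be inspected."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def label_scripts(label: str) -> set:
    """Script family of every letter in a label, e.g. {"LATIN", "CYRILLIC"}.

    The first word of a character's Unicode name is its script
    ("CYRILLIC SMALL LETTER A"); digits and hyphens are skipped.
    """
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if ch.isalpha()
    }


def homograph_findings(host: str) -> list:
    """Return one finding per suspicious label; an empty list means no finding."""
    findings = []
    for label in to_unicode_host(host).split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"{label!r}: mixes scripts {sorted(scripts)}")
        elif not label.isascii():
            # A single non-Latin script is legitimate for many sites, but is
            # still worth surfacing when the rest of the name is ASCII.
            findings.append(f"{label!r}: non-ASCII label {sorted(scripts)}")
    return findings


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        wire = host.encode("idna").decode("ascii")  # form sent to DNS / HTTP
        print(wire, "->", homograph_findings(wire) or "ok")
```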

Impact
======

  * The GIF heap overflow could be triggered by a malicious GIF image
    that would end up executing arbitrary code with the rights of the
    user running Mozilla. The other overflow issues, while not thought
    to be exploitable, would have the same impact.

  * By setting up malicious websites and convincing users to follow
    untrusted links or obey very specific drag-and-drop or download
    instructions, attackers may leverage the various spoofing issues to
    fake other websites to get access to confidential information, push
    users to download malicious files or make them interact with their
    browser preferences.

  * The temporary directory issue allows local attackers to overwrite
    arbitrary files with the rights of another local user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Suite users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.6"

All Mozilla Suite binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.6"

References
==========

  [ 1 ] CAN-2004-1156
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1156
  [ 2 ] CAN-2005-0230
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0230
  [ 3 ] CAN-2005-0231
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0231
  [ 4 ] CAN-2005-0232
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0232
  [ 5 ] CAN-2005-0233
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0233
  [ 6 ] CAN-2005-0255
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0255
  [ 7 ] CAN-2005-0399
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0399
  [ 8 ] CAN-2005-0401
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0401
  [ 9 ] CAN-2005-0527
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0527
  [ 10 ] CAN-2005-0578
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0578
  [ 11 ] CAN-2005-0584
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0584
  [ 12 ] CAN-2005-0585
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0585
  [ 13 ] CAN-2005-0588
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0588
  [ 14 ] CAN-2005-0590
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0590
  [ 15 ] CAN-2005-0591
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0591
  [ 16 ] CAN-2005-0592
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0592
  [ 17 ] CAN-2005-0593
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0593
  [ 18 ] Mozilla Security Advisories
        http://www.mozilla.org/projects/security/known-vulnerabilities.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200503-30.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0