Archives
Archives
| From: | Stefan Cornelius <dercorny@g.o> |
|---|---|
| To: | gentoo-announce@g.o |
| Cc: | bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com |
| Subject: | [gentoo-announce] [ GLSA 200608-02 ] Mozilla SeaMonkey: Multiple vulnerabilities |
| Date: | Thu, 03 Aug 2006 18:24:46 |
| Message-Id: | 200608032022.54999.dercorny@gentoo.org |
| 1 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 2 | Gentoo Linux Security Advisory GLSA 200608-02 |
| 3 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 4 | http://security.gentoo.org/ |
| 5 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 6 | |
| 7 | Severity: Normal |
| 8 | Title: Mozilla SeaMonkey: Multiple vulnerabilities |
| 9 | Date: August 03, 2006 |
| 10 | Bugs: #141842 |
| 11 | ID: 200608-02 |
| 12 | |
| 13 | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 14 | |
| 15 | Synopsis |
| 16 | ======== |
| 17 | |
| 18 | The Mozilla Foundation has reported numerous security vulnerabilities |
| 19 | related to Mozilla SeaMonkey. |
| 20 | |
| 21 | Background |
| 22 | ========== |
| 23 | |
| 24 | The Mozilla SeaMonkey project is a community effort to deliver |
| 25 | production-quality releases of code derived from the application |
| 26 | formerly known as "Mozilla Application Suite". |
| 27 | |
| 28 | Affected packages |
| 29 | ================= |
| 30 | |
| 31 | ------------------------------------------------------------------- |
| 32 | Package / Vulnerable / Unaffected |
| 33 | ------------------------------------------------------------------- |
| 34 | 1 www-client/seamonkey < 1.0.3 >= 1.0.3 |
| 35 | |
| 36 | Description |
| 37 | =========== |
| 38 | |
| 39 | The following vulnerabilities have been reported: |
| 40 | |
| 41 | * Benjamin Smedberg discovered that chrome URL's could be made to |
| 42 | reference remote files. |
| 43 | |
| 44 | * Developers in the Mozilla community looked for and fixed several |
| 45 | crash bugs to improve the stability of Mozilla clients, which could |
| 46 | lead to the execution of arbitrary code by a remote attacker. |
| 47 | |
| 48 | * "shutdown" reports that cross-site scripting (XSS) attacks could be |
| 49 | performed using the construct XPCNativeWrapper(window).Function(...), |
| 50 | which created a function that appeared to belong to the window in |
| 51 | question even after it had been navigated to the target site. |
| 52 | |
| 53 | * "shutdown" reports that scripts granting the UniversalBrowserRead |
| 54 | privilege can leverage that into the equivalent of the far more |
| 55 | powerful UniversalXPConnect since they are allowed to "read" into a |
| 56 | privileged context. |
| 57 | |
| 58 | * "moz_bug_r_a4" reports that A malicious Proxy AutoConfig (PAC) |
| 59 | server could serve a PAC script that can execute code with elevated |
| 60 | privileges by setting the required FindProxyForURL function to the |
| 61 | eval method on a privileged object that leaked into the PAC sandbox. |
| 62 | |
| 63 | * "moz_bug_r_a4" discovered that Named JavaScript functions have a |
| 64 | parent object created using the standard Object() constructor |
| 65 | (ECMA-specified behavior) and that this constructor can be redefined |
| 66 | by script (also ECMA-specified behavior). |
| 67 | |
| 68 | * Igor Bukanov and shutdown found additional places where an untimely |
| 69 | garbage collection could delete a temporary object that was in active |
| 70 | use. |
| 71 | |
| 72 | * Georgi Guninski found potential integer overflow issues with long |
| 73 | strings in the toSource() methods of the Object, Array and String |
| 74 | objects as well as string function arguments. |
| 75 | |
| 76 | * H. D. Moore reported a testcase that was able to trigger a race |
| 77 | condition where JavaScript garbage collection deleted a temporary |
| 78 | variable still being used in the creation of a new Function object. |
| 79 | |
| 80 | * A malicious page can hijack native DOM methods on a document object |
| 81 | in another domain, which will run the attacker's script when called |
| 82 | by the victim page. |
| 83 | |
| 84 | * Secunia Research has discovered a vulnerability which is caused due |
| 85 | to an memory corruption error within the handling of simultaneously |
| 86 | happening XPCOM events. This leads to use of a deleted timer object. |
| 87 | |
| 88 | * An anonymous researcher for TippingPoint and the Zero Day |
| 89 | Initiative showed that when used in a web page Java would reference |
| 90 | properties of the window.navigator object as it started up. |
| 91 | |
| 92 | * Thilo Girmann discovered that in certain circumstances a JavaScript |
| 93 | reference to a frame or window was not properly cleared when the |
| 94 | referenced content went away. |
| 95 | |
| 96 | Impact |
| 97 | ====== |
| 98 | |
| 99 | A user can be enticed to open specially crafted URLs, visit webpages |
| 100 | containing malicious JavaScript or execute a specially crafted script. |
| 101 | These events could lead to the execution of arbitrary code, or the |
| 102 | installation of malware on the user's computer. |
| 103 | |
| 104 | Workaround |
| 105 | ========== |
| 106 | |
| 107 | There is no known workaround at this time. |
| 108 | |
| 109 | Resolution |
| 110 | ========== |
| 111 | |
| 112 | All Thunderbird users should upgrade to the latest version: |
| 113 | |
| 114 | # emerge --sync |
| 115 | # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.0.3" |
| 116 | |
| 117 | References |
| 118 | ========== |
| 119 | |
| 120 | [ 1 ] CVE-2006-3113 |
| 121 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113 |
| 122 | [ 2 ] CVE-2006-3677 |
| 123 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677 |
| 124 | [ 3 ] CVE-2006-3801 |
| 125 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801 |
| 126 | [ 4 ] CVE-2006-3802 |
| 127 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3802 |
| 128 | [ 5 ] CVE-2006-3803 |
| 129 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803 |
| 130 | [ 6 ] CVE-2006-3804 |
| 131 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804 |
| 132 | [ 7 ] CVE-2006-3805 |
| 133 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805 |
| 134 | [ 8 ] CVE-2006-3806 |
| 135 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806 |
| 136 | [ 9 ] CVE-2006-3807 |
| 137 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807 |
| 138 | [ 10 ] CVE-2006-3808 |
| 139 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3808 |
| 140 | [ 11 ] CVE-2006-3809 |
| 141 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3809 |
| 142 | [ 12 ] CVE-2006-3810 |
| 143 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3810 |
| 144 | [ 13 ] CVE-2006-3811 |
| 145 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811 |
| 146 | [ 14 ] CVE-2006-3812 |
| 147 | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3812 |
| 148 | |
| 149 | Availability |
| 150 | ============ |
| 151 | |
| 152 | This GLSA and any updates to it are available for viewing at |
| 153 | the Gentoo Security Website: |
| 154 | |
| 155 | http://security.gentoo.org/glsa/glsa-200608-02.xml |
| 156 | |
| 157 | Concerns? |
| 158 | ========= |
| 159 | |
| 160 | Security is a primary focus of Gentoo Linux and ensuring the |
| 161 | confidentiality and security of our users machines is of utmost |
| 162 | importance to us. Any security concerns should be addressed to |
| 163 | security@g.o or alternatively, you may file a bug at |
| 164 | http://bugs.gentoo.org. |
| 165 | |
| 166 | License |
| 167 | ======= |
| 168 | |
| 169 | Copyright 2006 Gentoo Foundation, Inc; referenced text |
| 170 | belongs to its owner(s). |
| 171 | |
| 172 | The contents of this document are licensed under the |
| 173 | Creative Commons - Attribution / Share Alike license. |
| 174 | |
| 175 | http://creativecommons.org/licenses/by-sa/2.5 |