From: | Stefan Cornelius <dercorny@g.o> |
---|---|
To: | gentoo-announce@g.o |
Cc: | bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com |
Subject: | [gentoo-announce] [ GLSA 200608-02 ] Mozilla SeaMonkey: Multiple vulnerabilities |
Date: | Thu, 03 Aug 2006 18:24:46 |
Message-Id: | 200608032022.54999.dercorny@gentoo.org |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200608-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla SeaMonkey: Multiple vulnerabilities
      Date: August 03, 2006
      Bugs: #141842
        ID: 200608-02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Mozilla Foundation has reported numerous security vulnerabilities
related to Mozilla SeaMonkey.

Background
==========

The Mozilla SeaMonkey project is a community effort to deliver
production-quality releases of code derived from the application
formerly known as "Mozilla Application Suite".

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /             Unaffected
    -------------------------------------------------------------------
  1  www-client/seamonkey            < 1.0.3                   >= 1.0.3

Description
===========

The following vulnerabilities have been reported:

* Benjamin Smedberg discovered that chrome URLs could be made to
  reference remote files.

* Developers in the Mozilla community looked for and fixed several
  crash bugs to improve the stability of Mozilla clients; some of these
  bugs could lead to the execution of arbitrary code by a remote
  attacker.

* "shutdown" reports that cross-site scripting (XSS) attacks could be
  performed using the construct XPCNativeWrapper(window).Function(...),
  which created a function that appeared to belong to the window in
  question even after it had been navigated to the target site.

* "shutdown" reports that scripts granted the UniversalBrowserRead
  privilege can leverage that into the equivalent of the far more
  powerful UniversalXPConnect, since they are allowed to "read" into a
  privileged context.

* "moz_bug_r_a4" reports that a malicious Proxy AutoConfig (PAC)
  server could serve a PAC script that executes code with elevated
  privileges by setting the required FindProxyForURL function to the
  eval method of a privileged object that leaked into the PAC sandbox.

* "moz_bug_r_a4" discovered that named JavaScript functions have a
  parent object created using the standard Object() constructor
  (ECMA-specified behavior) and that this constructor can be redefined
  by script (also ECMA-specified behavior).

* Igor Bukanov and "shutdown" found additional places where an untimely
  garbage collection could delete a temporary object that was still in
  active use.

* Georgi Guninski found potential integer overflow issues with long
  strings in the toSource() methods of the Object, Array and String
  objects, as well as in string function arguments.

* H. D. Moore reported a test case that was able to trigger a race
  condition where JavaScript garbage collection deleted a temporary
  variable still being used in the creation of a new Function object.

* A malicious page can hijack native DOM methods on a document object
  in another domain; the attacker's script then runs when the victim
  page calls those methods.

* Secunia Research has discovered a vulnerability caused by a memory
  corruption error in the handling of simultaneous XPCOM events, which
  leads to the use of a deleted timer object.

* An anonymous researcher for TippingPoint and the Zero Day Initiative
  showed that, when used in a web page, Java would reference properties
  of the window.navigator object as it started up.

* Thilo Girmann discovered that in certain circumstances a JavaScript
  reference to a frame or window was not properly cleared when the
  referenced content went away.

Impact
======

A user can be enticed to open specially crafted URLs, visit web pages
containing malicious JavaScript or execute a specially crafted script.
These events could lead to the execution of arbitrary code, or the
installation of malware on the user's computer.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla SeaMonkey users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.0.3"
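Whether an installed build falls inside the "Vulnerable" column is decided by Portage's version ordering, not by plain string comparison: 1.0.3_rc1 and 1.0.2-r1 both sort below 1.0.3 and are therefore still vulnerable, while 1.0.3-r1 is not. The script below is an added example, not code from this advisory, from Portage or from gentoolkit: it parses the advisory's affected-packages row and classifies constructed sample versions against it using a simplified subset of Portage version ordering. The names AFFECTED_LINE, SAMPLE_INSTALLED, parse_version, satisfies, parse_affected_line and is_vulnerable are this example's own.

```python
"""Decide whether an installed Gentoo package version falls inside the
"Vulnerable" column of a GLSA affected-packages row.

Added example: not code from GLSA 200608-02, Portage or gentoolkit.
It implements a simplified subset of Portage version ordering (numeric
components, an optional trailing letter, the _alpha/_beta/_pre/_rc/_p
suffixes and a -rN revision).  Leading-zero components and other corner
cases of the full specification are deliberately not handled.
"""
import re

# The advisory's own affected-packages row: index, package, vulnerable, unaffected.
AFFECTED_LINE = "  1  www-client/seamonkey            < 1.0.3                   >= 1.0.3"

# Constructed installed versions for illustration (not taken from the advisory).
SAMPLE_INSTALLED = ["1.0", "1.0.2", "1.0.2-r1", "1.0.3_rc1", "1.0.3", "1.0.3-r1", "1.0.4"]

# Pre-release suffixes sort below the plain release, _p (patch level) sorts above it.
_SUFFIX_RANK = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, "p": 1}
_RELEASE = (0, 0)  # sentinel meaning "no further suffix", i.e. the release itself

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)
_RANGE_RE = re.compile(r"^(?P<op><=|>=|<|>|=)\s*(?P<ver>\S+)$")
_AFFECTED_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<pkg>[\w+.-]+/[\w+.-]+)\s+"
    r"(?P<vuln>(?:<=|>=|<|>|=)\s*\S+)\s+(?P<unaff>(?:<=|>=|<|>|=)\s*\S+)\s*$"
)


def parse_version(version):
    """Map a Portage-style version string to a tuple that compares in Portage order."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError("unsupported version syntax: %r" % version)
    nums = tuple(int(n) for n in m.group("nums").split("."))
    letter = ord(m.group("letter")) if m.group("letter") else 0
    suffixes = [(_SUFFIX_RANK[name], int(num or 0))
                for name, num in re.findall(r"_(alpha|beta|pre|rc|p)(\d*)", m.group("suffixes"))]
    # Padding with the release sentinel makes 1.0.3_rc1 < 1.0.3 < 1.0.3_p1
    # (and 1.0_beta1_rc1 < 1.0_beta1) fall out of plain tuple ordering.
    suffixes.append(_RELEASE)
    return (nums, letter, tuple(suffixes), int(m.group("rev") or 0))


def satisfies(installed, spec):
    """True if `installed` lies inside a GLSA range such as '< 1.0.3' or '>= 1.0.3'."""
    m = _RANGE_RE.match(spec.strip())
    if not m:
        raise ValueError("unsupported range syntax: %r" % spec)
    have, want = parse_version(installed), parse_version(m.group("ver"))
    return {"<": have < want, "<=": have <= want, ">": have > want,
            ">=": have >= want, "=": have == want}[m.group("op")]


def parse_affected_line(line):
    """Split one row of the 'Package / Vulnerable / Unaffected' table into its three fields."""
    m = _AFFECTED_RE.match(line)
    if not m:
        raise ValueError("not an affected-packages row: %r" % line)
    return m.group("pkg"), m.group("vuln"), m.group("unaff")


def is_vulnerable(installed, entry):
    """An installed version is vulnerable when it is inside the Vulnerable range and
    outside the Unaffected range; the Unaffected column wins if both happen to match."""
    _pkg, vulnerable, unaffected = entry
    if satisfies(installed, unaffected):
        return False
    return satisfies(installed, vulnerable)


if __name__ == "__main__":
    entry = parse_affected_line(AFFECTED_LINE)
    for version in SAMPLE_INSTALLED:
        state = "VULNERABLE" if is_vulnerable(version, entry) else "unaffected"
        print("%s-%s: %s" % (entry[0], version, state))
```

On a live Gentoo system the supported way to make this check is gentoolkit's `glsa-check -t 200608-02` (or `glsa-check -t all`), which does the same comparison against the installed package database; the script is useful mainly to see why a `_rc` or `-rN` version lands on the side of the range it does. To test a real box with it, pass the version part of the atoms printed by `qlist -ICv www-client/seamonkey` (portage-utils) to is_vulnerable.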

References
==========

  [ 1 ] CVE-2006-3113
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113
  [ 2 ] CVE-2006-3677
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677
  [ 3 ] CVE-2006-3801
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801
  [ 4 ] CVE-2006-3802
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3802
  [ 5 ] CVE-2006-3803
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803
  [ 6 ] CVE-2006-3804
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804
  [ 7 ] CVE-2006-3805
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805
  [ 8 ] CVE-2006-3806
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806
  [ 9 ] CVE-2006-3807
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807
  [ 10 ] CVE-2006-3808
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3808
  [ 11 ] CVE-2006-3809
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3809
  [ 12 ] CVE-2006-3810
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3810
  [ 13 ] CVE-2006-3811
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811
  [ 14 ] CVE-2006-3812
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3812

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200608-02.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5