Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 200505-11 ] Mozilla Suite, Mozilla Firefox: Remote compromise
Date: Sun, 15 May 2005 10:11:03
Message-Id: 200505151211.06791.jaervosz@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200505-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Suite, Mozilla Firefox: Remote compromise
      Date: May 15, 2005
      Bugs: #91859, #92393, #92394
        ID: 200505-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities in the Mozilla Suite and Firefox allow an
attacker to conduct cross-site scripting attacks or to execute
arbitrary code.

Background
==========

The Mozilla Suite is a popular all-in-one web browser that includes a
mail and news reader. Mozilla Firefox is the next-generation browser
from the Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                         /  Vulnerable  /       Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla-firefox           < 1.0.4             >= 1.0.4
  2  www-client/mozilla-firefox-bin       < 1.0.4             >= 1.0.4
  3  www-client/mozilla                   < 1.7.8             >= 1.7.8
  4  www-client/mozilla-bin               < 1.7.8             >= 1.7.8
    -------------------------------------------------------------------
     4 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

The Mozilla Suite and Firefox do not properly protect "IFRAME"
JavaScript URLs from being executed in context of another URL in the
history list (CAN-2005-1476). The Mozilla Suite and Firefox also fail
to verify the "IconURL" parameter of the "InstallTrigger.install()"
function (CAN-2005-1477). Michael Krax and Georgi Guninski discovered
that it is possible to bypass JavaScript-injection security checks by
wrapping the javascript: URL within the view-source: or jar:
pseudo-protocols (MFSA2005-43).

Impact
======

A malicious remote attacker could use the "IFRAME" issue to execute
arbitrary JavaScript code within the context of another website,
allowing the attacker to steal cookies or other sensitive data. By
supplying a javascript: URL as the "IconURL" parameter of the
"InstallTrigger.install()" function, a remote attacker could also
execute arbitrary JavaScript code. Combining both vulnerabilities with
a website which is allowed to install software or wrapping javascript:
URLs within the view-source: or jar: pseudo-protocols could possibly
lead to the execution of arbitrary code with user privileges.

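The wrapping bypass described under Description and Impact, as an added
example that is not part of the original advisory and is not Mozilla's
code: a check on the outermost scheme alone accepts a wrapped javascript:
URL, while peeling the view-source: and jar: wrappers and allowlisting the
innermost scheme rejects it. The function names, the allowlist and the
sample URLs are assumptions constructed for illustration.

```javascript
// Added example (not Mozilla's code). WRAPPERS and ALLOWED are assumptions.
const WRAPPERS = new Set(["view-source", "jar"]); // wrappers named in the advisory
const ALLOWED = new Set(["http", "https"]);       // assumed policy for an icon URL
const MAX_DEPTH = 8;                              // refuse pathological nesting

// Denylist on the outermost scheme only: the kind of check wrapping defeats.
function naiveCheck(url) {
  return !/^javascript:/i.test(url);
}

// Return every scheme from the outside in, e.g. ["jar", "view-source", "javascript"],
// or null when the input has no scheme or nests deeper than MAX_DEPTH.
function schemeChain(url) {
  // URL parsers drop leading control characters/spaces and embedded tab/CR/LF.
  let rest = String(url).replace(/^[\u0000-\u0020]+/, "").replace(/[\t\r\n]/g, "");
  const chain = [];
  for (let depth = 0; depth < MAX_DEPTH; depth++) {
    const m = /^([a-z][a-z0-9+.-]*):(.*)$/is.exec(rest);
    if (!m) return null;
    const scheme = m[1].toLowerCase();
    chain.push(scheme);
    if (!WRAPPERS.has(scheme)) return chain;
    rest = m[2]; // keep peeling: a wrapper's payload is itself a URL
  }
  return null;
}

// Allowlist on the innermost scheme, after all wrappers are removed.
function strictCheck(url) {
  const chain = schemeChain(url);
  return chain !== null && ALLOWED.has(chain[chain.length - 1]);
}

// Constructed sample inputs with inert payloads.
const SAMPLES = [
  "https://example.org/icon.png",
  "javascript:void(0)",
  "view-source:javascript:void(0)",
  "jar:view-source:javascript:void(0)",
  "jar:https://example.org/pkg.jar!/icon.png",
];

// One row per sample: what each check decides.
function compare(samples) {
  return samples.map((u) => ({ url: u, naive: naiveCheck(u), strict: strictCheck(u) }));
}

console.table(compare(SAMPLES));
```
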
Workaround
==========

Affected systems can be protected by disabling JavaScript. However, we
encourage Mozilla Suite or Mozilla Firefox users to upgrade to the
latest available version.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.4"

All Mozilla Firefox binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.4"

All Mozilla Suite users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.8"

All Mozilla Suite binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.8"

References
==========

  [ 1 ] CAN-2005-1476
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1476
  [ 2 ] CAN-2005-1477
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1477
  [ 3 ] Mozilla Foundation Security Advisory 2005-43
        http://www.mozilla.org/security/announce/mfsa2005-43.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200505-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0