- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200808-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Mozilla products: Multiple vulnerabilities
Date: August 06, 2008
Bugs: #204337, #218065, #230567, #231975
ID: 200808-03

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Mozilla Firefox,
Thunderbird, SeaMonkey and XULRunner, some of which may allow
user-assisted execution of arbitrary code.

Background
==========

Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
'Mozilla Application Suite'. XULRunner is a Mozilla runtime package
that can be used to bootstrap XUL+XPCOM applications like Firefox and
Thunderbird.

Affected packages
=================

-------------------------------------------------------------------
   Package                  /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
1  mozilla-firefox             < 2.0.0.16     >= 2.0.0.16
2  mozilla-firefox-bin         < 2.0.0.16     >= 2.0.0.16
3  mozilla-thunderbird         < 2.0.0.16     >= 2.0.0.16
4  mozilla-thunderbird-bin     < 2.0.0.16     >= 2.0.0.16
5  seamonkey                   < 1.1.11       >= 1.1.11
6  seamonkey-bin               < 1.1.11       >= 1.1.11
7  xulrunner                   < 1.8.1.16     >= 1.8.1.16
8  xulrunner-bin               < 1.8.1.16     >= 1.8.1.16
-------------------------------------------------------------------
8 affected packages on all of their supported architectures.
-------------------------------------------------------------------

Description
===========

The following vulnerabilities were reported in all mentioned Mozilla
products:

* TippingPoint's Zero Day Initiative reported that an incorrect
  integer data type is used as a CSS object reference counter, leading
  to a counter overflow and a free() of in-use memory (CVE-2008-2785).

* Igor Bukanov, Jesse Ruderman and Gary Kwong reported crashes in the
  JavaScript engine, possibly triggering memory corruption
  (CVE-2008-2799).

* Devon Hubbard, Jesse Ruderman, and Martijn Wargers reported crashes
  in the layout engine, possibly triggering memory corruption
  (CVE-2008-2798).

* moz_bug_r_a4 reported that XUL documents that include a script from
  a chrome: URI that points to a fastload file would be executed with
  the privileges specified in the file (CVE-2008-2802).

* moz_bug_r_a4 reported that the mozIJSSubScriptLoader.LoadScript()
  function only applies XPCNativeWrappers to scripts loaded from
  standard "chrome:" URIs, which could be the case in third-party
  add-ons (CVE-2008-2803).

* Astabis reported a crash in the block reflow implementation related
  to large images (CVE-2008-2811).

* John G. Myers, Frank Benkstein and Nils Toedtmann reported a
  weakness in the trust model used by Mozilla: when a user accepts an
  SSL server certificate on the basis of the CN domain name in the DN
  field, the certificate is also regarded as accepted for all domain
  names in subjectAltName:dNSName fields (CVE-2008-2809).

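The counter overflow behind CVE-2008-2785, modelled as an added example that is not Mozilla's code and not part of the original advisory: a reference counter kept in too narrow an integer wraps around, so a single release marks the object freed while references are still held. The 16-bit width, the `freed` flag standing in for free(), and all names are assumptions chosen for illustration; the saturating variant is one common hardening, not the upstream fix.

```c
#include <stdint.h>
#include <stdio.h>

#define REF_MAX UINT16_MAX  /* assumption: 16-bit counter, width picked for illustration */

struct obj {
    uint16_t refs;
    int freed;              /* stands in for free(); nothing is actually released */
};

/* Vulnerable pattern: a plain increment wraps REF_MAX -> 0 without notice. */
static void addref_wrapping(struct obj *o) { o->refs++; }

static void release_wrapping(struct obj *o) {
    if (--o->refs == 0) o->freed = 1;
}

/* Hardened pattern: once the counter reaches REF_MAX it is pinned there.
   The object leaks, but it can never be freed while references exist. */
static void addref_saturating(struct obj *o) {
    if (o->refs != REF_MAX) o->refs++;
}

static void release_saturating(struct obj *o) {
    if (o->refs == REF_MAX) return;     /* pinned: the count is no longer exact */
    if (--o->refs == 0) o->freed = 1;
}

/* Take `extra` references on a fresh object (the owner already holds 1),
   drop one reference, and report whether the object was marked freed.
   With extra >= 1, a result of 1 means "freed while still in use". */
static int freed_while_in_use(unsigned long extra, int saturating) {
    struct obj o = { 1, 0 };
    for (unsigned long i = 0; i < extra; i++) {
        if (saturating) addref_saturating(&o);
        else            addref_wrapping(&o);
    }
    if (saturating) release_saturating(&o);
    else            release_wrapping(&o);
    return o.freed;
}

int main(void) {
    printf("wrapping,   3 refs:     freed=%d\n", freed_while_in_use(3, 0));
    printf("wrapping,   65536 refs: freed=%d\n", freed_while_in_use(65536UL, 0));
    printf("saturating, 65536 refs: freed=%d\n", freed_while_in_use(65536UL, 1));
    return 0;
}
```
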
The following vulnerabilities were reported in Firefox, SeaMonkey and
XULRunner:

* moz_bug_r_a4 reported that the Same Origin Policy is not properly
  enforced on JavaScript (CVE-2008-2800).

* Collin Jackson and Adam Barth reported that JAR signing is not
  properly implemented, allowing injection of JavaScript into documents
  within a JAR archive (CVE-2008-2801).

* Opera Software reported an error allowing for arbitrary local file
  upload (CVE-2008-2805).

* Daniel Glazman reported that an invalid .properties file for an
  add-on might lead to the usage of uninitialized memory
  (CVE-2008-2807).

* Masahiro Yamada reported that HTML in "file://" URLs in directory
  listings is not properly escaped (CVE-2008-2808).

* Geoff reported that the context of Windows Internet shortcut files
  is not correctly identified (CVE-2008-2810).

* The crash vulnerability (CVE-2008-1380) that was previously
  announced in GLSA 200805-18 is now also resolved in SeaMonkey
  binary ebuilds.

The following vulnerability was reported in Firefox only:

* Billy Rios reported that the pipe character in a command-line URI
  is identified as a request to open multiple tabs, allowing "chrome"
  and "file" URIs to be opened (CVE-2008-2933).

Impact
======

A remote attacker could entice a user to view a specially crafted web
page or email that will trigger one of the vulnerabilities, possibly
leading to the execution of arbitrary code or a Denial of Service. It
is also possible for an attacker to trick a user into uploading
arbitrary files or accepting an invalid certificate for a spoofed web
site, to read uninitialized memory, to violate the Same Origin Policy,
or to conduct Cross-Site Scripting attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot -v ">=www-client/mozilla-firefox-2.0.0.16"

All Mozilla Firefox binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=www-client/mozilla-firefox-bin-2.0.0.16"

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=mail-client/mozilla-thunderbird-2.0.0.16"

All Mozilla Thunderbird binary users should upgrade to the latest
version:

    # emerge --sync
    # emerge -a -1 -v ">=mail-client/mozilla-thunderbird-bin-2.0.0.16"

All SeaMonkey users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.11"

All SeaMonkey binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot -v ">=www-client/seamonkey-bin-1.1.11"

All XULRunner users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.16"

All XULRunner binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot -v ">=net-libs/xulrunner-bin-1.8.1.16"

References
==========

[ 1 ] CVE-2008-1380
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1380
[ 2 ] CVE-2008-2785
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785
[ 3 ] CVE-2008-2798
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2798
[ 4 ] CVE-2008-2799
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2799
[ 5 ] CVE-2008-2800
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2800
[ 6 ] CVE-2008-2801
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2801
[ 7 ] CVE-2008-2802
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2802
[ 8 ] CVE-2008-2803
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2803
[ 9 ] CVE-2008-2805
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2805
[ 10 ] CVE-2008-2807
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2807
[ 11 ] CVE-2008-2808
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2808
[ 12 ] CVE-2008-2809
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2809
[ 13 ] CVE-2008-2810
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2810
[ 14 ] CVE-2008-2811
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2811
[ 15 ] CVE-2008-2933
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2933
[ 16 ] GLSA 200805-18
       http://www.gentoo.org/security/en/glsa/glsa-200805-18.xml

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200808-03.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5