- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200805-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Mozilla products: Multiple vulnerabilities
Date: May 20, 2008
Bugs: #208128, #214816, #218065
ID: 200805-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Mozilla Firefox,
Thunderbird, SeaMonkey and XULRunner, some of which may allow
user-assisted execution of arbitrary code.

Background
==========

Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
'Mozilla Application Suite'. XULRunner is a Mozilla runtime package
that can be used to bootstrap XUL+XPCOM applications like Firefox and
Thunderbird.

Affected packages
=================

    -------------------------------------------------------------------
     Package                       /  Vulnerable  /          Unaffected
    -------------------------------------------------------------------
  1  mozilla-firefox                  < 2.0.0.14              >= 2.0.0.14
  2  mozilla-firefox-bin              < 2.0.0.14              >= 2.0.0.14
  3  mozilla-thunderbird              < 2.0.0.14              >= 2.0.0.14
  4  mozilla-thunderbird-bin          < 2.0.0.14              >= 2.0.0.14
  5  seamonkey                        < 1.1.9-r1              >= 1.1.9-r1
  6  seamonkey-bin                    < 1.1.9                 >= 1.1.9
  7  xulrunner                        < 1.8.1.14              >= 1.8.1.14
    -------------------------------------------------------------------
     7 affected packages on all of their supported architectures.
    -------------------------------------------------------------------
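The table above gives, for each package, the first version that is not affected. The following Python script is an added example (it is not part of the Gentoo advisory and not Gentoo's own tooling) that checks a set of installed package versions against that table and reports which ones still need the upgrade. The package atoms with their categories are taken from the Resolution section of this advisory; the installed versions in SAMPLE_INSTALLED are constructed for illustration; and the version comparison is a simplified subset of Gentoo's version rules (dotted numeric components plus an optional -rN revision, no letter or _suffix components, no leading zeros), which is enough for every version named in this advisory.

```python
"""Check installed Gentoo package versions against the GLSA 200805-18
affected-packages table.

Added example, not part of the Gentoo advisory or of Gentoo's tooling.
The version comparison is a simplified subset of the Gentoo version
rules: dotted numeric components followed by an optional "-rN" revision.
It assumes no letter or _alpha/_beta/_p style suffixes and no components
with leading zeros, which holds for every version in this advisory.
"""
import re
from typing import Dict, List, Tuple

# "Unaffected" column of the advisory's table, keyed by the full atoms
# used in its Resolution section. A package is vulnerable if its
# installed version is strictly below the value here.
UNAFFECTED: Dict[str, str] = {
    "www-client/mozilla-firefox": "2.0.0.14",
    "www-client/mozilla-firefox-bin": "2.0.0.14",
    "mail-client/mozilla-thunderbird": "2.0.0.14",
    "mail-client/mozilla-thunderbird-bin": "2.0.0.14",
    "www-client/seamonkey": "1.1.9-r1",
    "www-client/seamonkey-bin": "1.1.9",
    "net-libs/xulrunner": "1.8.1.14",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version: str) -> Tuple[List[int], int]:
    """Split "1.1.9-r1" into ([1, 1, 9], 1); a missing -rN means revision 0."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    components = [int(part) for part in m.group(1).split(".")]
    revision = int(m.group(2) or 0)
    return components, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is below, equal to, or above b.

    Components are compared numerically, so 2.0.0.9 sorts below 2.0.0.14
    (a plain string comparison would get this wrong). A version with
    fewer components sorts below one that extends it, and the revision
    is compared last, so 1.1.9 is below 1.1.9-r1.
    """
    key_a = parse_version(a)
    key_b = parse_version(b)
    return (key_a > key_b) - (key_a < key_b)


def is_vulnerable(package: str, installed_version: str) -> bool:
    """True if the installed version of `package` is below the unaffected one."""
    if package not in UNAFFECTED:
        return False  # not covered by this advisory
    return compare_versions(installed_version, UNAFFECTED[package]) < 0


def check_installed(installed: Dict[str, str]) -> List[str]:
    """Return the sorted list of affected atoms from {atom: installed_version}."""
    return sorted(pkg for pkg, ver in installed.items() if is_vulnerable(pkg, ver))


# Constructed sample of one host's installed versions (not a real system).
# On a Gentoo box these come from the directory names under /var/db/pkg.
SAMPLE_INSTALLED: Dict[str, str] = {
    "www-client/mozilla-firefox": "2.0.0.13",
    "www-client/seamonkey": "1.1.9",
    "www-client/seamonkey-bin": "1.1.9",
    "net-libs/xulrunner": "1.8.1.14",
    "mail-client/mozilla-thunderbird": "2.0.0.9",
}

if __name__ == "__main__":
    affected = check_installed(SAMPLE_INSTALLED)
    for pkg in affected:
        print(f"{pkg}-{SAMPLE_INSTALLED[pkg]} is affected; "
              f"upgrade to >={pkg}-{UNAFFECTED[pkg]}")
    if not affected:
        print("no package covered by GLSA 200805-18 is affected")
```

Run as-is it reports the constructed sample; on a real host, replace SAMPLE_INSTALLED with the versions read from /var/db/pkg. Two details of the comparison matter for this advisory: 2.0.0.9 must sort below 2.0.0.14, which a string comparison would get wrong, and the revision is compared last, so seamonkey 1.1.9 counts as affected while 1.1.9-r1 and seamonkey-bin 1.1.9 do not.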

Description
===========

The following vulnerabilities were reported in all mentioned Mozilla
products:

* Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren, and
  Paul Nickerson reported browser crashes related to JavaScript
  methods, possibly triggering memory corruption (CVE-2008-0412).

* Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown,
  Philip Taylor, and tgirmann reported crashes in the JavaScript
  engine, possibly triggering memory corruption (CVE-2008-0413).

* David Bloom discovered a vulnerability in the way images are
  treated by the browser when a user leaves a page, possibly triggering
  memory corruption (CVE-2008-0419).

* moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported a series
  of privilege escalation vulnerabilities related to JavaScript
  (CVE-2008-1233, CVE-2008-1234, CVE-2008-1235).

* Mozilla developers identified browser crashes caused by the layout
  and JavaScript engines, possibly triggering memory corruption
  (CVE-2008-1236, CVE-2008-1237).

* moz_bug_r_a4 and Boris Zbarsky discovered that pages could escape
  from their sandboxed context and run with chrome privileges, and
  inject script content into another site, violating the browser's
  same origin policy (CVE-2008-0415).

* Gerry Eisenhaur discovered a directory traversal vulnerability when
  using "flat" addons (CVE-2008-0418).

* Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu reported
  multiple character handling flaws related to the backspace character
  and the "0x80" character, involving zero-length non-ASCII sequences
  in multiple character sets, that could facilitate Cross-Site
  Scripting attacks (CVE-2008-0416).

The following vulnerability was reported in Thunderbird and SeaMonkey:

* regenrecht (via iDefense) reported a heap-based buffer overflow
  when rendering an email message with an external MIME body
  (CVE-2008-0304).

The following vulnerabilities were reported in Firefox, SeaMonkey and
XULRunner:

* The fix for CVE-2008-1237 in Firefox 2.0.0.13 and SeaMonkey 1.1.9
  introduced a new crash vulnerability (CVE-2008-1380).

* hong and Gregory Fleischer each reported a variant of earlier
  reported bugs regarding focus shifting in file input controls
  (CVE-2008-0414).

* Gynvael Coldwind (Vexillium) discovered that BMP images could be
  used to reveal uninitialized memory, and that this data could be
  extracted using a "canvas" feature (CVE-2008-0420).

* Chris Thomas reported that background tabs could create a
  borderless XUL pop-up in front of pages in other tabs
  (CVE-2008-1241).

* oo.rio.oo discovered that a plain text file with a
  "Content-Disposition: attachment" header prevents Firefox from
  rendering future plain text files within the browser (CVE-2008-0592).

* Martin Straka reported that the ".href" property of stylesheet DOM
  nodes is modified to the final URI of a 302 redirect, bypassing the
  same origin policy (CVE-2008-0593).

* Gregory Fleischer discovered that under certain circumstances,
  leading characters from the hostname part of the "Referer:" HTTP
  header are removed (CVE-2008-1238).

* Peter Brodersen and Alexander Klink reported that the browser
  automatically selected and sent a client certificate when SSL Client
  Authentication is requested by a server (CVE-2007-4879).

* Gregory Fleischer reported that web content fetched via the "jar:"
  protocol was not subject to network access restrictions
  (CVE-2008-1240).

The following vulnerabilities were reported in Firefox:

* Justin Dolske discovered a CRLF injection vulnerability when
  storing passwords (CVE-2008-0417).

* Michal Zalewski discovered that Firefox does not properly manage a
  delay timer used in confirmation dialogs (CVE-2008-0591).

* Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery
  warning dialog is not displayed if the entire contents of a web page
  are in a DIV tag that uses absolute positioning (CVE-2008-0594).

Impact
======

A remote attacker could entice a user to view a specially crafted web
page or email that will trigger one of the vulnerabilities, possibly
leading to the execution of arbitrary code or a Denial of Service. It
is also possible for an attacker to trick a user into uploading
arbitrary files when submitting a form, to corrupt saved passwords for
other sites, to steal login credentials, or to conduct Cross-Site
Scripting and Cross-Site Request Forgery attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=www-client/mozilla-firefox-2.0.0.14"

All Mozilla Firefox binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=www-client/mozilla-firefox-bin-2.0.0.14"

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=mail-client/mozilla-thunderbird-2.0.0.14"

All Mozilla Thunderbird binary users should upgrade to the latest
version:

    # emerge --sync
    # emerge -a -1 -v ">=mail-client/mozilla-thunderbird-bin-2.0.0.14"

All SeaMonkey users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=www-client/seamonkey-1.1.9-r1"

All SeaMonkey binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=www-client/seamonkey-bin-1.1.9"

All XULRunner users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.14"

NOTE: The crash vulnerability (CVE-2008-1380) is currently unfixed in
the SeaMonkey binary ebuild, as no precompiled packages have been
released. Until an update is available, we recommend that all SeaMonkey
binary users disable JavaScript, use Firefox for JavaScript-enabled
browsing, or switch to the SeaMonkey source ebuild.

References
==========

[ 1 ] CVE-2007-4879
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4879
[ 2 ] CVE-2008-0304
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0304
[ 3 ] CVE-2008-0412
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
[ 4 ] CVE-2008-0413
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0413
[ 5 ] CVE-2008-0414
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0414
[ 6 ] CVE-2008-0415
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0415
[ 7 ] CVE-2008-0416
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0416
[ 8 ] CVE-2008-0417
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0417
[ 9 ] CVE-2008-0418
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0418
[ 10 ] CVE-2008-0419
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0419
[ 11 ] CVE-2008-0420
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0420
[ 12 ] CVE-2008-0591
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0591
[ 13 ] CVE-2008-0592
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0592
[ 14 ] CVE-2008-0593
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0593
[ 15 ] CVE-2008-0594
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0594
[ 16 ] CVE-2008-1233
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1233
[ 17 ] CVE-2008-1234
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1234
[ 18 ] CVE-2008-1235
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1235
[ 19 ] CVE-2008-1236
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1236
[ 20 ] CVE-2008-1237
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1237
[ 21 ] CVE-2008-1238
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
[ 22 ] CVE-2008-1240
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1240
[ 23 ] CVE-2008-1241
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241
[ 24 ] CVE-2008-1380
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1380

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200805-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5