Gentoo Archives: gentoo-announce

From: Robert Buchholz <rbu@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200805-18 ] Mozilla products: Multiple vulnerabilities
Date: Tue, 20 May 2008 21:24:25
Message-Id: 200805202318.38564.rbu@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200805-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Mozilla products: Multiple vulnerabilities
Date: May 20, 2008
Bugs: #208128, #214816, #218065
ID: 200805-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been reported in Mozilla Firefox,
Thunderbird, SeaMonkey and XULRunner, some of which may allow
user-assisted execution of arbitrary code.

Background
==========

Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
'Mozilla Application Suite'. XULRunner is a Mozilla runtime package
that can be used to bootstrap XUL+XPCOM applications like Firefox and
Thunderbird.

Affected packages
=================

-------------------------------------------------------------------
    Package                     /  Vulnerable  /        Unaffected
-------------------------------------------------------------------
 1  mozilla-firefox                < 2.0.0.14          >= 2.0.0.14
 2  mozilla-firefox-bin            < 2.0.0.14          >= 2.0.0.14
 3  mozilla-thunderbird            < 2.0.0.14          >= 2.0.0.14
 4  mozilla-thunderbird-bin        < 2.0.0.14          >= 2.0.0.14
 5  seamonkey                      < 1.1.9-r1          >= 1.1.9-r1
 6  seamonkey-bin                  < 1.1.9             >= 1.1.9
 7  xulrunner                      < 1.8.1.14          >= 1.8.1.14
-------------------------------------------------------------------
7 affected packages on all of their supported architectures.
-------------------------------------------------------------------

Description
===========

The following vulnerabilities were reported in all mentioned Mozilla
products:

* Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren, and
  Paul Nickerson reported browser crashes related to JavaScript
  methods, possibly triggering memory corruption (CVE-2008-0412).

* Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown,
  Philip Taylor, and tgirmann reported crashes in the JavaScript
  engine, possibly triggering memory corruption (CVE-2008-0413).

* David Bloom discovered a vulnerability in the way images are
  treated by the browser when a user leaves a page, possibly triggering
  memory corruption (CVE-2008-0419).

* moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported a series
  of privilege escalation vulnerabilities related to JavaScript
  (CVE-2008-1233, CVE-2008-1234, CVE-2008-1235).

* Mozilla developers identified browser crashes caused by the layout
  and JavaScript engines, possibly triggering memory corruption
  (CVE-2008-1236, CVE-2008-1237).

* moz_bug_r_a4 and Boris Zbarsky discovered that pages could escape
  from their sandboxed context and run with chrome privileges, and inject
  script content into another site, violating the browser's same origin
  policy (CVE-2008-0415).

* Gerry Eisenhaur discovered a directory traversal vulnerability when
  using "flat" addons (CVE-2008-0418).

* Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu reported
  multiple character handling flaws related to the backspace character,
  the "0x80" character, involving zero-length non-ASCII sequences in
  multiple character sets, that could facilitate Cross-Site Scripting
  attacks (CVE-2008-0416).

The following vulnerability was reported in Thunderbird and SeaMonkey:

* regenrecht (via iDefense) reported a heap-based buffer overflow
  when rendering an email message with an external MIME body
  (CVE-2008-0304).

The following vulnerabilities were reported in Firefox, SeaMonkey and
XULRunner:

* The fix for CVE-2008-1237 in Firefox 2.0.0.13 and SeaMonkey 1.1.9
  introduced a new crash vulnerability (CVE-2008-1380).

* hong and Gregory Fleischer each reported a variant on earlier
  reported bugs regarding focus shifting in file input controls
  (CVE-2008-0414).

* Gynvael Coldwind (Vexillium) discovered that BMP images could be
  used to reveal uninitialized memory, and that this data could be
  extracted using a "canvas" feature (CVE-2008-0420).

* Chris Thomas reported that background tabs could create a
  borderless XUL pop-up in front of pages in other tabs
  (CVE-2008-1241).

* oo.rio.oo discovered that a plain text file with a
  "Content-Disposition: attachment" prevents Firefox from rendering
  future plain text files within the browser (CVE-2008-0592).

* Martin Straka reported that the ".href" property of stylesheet DOM
  nodes is modified to the final URI of a 302 redirect, bypassing the
  same origin policy (CVE-2008-0593).

* Gregory Fleischer discovered that under certain circumstances,
  leading characters from the hostname part of the "Referer:" HTTP
  header are removed (CVE-2008-1238).

* Peter Brodersen and Alexander Klink reported that the browser
  automatically selected and sent a client certificate when SSL Client
  Authentication is requested by a server (CVE-2007-4879).

* Gregory Fleischer reported that web content fetched via the "jar:"
  protocol was not subject to network access restrictions
  (CVE-2008-1240).

The following vulnerabilities were reported in Firefox:

* Justin Dolske discovered a CRLF injection vulnerability when
  storing passwords (CVE-2008-0417).

* Michal Zalewski discovered that Firefox does not properly manage a
  delay timer used in confirmation dialogs (CVE-2008-0591).

* Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery
  warning dialog is not displayed if the entire contents of a web page
  are in a DIV tag that uses absolute positioning (CVE-2008-0594).

Impact
======

A remote attacker could entice a user to view a specially crafted web
page or email that will trigger one of the vulnerabilities, possibly
leading to the execution of arbitrary code or a Denial of Service. It
is also possible for an attacker to trick a user into uploading arbitrary
files when submitting a form, to corrupt saved passwords for other
sites, to steal login credentials, or to conduct Cross-Site Scripting
and Cross-Site Request Forgery attacks.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=www-client/mozilla-firefox-2.0.0.14"

All Mozilla Firefox binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=www-client/mozilla-firefox-bin-2.0.0.14"

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=mail-client/mozilla-thunderbird-2.0.0.14"

All Mozilla Thunderbird binary users should upgrade to the latest
version:

    # emerge --sync
    # emerge -a -1 -v ">=mail-client/mozilla-thunderbird-bin-2.0.0.14"

All SeaMonkey users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=www-client/seamonkey-1.1.9-r1"

All SeaMonkey binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask -1 -v ">=www-client/seamonkey-bin-1.1.9"

All XULRunner users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.14"

NOTE: The crash vulnerability (CVE-2008-1380) is currently unfixed in
the SeaMonkey binary ebuild, as no precompiled packages have been
released. Until an update is available, we recommend that all SeaMonkey
users disable JavaScript, use Firefox for JavaScript-enabled
browsing, or switch to the SeaMonkey source ebuild.

References
==========

[ 1 ] CVE-2007-4879
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4879
[ 2 ] CVE-2008-0304
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0304
[ 3 ] CVE-2008-0412
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412
[ 4 ] CVE-2008-0413
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0413
[ 5 ] CVE-2008-0414
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0414
[ 6 ] CVE-2008-0415
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0415
[ 7 ] CVE-2008-0416
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0416
[ 8 ] CVE-2008-0417
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0417
[ 9 ] CVE-2008-0418
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0418
[ 10 ] CVE-2008-0419
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0419
[ 11 ] CVE-2008-0420
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0420
[ 12 ] CVE-2008-0591
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0591
[ 13 ] CVE-2008-0592
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0592
[ 14 ] CVE-2008-0593
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0593
[ 15 ] CVE-2008-0594
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0594
[ 16 ] CVE-2008-1233
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1233
[ 17 ] CVE-2008-1234
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1234
[ 18 ] CVE-2008-1235
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1235
[ 19 ] CVE-2008-1236
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1236
[ 20 ] CVE-2008-1237
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1237
[ 21 ] CVE-2008-1238
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238
[ 22 ] CVE-2008-1240
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1240
[ 23 ] CVE-2008-1241
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241
[ 24 ] CVE-2008-1380
       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1380

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200805-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2008 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
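
Added example (not part of the advisory and not Gentoo's own tooling): a Python check of a package inventory against the thresholds in the Affected packages table, including the SeaMonkey case where 1.1.9 is unaffected for the binary package but the source package needs 1.1.9-r1. The version comparison is a simplified assumption that handles only dotted numbers and -rN revisions; the SAMPLE inventory and the app-misc/example entry are constructed.

```python
import re

# Fixed versions copied from the advisory's "Affected packages" table,
# keyed by the category/package atoms used in its Resolution section.
FIXED_IN = {
    "www-client/mozilla-firefox": "2.0.0.14",
    "www-client/mozilla-firefox-bin": "2.0.0.14",
    "mail-client/mozilla-thunderbird": "2.0.0.14",
    "mail-client/mozilla-thunderbird-bin": "2.0.0.14",
    "www-client/seamonkey": "1.1.9-r1",
    "www-client/seamonkey-bin": "1.1.9",
    "net-libs/xulrunner": "1.8.1.14",
}

# Assumption: suffixes such as _rc1 and leading-zero components are rejected.
_VERSION = re.compile(r"^((?:0|[1-9]\d*)(?:\.(?:0|[1-9]\d*))*)(?:-r(\d+))?$")

def parse_version(version):
    """Turn '1.1.9-r1' into ((1, 1, 9), 1); a missing revision counts as r0."""
    match = _VERSION.match(version)
    if match is None:
        raise ValueError(f"unsupported version syntax: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2) or 0)

def is_vulnerable(package, installed):
    """True when the installed version is below the advisory's fixed version."""
    fixed = FIXED_IN.get(package)
    if fixed is None:
        return False  # package is not covered by GLSA 200805-18
    return parse_version(installed) < parse_version(fixed)

def audit(inventory):
    """Return the sorted atoms in {atom: version} that still need the upgrade."""
    return sorted(pkg for pkg, ver in inventory.items() if is_vulnerable(pkg, ver))

# Constructed inventory for illustration, not taken from a real host.
SAMPLE = {
    "www-client/mozilla-firefox": "2.0.0.13",
    "mail-client/mozilla-thunderbird": "2.0.0.14",
    "www-client/seamonkey": "1.1.9",
    "www-client/seamonkey-bin": "1.1.9",
    "net-libs/xulrunner": "1.8.1.9",
    "app-misc/example": "0.1",
}

if __name__ == "__main__":
    for pkg in audit(SAMPLE):
        print(f"{pkg}-{SAMPLE[pkg]}: upgrade to >={pkg}-{FIXED_IN[pkg]}")
```

Components are compared as integers, so xulrunner 1.8.1.9 sorts below 1.8.1.14 even though a plain string comparison would put it above.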
