Bug 58569 (CVE-2004-0762)

Summary: VUL-0: CVE-2004-0762: Mozilla SOAP integer overflow
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Wolfgang Rosenauer <stark>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: qa-bugs, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0762: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2004-0597:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 58312, 58791, 59040    
Bug Blocks:    

Description Sebastian Krahmer 2004-08-06 17:07:10 UTC 
Date: Mon, 2 Aug 2004 14:50:39 -0400
From: idlabs-advisories@idefense.com
Reply-To: customerservice@idefense.com
To: idlabs-advisories@idefense.com
Subject: [Full-Disclosure] iDEFENSE Security Advisory 08.02.04:
    Netscape/Mozilla SOAPParameter Constructor Integer Overflow
    Vulnerability

Netscape/Mozilla SOAPParameter Constructor Integer Overflow
Vulnerability
www.idefense.com/application/poi/display?id=117&type=vulnerabilities
August 2, 2004

iDEFENSE Security Advisory 08.02.04:

I. BACKGROUND

SOAP is an XML-based messaging protocol which defines a set of rules for
structuring messages, and can be used for web based applications.

II. DESCRIPTION

Improper input validation to the SOAPParameter object constructor in
Netscape and Mozilla allows execution of arbitrary code.

The SOAPParameter object's constructor contains an integer overflow
which allows controllable heap corruption.

A web page can be constructed to leverage this into remote execution of
arbitrary code.

III. ANALYSIS

Successful exploitation allows the remote attacker to execute arbitrary
code in the context of the user running the browser.

IV. DETECTION

Netscape version 7.0 and 7.1 have been confirmed to be vulnerable.
Mozilla 1.6 is also vulnerable to this issue. It is suspected that
earlier versions of both browsers may also be vulnerable.

Netscape 7.1 is the latest version of Netscape available. Netscape have
not released any information indicating they are intending to release
future versions of the Netscape browser, and no longer have any
developers working on this project.

The latest release of the Mozilla browser, 1.7.1, is not affected by
this vulnerability. The Mozilla browser may be considered as an
alternative to Netscape.

V. WORKAROUNDS

Disable Javascript in the browser.

Consider upgrading to the latest version of Mozilla.

VI. VENDOR RESPONSE

Mozilla 1.7.1 is available for download at:

http://www.mozilla.org/products/mozilla1.x/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0722 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

01/17/2004   Exploit acquired by iDEFENSE.
03/05/2004   Bug sent to Netscape Security Bug form at
             http://cgi.netscape.com/cgi-bin/bug-security.cgi
03/05/2004   Bug entered into bugzilla.mozilla.org 
             http://bugzilla.mozilla.org/show_bug.cgi?id=236618
03/05/2004   iDEFENSE clients notified
07/09/2004   Patch submitted into Mozilla source tree.
             http://bugzilla.mozilla.org/show_bug.cgi?id=236618#c22
08/02/2004   Public disclosure

IX. CREDIT

zen-parse (zen-parse at gmx.net) is credited with this discovery.

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Comment 1 Sebastian Krahmer 2004-08-06 17:07:10 UTC 
<!-- SBZ_reproduce  -->
...
Comment 2 Wolfgang Rosenauer 2004-08-06 17:15:51 UTC 
I have a mozilla 1.4.1 package (which is almost 1.4.3) with the following fixes:

  CAN-2004-0597
  CAN-2004-0718
  CAN-2004-0722 (#43569)
  CAN-2004-0757
  CAN-2004-0758
  CAN-2004-0759
  CAN-2004-0760
  CAN-2004-0761
  CAN-2004-0762
  CAN-2004-0763 (#43312)
  CAN-2004-0764
  CAN-2004-0765

that means the following status for this bug:

8.1   ready
8.2   ?
9.0   ready
9.1   ready
SLES8 ready
SLEC  ready
SLES9 ready
Comment 3 Sebastian Krahmer 2004-08-06 17:18:05 UTC 
great, so only SL 8.2 is left. Iam writing laufzettel.
Comment 4 Wolfgang Rosenauer 2004-08-06 17:30:07 UTC 
There is already a laufzettel for the other security thing.
Could you please consolidate with Thomas Biege?
We need only one Laufzettel IMHO.
Comment 5 Wolfgang Rosenauer 2004-08-06 17:32:21 UTC 
the problem for SLES9 at this time is that I don't have an overview anymore
which security-fixes we need in. We have a few in our bugzilla but the list
above is valid for mozilla 1.6, too.
So security-team should write up a list which fixes are needed for 1.6 (and
perhaps help me a bit to get them in the 1.6 sources.
Comment 6 Sebastian Krahmer 2004-08-06 17:40:49 UTC 
Hm I just took over the incident managment this week, Thomas,
which cases havbeen there with mozilla and SLES9 ?
Comment 7 Sebastian Krahmer 2004-08-06 17:46:29 UTC 
I merged the LZ's.
Comment 8 Thomas Biege 2004-08-06 18:27:21 UTC 
comment #6, i just made bug 58312 but it includes patchinfos with a full list 
of bugs. maybe it's a good idea to open a new bug entry for all bugs and make 
the other a duplicate of the new one.
Comment 9 Wolfgang Rosenauer 2004-08-06 18:41:10 UTC 
for completeness:
http://bugzilla.mozilla.org/show_bug.cgi?id=236618
Comment 10 Sebastian Krahmer 2004-08-10 20:47:02 UTC 
Last status from Wolfgang:

8.1 / SLES8 / SLEC / 9.0 (Mozilla 1.4.1)
fertig, eingecheckt und in QA. Das Patchinfo für Box ist noch nicht
abgegeben, weil 9.1 und 8.2! noch fehlt.

9.1 / SLES9 (Mozilla 1.6)
bis auf den einen Patch alles vorhanden, wobei der Build-Test noch nicht
fertig ist.

9.0 / 9.1 (Firefox)
Paket fertig, Freigabe von aj für Versionsupdate aber leider noch keine
gute Lösung für das xhost Problem.

8.2 (Mozilla 1.2.1) 
kein Paket, da 1.2.1 Patches "almost impossible"

Uns fehlt also für 8.2 eine Lösung.
Sowie beim 1.6 das Problem mit obigem Patch.
Comment 11 Thomas Biege 2004-08-31 22:59:15 UTC 
We will close it. Almost all mozilla/firebird packages are released now.
Comment 12 Thomas Biege 2009-10-13 20:31:22 UTC 
CVE-2004-0762: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)