Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2004-0909: new problems in mozilla | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | qa-bugs, security-team, stark |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-0909: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | 60856 | | |
| Bug Blocks: | | | |
Description
Sebastian Krahmer
2004-09-20 21:30:42 UTC
... OK, please let me know which bugs you want to have fixed in 1.4.x based products and which in 1.6 based ones. Please, please, don't say "all" ;-) The list in the URL above should list all fixed bugs which could be of interest. The following list is already stripped down to those which affect us:

http://bugzilla.mozilla.org/show_bug.cgi?id=258005
http://bugzilla.mozilla.org/show_bug.cgi?id=257523
http://bugzilla.mozilla.org/show_bug.cgi?id=253942
http://bugzilla.mozilla.org/show_bug.cgi?id=257314
http://bugzilla.mozilla.org/show_bug.cgi?id=255067
http://bugzilla.mozilla.org/show_bug.cgi?id=250862
http://bugzilla.mozilla.org/show_bug.cgi?id=256316
( http://bugzilla.mozilla.org/show_bug.cgi?id=245066
http://bugzilla.mozilla.org/show_bug.cgi?id=226669 )

Please note that the security bug which was discussed on Heise about cookie sending to wrong servers is not fixed for mozilla and there is ongoing discussion in bugzilla.mozilla.org (don't know the number now).

Please note that I'm on vacation this week and can't do much work therefore. But I will prepare the easier 1.4.x packages soon. We have to check 1.6 if the available patches work for the 1.6 tree.

For the record: the cookie thing is: http://bugzilla.mozilla.org/show_bug.cgi?id=252342

I have a patch for mozilla 1.4.x ready which fixes the following ones: 258005 257314 255067. I don't know if the other ones are not fixed in CVS or they are not needed for this code-base. How to proceed?

From the security bugs (those except the ones in brackets), everything except 253942 looks important enough for a fix to me.

I have just submitted the 1.4.x versions for 8.1 (SLES8) 8.2 9.0 SLEC. 1.6 packages make much more work than I can do in my vacation. So this can be "tried" next week. Thanks.

The CANs are included below. I'll be adding other advisory references soon.
Notice the MERGE of the heap-based overflows into a single CAN. This
is one of the quirks of CVE's content decisions that only makes sense
when you take a macro-level look at it.
- Steve
======================================================
Candidate: CAN-2004-0902
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0902
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=258005
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=245066
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=226669
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=256316
Reference: CERT-VN:VU#327560
Reference: CERT-VN:VU#125776
Reference: CERT-VN:VU#808216
Reference: CERT:TA04-261A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA04-261A.html
Multiple heap-based buffer overflows in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via (1) the "Send page" functionality, (2) certain responses from a malicious POP3 server, or (3) a link containing a non-ASCII hostname.
======================================================
Candidate: CAN-2004-0903
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0903
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=257314
Reference: CERT:TA04-261A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA04-261A.html
Reference: CERT-VN:VU#414240
Reference: URL:http://www.kb.cert.org/vuls/id/414240
Stack-based buffer overflow in the writeGroup function in nsVCardObj.cpp for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to execute arbitrary code via malformed VCard attachments that are not properly handled when previewing a message.
======================================================
Candidate: CAN-2004-0904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0904
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=255067
Reference: CERT:TA04-261A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA04-261A.html
Reference: CERT-VN:VU#847200
Reference: URL:http://www.kb.cert.org/vuls/id/847200
Integer overflow in the bitmap (BMP) decoder for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to execute arbitrary code via wide bitmap files that trigger heap-based buffer overflows.
======================================================
Candidate: CAN-2004-0905
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0905
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=250862
Reference: CERT-VN:VU#651928
Reference: URL:http://www.kb.cert.org/vuls/id/651928
Reference: CERT:TA04-261A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA04-261A.html
Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to perform cross-domain scripting and possibly execute arbitrary code by convincing a user to drag javascript: links to a frame or page in another domain.
======================================================
Candidate: CAN-2004-0906
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0906
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=235781
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=231083
Reference: CERT-VN:VU#653160
Reference: URL:http://www.kb.cert.org/vuls/id/653160
Reference: BID:11192
Reference: URL:http://www.securityfocus.com/bid/11192
Reference: XF:mozilla-insecure-file-permissions(17375)
Reference: URL:http://xforce.iss.net/xforce/xfdb/17375
Reference: MISC:http://secunia.com/advisories/12526/
The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code.
======================================================
Candidate: CAN-2004-0907
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0907
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=254303
The Linux install .tar.gz archives for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 create certain files with insecure permissions, which could allow local users to overwrite those files and execute arbitrary code.
======================================================
Candidate: CAN-2004-0908
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0908
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=257523
Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows untrusted Javascript code to read and write to the clipboard, and possibly obtain sensitive information, via Ctrl-Ins events.
======================================================
Candidate: CAN-2004-0909
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0909
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=253942
Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 may allow remote attackers to trick users into performing unexpected actions, including installing software, via signed scripts that request enhanced abilities using the enablePrivilege parameter, then modify the meaning of certain security-relevant dialog messages.
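The CAN-2004-0904 entry above describes the failure mode behind the BMP fix: a "wide" bitmap whose dimensions make the buffer-size arithmetic wrap, so the decoder allocates far less than a row needs and then overruns the heap. The C below is an added illustration for this thread, not Mozilla's decoder and not code from the original bug report: it puts the unchecked 32-bit stride computation beside a hardened version that bounds the BITMAPINFOHEADER fields, does the arithmetic in 64 bits and rejects anything outside a budget before the allocator is reached. The dimension and byte limits, the header builder and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unchecked pattern: the row stride is computed as a 32-bit product.
 * width * bpp can wrap modulo 2^32, so an attacker-chosen width yields a
 * tiny (even zero) stride; a decoder that allocates from it and then writes
 * a full row of pixels overruns the heap buffer. */
uint32_t naive_bmp_row_bytes(uint32_t width, uint32_t bpp) {
    uint32_t bits = width * bpp;        /* may wrap */
    return ((bits + 31) / 32) * 4;      /* BMP rows are padded to 4 bytes */
}

/* Hardened pattern: bound every header field, do the arithmetic in 64 bits,
 * and reject anything outside the budget before calling the allocator.
 * Returns 0 on rejection, otherwise the exact pixel-buffer size in bytes. */
size_t checked_bmp_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    const uint64_t max_dim   = 1u << 16;     /* 65536 px per side: an assumed limit */
    const uint64_t max_bytes = 256u << 20;   /* 256 MiB in total: an assumed limit */
    if (width == 0 || height == 0 || width > max_dim || height > max_dim)
        return 0;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return 0;
    uint64_t row_bits  = (uint64_t)width * bpp;         /* <= 2^21, cannot wrap */
    uint64_t row_bytes = ((row_bits + 31) / 32) * 4;
    uint64_t total     = row_bytes * height;             /* <= 2^37, fits in 64 bits */
    if (total > max_bytes)
        return 0;
    return (size_t)total;
}

/* Little-endian field readers for the 40-byte BITMAPINFOHEADER. */
static uint32_t rd_u32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_u16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse biWidth (offset 4), biHeight (offset 8) and biBitCount (offset 14)
 * and return the validated buffer size, or 0 if the header must be rejected.
 * A negative height means a top-down bitmap; its magnitude is the row count. */
size_t bmp_pixel_bytes_from_header(const uint8_t *hdr, size_t len) {
    if (len < 40 || rd_u32(hdr) < 40)     /* biSize must cover the header */
        return 0;
    int32_t  w   = (int32_t)rd_u32(hdr + 4);
    int32_t  h   = (int32_t)rd_u32(hdr + 8);
    uint16_t bpp = rd_u16(hdr + 14);
    if (w <= 0 || h == 0 || h == INT32_MIN)
        return 0;
    uint32_t height = (h < 0) ? (uint32_t)(-h) : (uint32_t)h;
    return checked_bmp_pixel_bytes((uint32_t)w, height, bpp);
}

/* Build a constructed header (no file, no pixel data) and size it. */
size_t demo_header_size(uint32_t w, uint32_t h, uint16_t bpp) {
    uint8_t hdr[40];
    memset(hdr, 0, sizeof hdr);
    hdr[0] = 40;                                   /* biSize */
    for (int i = 0; i < 4; i++) {
        hdr[4 + i] = (uint8_t)(w >> (8 * i));      /* biWidth, little-endian */
        hdr[8 + i] = (uint8_t)(h >> (8 * i));      /* biHeight */
    }
    hdr[14] = (uint8_t)bpp;                        /* biBitCount */
    hdr[15] = (uint8_t)(bpp >> 8);
    return bmp_pixel_bytes_from_header(hdr, sizeof hdr);
}

int main(void) {
    uint32_t wide = 0x40000000u;   /* constructed "wide bitmap" width */
    printf("naive stride for width 0x%x at 32 bpp: %u bytes (wrapped to zero)\n",
           wide, naive_bmp_row_bytes(wide, 32));
    printf("checked size for the same header: %zu (0 = rejected)\n",
           demo_header_size(wide, 1, 32));
    printf("checked size for 100x100 at 24 bpp: %zu\n", demo_header_size(100, 100, 24));
    return 0;
}
```

The point of the hardened path is that the limits are checked on the header values themselves, before any multiplication, so the later products are provably in range and the allocator is never asked for a wrapped size; a decoder that only checks the final product after computing it in 32 bits has already lost the information it needs.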
OK, I have integrated all patches into our 1.6 package now and will test it soon. There are two things left:

http://bugzilla.mozilla.org/show_bug.cgi?id=253942 this seems to only affect Windows? Can someone confirm this? The patch does not fit into the 1.6 codebase so it would be cool if we could omit it.

http://bugzilla.mozilla.org/show_bug.cgi?id=256316 The patch does change the Normalize() method which doesn't exist in 1.6. Don't know if we need this at all. Can someone please have a look at it?

The patch for http://bugzilla.mozilla.org/show_bug.cgi?id=246448 seems to be broken. We have several bug reports for the last security update. It fixes the security problem but created some new crasher bugs. I have to review it again before we can ship the new update.

I was able to fix our introduced crasher bug with the last security update. It was not the mentioned patch but another one causing this. Now we have only the following left: http://bugzilla.mozilla.org/show_bug.cgi?id=253942 http://bugzilla.mozilla.org/show_bug.cgi?id=256316 Please tell me how to proceed.

So, if I understand correctly all except SL9.1 and SLES9 are fixed now, and there only the 2 bugs are open? The first one doesn't look very important but the second one (heap overflow) should somehow be fixed. Might be I understood it wrong.

You understood correctly. Only the 9.1/SLES9 packages are still missing and they are ready except these two patches which need more manual work. So I will try to find a way for the second now and will inform you about progress. Thanks.

OK, after looking at the code changes I had the suspicion that 1.6 is not affected. And really it isn't! So I think we can submit the new package. I'm doing so now.

Please provide the laufzettel and the patchinfo. And please note the bugfix for #45856 too.

Provided laufzettels (have been checked in already). ... package is now in maintenance queue...

Wolfgang, I really do not dare to ask, but what about the other Mozilla browsers (FireFox / FireBird ?)

What do you want me to do? Backport the patches to 0.9.3 versions? Or create 0.9.99 based on 0.10? I think that backporting should be possible this time.

Please do a backport if possible.

I've just submitted firefox for 9.0 and 9.1 with the following patches:

* Wrong file permissions after installing - #231083, #235781
* Javascript: link dragging - #250862
* Privilege request confusion - #253942
* BMP integer overflow - #255067
* non-ascii char in URL leads to heap overrun - #256316
* Javascript clipboard access - #257523
* Downloading link deletes files - #259708 (SUSE #46687)

All others (mentioned on mozilla.org/security) do not affect firefox. This contains the last security bugfix introduced with 0.10.1 (last one in list).

Please provide the patchinfo.

Thanks, all mozilla and MozillaFirefox are fixed now and should contain all security-fixes which were announced from mozilla.org.

Can you please close this when all mozilla updates have been approved by you.

Advisory has been released.

CVE-2004-0909: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)