Bug 74445 (CVE-2005-0593)

Summary: VUL-0: CVE-2005-0593: current mozilla upgrade (1.7.7 / 1.0.3)
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: Incidents
Assignee: Wolfgang Rosenauer <wolfgang.rosenauer>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: All
Whiteboard: CVE-2005-0593: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2004-0906:4.6:(AV:L/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2005-03-24 11:16:01 UTC
Hello Wolfgang. The following text is from a redhat advisory. Can you please 
check when time permits whether we fixed all of the serious issues? 
 
A buffer overflow bug was found in the way Mozilla processes GIF images. It 
is possible for an attacker to create a specially crafted GIF image, which 
when viewed by a victim will execute arbitrary code as the victim. The 
Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned 
the name CAN-2005-0399 to this issue. 
 
A bug was found in the way Mozilla displays dialog windows. It is possible 
that a malicious web page which is being displayed in a background tab 
could present the user with a dialog window appearing to come from the 
active page. The Common Vulnerabilities and Exposures project 
(cve.mitre.org) has assigned the name CAN-2004-1380 to this issue. 
 
A bug was found in the way Mozilla allowed plug-ins to load privileged 
content into a frame. It is possible that a malicious webpage could trick a 
user into clicking in certain places to modify configuration settings or 
execute arbitrary code. The Common Vulnerabilities and Exposures project 
(cve.mitre.org) has assigned the name CAN-2005-0232 to this issue. 
 
A bug was found in the way Mozilla Mail handles cookies when loading 
content over HTTP regardless of the user's preference. It is possible that 
a particular user could be tracked through the use of malicious mail 
messages which load content over HTTP. The Common Vulnerabilities and 
Exposures project (cve.mitre.org) has assigned the name CAN-2005-0149 to 
this issue. 
 
A bug was found in the way Mozilla responds to proxy auth requests. It is 
possible for a malicious webserver to steal credentials from a victim's 
browser by issuing a 407 proxy authentication request. The Common 
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name 
CAN-2005-0147 to this issue. 
 
A bug was found in the way Mozilla handles certain start tags followed by a 
NULL character. A malicious web page could cause Mozilla to crash when 
viewed by a victim. The Common Vulnerabilities and Exposures project 
(cve.mitre.org) has assigned the name CAN-2004-1613 to this issue. 
 
A bug was found in the way Mozilla sets file permissions when installing 
XPI packages. It is possible for an XPI package to install some files 
world readable or writable, allowing a malicious local user to steal 
information or execute arbitrary code. The Common Vulnerabilities and 
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0906 to 
this issue. 
 
A bug was found in the way Mozilla loads links in a new tab which are 
middle clicked. A malicious web page could read local files or modify 
privileged chrome settings. The Common Vulnerabilities and Exposures project 
(cve.mitre.org) has assigned the name CAN-2005-0141 to this issue. 
 
A bug was found in the way Mozilla displays the secure site icon. A 
malicious web page can use a view-source URL targeted at a secure page, 
while loading an insecure page, yet the secure site icon shows the previous 
secure state. The Common Vulnerabilities and Exposures project 
(cve.mitre.org) has assigned the name CAN-2005-0144 to this issue. 
 
A flaw was found in the way Firefox displays international domain names. It 
is possible for an attacker to display a valid URL, tricking the user into 
thinking they are viewing a legitimate webpage when they are not. 
(CAN-2005-0233) 
 
A bug was found in the way Firefox handles pop-up windows. It is possible 
for a malicious website to control the content in an unrelated site's 
pop-up window. (CAN-2004-1156) 
 
A bug was found in the way Mozilla displays the secure site icon. A 
malicious web page can display the secure site icon by loading a binary 
file from a secured site. (CAN-2005-0143) 
 
A bug was found in the way Firefox displays the download dialog window. A 
malicious site can obfuscate the content displayed in the source field, 
tricking a user into thinking they are downloading content from a trusted 
source. (CAN-2005-0585)
Comment 1 Wolfgang Rosenauer 2005-03-24 11:35:15 UTC
would it be OK to use
http://www.mozilla.org/projects/security/known-vulnerabilities.html as reference?

In that case let me handle Firefox first: (all are based on 1.0.1 and so
contain all fixes up to 1.0.1 at least)
9.3: all fixed
9.2, 9.1, 9.0, NLD: 
missing: MFSA 2005-32 (CAN-2005-0401)

Update requested?

mozilla and Thunderbird will follow soon.
Comment 2 Marcus Meissner 2005-03-24 11:58:59 UTC
 
Err, the GIF overflow bug is not fixed either, right? This is more 
troublesome. (MFSA-2005-30) 
Comment 3 Wolfgang Rosenauer 2005-03-24 12:07:33 UTC
the GIF overflow bug is fixed with latest updates ;-) see changes and source code
Comment 4 Marcus Meissner 2005-03-24 12:12:28 UTC
I do not see it in the 9.2 firefox changes 
in /work/SRC/old-versions/9.2/all/MozillaFirefox/. at least not as such. 
 
 
but I think this bug is about mozilla ;) 
Comment 5 Wolfgang Rosenauer 2005-03-24 12:46:29 UTC
Sat Mar 12 13:00:23 CET 2005 - stark@suse.de

- more security-fixes from 1.0.1 branch (including
  bmo #284551, #284627, #285595)

#285595 is the GIF overflow. And there is not much documentation because it was
confidential at this time.
This bug I think is for mozilla, MozillaFirefox and MozillaThunderbird as parts
of the bugs are sharing the same code for all of them.
Comment 6 Marcus Meissner 2005-03-24 13:35:45 UTC
Wolfgang, 
 
we have not yet released the mozilla suite updates for the IDN and 
other problems. 
 
Are the autobuild versions of the mozilla suite version up to date? 
 
Use this prio list: 
 
- make sure mozilla suite versions are up to date in abuild, so we can 
  release updates. (excepting sles9 currently) 
- make sure Thunderbird versions are up to date in abuild, I think we need to 
  release updates. 
- make sure firefox is up to date. 
Comment 7 Wolfgang Rosenauer 2005-03-24 13:47:38 UTC
Thanks for the list.
One more question: Would it be an option to make version upgrades for thunderbird?
I don't know yet if we can easily fix the 0.8 version.
For Firefox only MFSA 2005-32 (CAN-2005-0401) is missing. So this should follow
for all releases (except 9.3)?
Comment 8 Ludwig Nussel 2005-03-29 09:58:59 UTC
Summary by Gentoo, contains more CAN numbers: 
 
* Mark Dowd from ISS X-Force reported an exploitable heap overrun in 
  the GIF processing of obsolete Netscape extension 2 (CAN-2005-0399) 
 
* Michael Krax reported that plugins can be used to load privileged 
  content and trick the user to interact with it (CAN-2005-0232, 
  CAN-2005-0527) 
 
* Michael Krax also reported potential spoofing or 
  cross-site-scripting issues through overlapping windows, image or 
  scrollbar drag-and-drop, and by dropping javascript: links on tabs 
  (CAN-2005-0230, CAN-2005-0231, CAN-2005-0401, CAN-2005-0591) 
 
* Daniel de Wildt and Gael Delalleau discovered a memory overwrite in 
  a string library (CAN-2005-0255) 
 
* Wind Li discovered a possible heap overflow in UTF8 to Unicode 
  conversion (CAN-2005-0592) 
 
* Eric Johanson reported that Internationalized Domain Name (IDN) 
  features allow homograph attacks (CAN-2005-0233) 
 
* Mook, Doug Turner, Kohei Yoshino and M. Deaudelin reported various 
  ways of spoofing the SSL "secure site" indicator (CAN-2005-0593) 
 
* Georgi Guninski discovered that XSLT can include stylesheets from 
  arbitrary hosts (CAN-2005-0588) 
 
* Secunia discovered a way of injecting content into a popup opened 
  by another website (CAN-2004-1156) 
 
* Phil Ringnalda reported a possible way to spoof Install source with 
  user:pass@host (CAN-2005-0590) 
 
* Jakob Balle from Secunia discovered a possible way of spoofing the 
  Download dialog source (CAN-2005-0585) 
 
* Christian Schmidt reported a potential spoofing issue in HTTP auth 
  prompt tab (CAN-2005-0584) 
 
* Finally, Tavis Ormandy of the Gentoo Linux Security Audit Team 
  discovered that Mozilla insecurely creates temporary filenames in 
  /tmp/plugtmp (CAN-2005-0578) 
Comment 9 Michael Schröder 2005-03-30 14:53:37 UTC
All mozillas checked in... except the 9.1 one, which wasn't submitted. 
Wolfgang, doesn't the 9.1 also need the patch? 
Comment 10 Wolfgang Rosenauer 2005-03-30 17:04:50 UTC
thanks, 9.1/SLES9/NLD will follow (hopefully) tomorrow. It's the most complex
one because it's based on an unmaintained version. Most probably we have to
leave some less important fixes out from the 9.1 version. I still hope that we
get a version upgrade with SP2.
Comment 11 Marcus Meissner 2005-04-27 16:11:48 UTC
Status: 
 
We have shipped updates for: 
 
firefox: all affected 
mozilla suite: 9.2 and 9.3 
 
Missing: 8.2, 9.0, 9.1, suse linux desktop 1, sles 8. 
Comment 12 Marcus Meissner 2005-08-11 14:33:37 UTC
released. 
Comment 13 Thomas Biege 2009-10-13 21:13:29 UTC
CVE-2005-0593: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)