Bugzilla – Bug 58569
VUL-0: CVE-2004-0762: Mozilla SOAP integer overflow
Last modified: 2021-10-02 09:47:43 UTC
Date: Mon, 2 Aug 2004 14:50:39 -0400 From: idlabs-advisories@idefense.com Reply-To: customerservice@idefense.com To: idlabs-advisories@idefense.com Subject: [Full-Disclosure] iDEFENSE Security Advisory 08.02.04: Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability www.idefense.com/application/poi/display?id=117&type=vulnerabilities August 2, 2004 iDEFENSE Security Advisory 08.02.04: I. BACKGROUND SOAP is an XML-based messaging protocol which defines a set of rules for structuring messages, and can be used for web based applications. II. DESCRIPTION Improper input validation to the SOAPParameter object constructor in Netscape and Mozilla allows execution of arbitrary code. The SOAPParameter object's constructor contains an integer overflow which allows controllable heap corruption. A web page can be constructed to leverage this into remote execution of arbitrary code. III. ANALYSIS Successful exploitation allows the remote attacker to execute arbitrary code in the context of the user running the browser. IV. DETECTION Netscape version 7.0 and 7.1 have been confirmed to be vulnerable. Mozilla 1.6 is also vulnerable to this issue. It is suspected that earlier versions of both browsers may also be vulnerable. Netscape 7.1 is the latest version of Netscape available. Netscape have not released any information indicating they are intending to release future versions of the Netscape browser, and no longer have any developers working on this project. The latest release of the Mozilla browser, 1.7.1, is not affected by this vulnerability. The Mozilla browser may be considered as an alternative to Netscape. V. WORKAROUNDS Disable Javascript in the browser. Consider upgrading to the latest version of Mozilla. VI. VENDOR RESPONSE Mozilla 1.7.1 is available for download at: http://www.mozilla.org/products/mozilla1.x/ VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0722 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 01/17/2004 Exploit acquired by iDEFENSE. 03/05/2004 Bug sent to Netscape Security Bug form at http://cgi.netscape.com/cgi-bin/bug-security.cgi 03/05/2004 Bug entered into bugzilla.mozilla.org http://bugzilla.mozilla.org/show_bug.cgi?id=236618 03/05/2004 iDEFENSE clients notified 07/09/2004 Patch submitted into Mozilla source tree. http://bugzilla.mozilla.org/show_bug.cgi?id=236618#c22 08/02/2004 Public disclosure IX. CREDIT zen-parse (zen-parse at gmx.net) is credited with this discovery. X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
<!-- SBZ_reproduce --> ...
I have a mozilla 1.4.1 package (which is almost 1.4.3) with the following fixes: CAN-2004-0597 CAN-2004-0718 CAN-2004-0722 (#43569) CAN-2004-0757 CAN-2004-0758 CAN-2004-0759 CAN-2004-0760 CAN-2004-0761 CAN-2004-0762 CAN-2004-0763 (#43312) CAN-2004-0764 CAN-2004-0765 that means the following status for this bug: 8.1 ready 8.2 ? 9.0 ready 9.1 ready SLES8 ready SLEC ready SLES9 ready
great, so only SL 8.2 is left. Iam writing laufzettel.
There is already a laufzettel for the other security thing. Could you please consolidate with Thomas Biege? We need only one Laufzettel IMHO.
the problem for SLES9 at this time is that I don't have an overview anymore which security-fixes we need in. We have a few in our bugzilla but the list above is valid for mozilla 1.6, too. So security-team should write up a list which fixes are needed for 1.6 (and perhaps help me a bit to get them in the 1.6 sources.
Hm I just took over the incident managment this week, Thomas, which cases havbeen there with mozilla and SLES9 ?
I merged the LZ's.
comment #6, i just made bug 58312 but it includes patchinfos with a full list of bugs. maybe it's a good idea to open a new bug entry for all bugs and make the other a duplicate of the new one.
for completeness: http://bugzilla.mozilla.org/show_bug.cgi?id=236618
Last status from Wolfgang: 8.1 / SLES8 / SLEC / 9.0 (Mozilla 1.4.1) fertig, eingecheckt und in QA. Das Patchinfo für Box ist noch nicht abgegeben, weil 9.1 und 8.2! noch fehlt. 9.1 / SLES9 (Mozilla 1.6) bis auf den einen Patch alles vorhanden, wobei der Build-Test noch nicht fertig ist. 9.0 / 9.1 (Firefox) Paket fertig, Freigabe von aj für Versionsupdate aber leider noch keine gute Lösung für das xhost Problem. 8.2 (Mozilla 1.2.1) kein Paket, da 1.2.1 Patches "almost impossible" Uns fehlt also für 8.2 eine Lösung. Sowie beim 1.6 das Problem mit obigem Patch.
We will close it. Almost all mozilla/firebird packages are released now.
CVE-2004-0762: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)