Bugzilla – Bug 60640
VUL-0: CVE-2004-0909: new problems in mozilla
Last modified: 2021-09-27 09:04:56 UTC
Sorry, I am missing the initial mail, please add more valuable info if you have it handy:

Date: Fri, 17 Sep 2004 21:59:20 +0200
From: Wolfgang Rosenauer <stark@suse.de>
Reply-To: security-team@suse.de
To: Marcus Meissner <meissner@suse.de>
Cc: security-team@suse.de
Subject: [security-team] Re: Mozilla Security

On 2004-09-17 at 13:10:35 +0200, Marcus Meissner wrote (shortened):
> There is a new (?) Mozilla security problem again.
>
> Does it affect us?

At least for the SLES9 version (1.6) we are probably affected by all of the ones listed at http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3. STABLE is fixed. To what extent the 1.4.x versions are affected I cannot say that easily. Some of them are in there in any case and were also fixed by Christopher Aillon from RedHat in the 1.4 branch. We could most likely jump on that and take care of the 1.4-based products. The SLES9 version gives me a headache, though. The last security update is not exactly stable with regard to JavaScript. There are several Bugzilla entries for that. If we have to backport all of that again, I would need some help. (I am also on vacation next week.)

CU, Wolfgang
OK, please let me know which bugs you want to have fixed in 1.4.x based products and which in 1.6 based ones. Please, please, don't say "all" ;-)

The list in the URL above should list all fixed bugs which could be of interest. The following list is already stripped down to those which affect us:

http://bugzilla.mozilla.org/show_bug.cgi?id=258005
http://bugzilla.mozilla.org/show_bug.cgi?id=257523
http://bugzilla.mozilla.org/show_bug.cgi?id=253942
http://bugzilla.mozilla.org/show_bug.cgi?id=257314
http://bugzilla.mozilla.org/show_bug.cgi?id=255067
http://bugzilla.mozilla.org/show_bug.cgi?id=250862
http://bugzilla.mozilla.org/show_bug.cgi?id=256316
( http://bugzilla.mozilla.org/show_bug.cgi?id=245066
http://bugzilla.mozilla.org/show_bug.cgi?id=226669 )

Please note that the security bug which was discussed on Heise about cookies being sent to the wrong servers is not fixed for Mozilla and there is an ongoing discussion in bugzilla.mozilla.org (don't know the number now).

Please note that I'm on vacation this week and therefore can't do much work. But I will prepare the easier 1.4.x packages soon. We have to check 1.6 to see if the available patches work for the 1.6 tree.
for the record: the cookie thing is: http://bugzilla.mozilla.org/show_bug.cgi?id=252342
I have a patch for mozilla 1.4.x ready which fixes the following ones: 258005, 257314, 255067. I don't know if the other ones are not fixed in CVS or are not needed for this code base. How to proceed?
From the security bugs (those except the ones in brackets), everything except 253942 looks important enough for a fix to me.
I have just submitted the 1.4.x versions for 8.1 (SLES8), 8.2, 9.0, SLEC.

1.6 packages are much more work than I can do during my vacation. So this can be "tried" next week.
Thanks.
The CANs are included below. I'll be adding other advisory references soon. Notice the MERGE of the heap-based overflows into a single CAN. This is one of the quirks of CVE's content decisions that only makes sense when you take a macro-level look at it.

- Steve

======================================================
Candidate: CAN-2004-0902
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0902
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=258005
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=245066
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=226669
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=256316
Reference: CERT-VN:VU#327560
Reference: CERT-VN:VU#125776
Reference: CERT-VN:VU#808216
Reference: CERT:TA04-261A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA04-261A.html

Multiple heap-based buffer overflows in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via (1) the "Send page" functionality, (2) certain responses from a malicious POP3 server, or (3) a link containing a non-ASCII hostname.

======================================================
Candidate: CAN-2004-0903
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0903
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=257314
Reference: CERT:TA04-261A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA04-261A.html
Reference: CERT-VN:VU#414240
Reference: URL:http://www.kb.cert.org/vuls/id/414240

Stack-based buffer overflow in the writeGroup function in nsVCardObj.cpp for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to execute arbitrary code via malformed VCard attachments that are not properly handled when previewing a message.

======================================================
Candidate: CAN-2004-0904
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0904
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=255067
Reference: CERT:TA04-261A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA04-261A.html
Reference: CERT-VN:VU#847200
Reference: URL:http://www.kb.cert.org/vuls/id/847200

Integer overflow in the bitmap (BMP) decoder for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to execute arbitrary code via wide bitmap files that trigger heap-based buffer overflows.

======================================================
Candidate: CAN-2004-0905
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0905
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=250862
Reference: CERT-VN:VU#651928
Reference: URL:http://www.kb.cert.org/vuls/id/651928
Reference: CERT:TA04-261A
Reference: URL:http://www.us-cert.gov/cas/techalerts/TA04-261A.html

Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to perform cross-domain scripting and possibly execute arbitrary code by convincing a user to drag javascript: links to a frame or page in another domain.

======================================================
Candidate: CAN-2004-0906
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0906
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=235781
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=231083
Reference: CERT-VN:VU#653160
Reference: URL:http://www.kb.cert.org/vuls/id/653160
Reference: BID:11192
Reference: URL:http://www.securityfocus.com/bid/11192
Reference: XF:mozilla-insecure-file-permissions(17375)
Reference: URL:http://xforce.iss.net/xforce/xfdb/17375
Reference: MISC:http://secunia.com/advisories/12526/

The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code.

======================================================
Candidate: CAN-2004-0907
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0907
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=254303

The Linux install .tar.gz archives for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 create certain files with insecure permissions, which could allow local users to overwrite those files and execute arbitrary code.

======================================================
Candidate: CAN-2004-0908
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0908
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=257523

Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows untrusted Javascript code to read and write to the clipboard, and possibly obtain sensitive information, via Ctrl-Ins events.

======================================================
Candidate: CAN-2004-0909
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0909
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20040923
Category: SF
Reference: CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Reference: CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=253942

Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 may allow remote attackers to trick users into performing unexpected actions, including installing software, via signed scripts that request enhanced abilities using the enablePrivilege parameter, then modify the meaning of certain security-relevant dialog messages.
OK, I have integrated all patches into our 1.6 package now and will test it soon. There are two things left:

http://bugzilla.mozilla.org/show_bug.cgi?id=253942
This seems to only affect Windows? Can someone confirm this? The patch does not fit into the 1.6 codebase so it would be cool if we could omit it.

http://bugzilla.mozilla.org/show_bug.cgi?id=256316
The patch changes the Normalize() method which doesn't exist in 1.6. Don't know if we need this at all. Can someone please have a look at it?

The patch for http://bugzilla.mozilla.org/show_bug.cgi?id=246448 seems to be broken. We have several bug reports for the last security update. It fixes the security problem but created some new crasher bugs. I have to review it again before we can ship the new update.
I was able to fix the crasher bug we introduced with the last security update. It was not the mentioned patch but another one causing this. Now we have only the following left:

http://bugzilla.mozilla.org/show_bug.cgi?id=253942
http://bugzilla.mozilla.org/show_bug.cgi?id=256316

Please tell me how to proceed.
So, if I understand correctly, all except SL9.1 and SLES9 are fixed now, and there only the 2 bugs are open? The first one doesn't look very important but the second one (heap overflow) should somehow be fixed. Might be I understood it wrong.
You understood correctly. Only the 9.1/SLES9 packages are still missing and they are ready except these two patches which need more manual work. So I will try to find a way for the second now and will inform you about progress.
OK, after looking at the code changes I had the suspicion that 1.6 is not affected. And really it isn't! So I think we can submit the new package. I'm doing so now. Please provide the laufzettel and the patchinfo.
and please note the bugfix for #45856 too.
provided laufzettels (have been checked in already). ... package is now in maintenance queue... Wolfgang, I really do not dare to ask, but what about the other Mozilla browsers (FireFox / FireBird ?)
What do you want me to do? Backport the patches to the 0.9.3 versions? Or create 0.9.99 based on 0.10? I think that backporting should be possible this time.
please do a backport if possible.
I've just submitted firefox for 9.0 and 9.1 with the following patches:

* Wrong file permissions after installing - #231083, #235781
* Javascript: link dragging - #250862
* Privilege request confusion - #253942
* BMP integer overflow - #255067
* non-ascii char in URL leads to heap overrun - #256316
* Javascript clipboard access - #257523
* Downloading link deletes files - #259708 (SUSE #46687)

All others (mentioned on mozilla.org/security) do not affect firefox. This contains the last security bugfix introduced with 0.10.1 (last one in the list). Please provide the patchinfo. Thanks
all mozilla and MozillaFirefox are fixed now and should contain all security-fixes which were announced from mozilla.org
can you please close this when all mozilla updates have been approved by you
Advisory has been released.
CVE-2004-0909: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)