Bugzilla – Bug 74445
VUL-0: CVE-2005-0593: current mozilla upgrade (1.7.7 / 1.0.3)
Last modified: 2021-10-27 16:00:29 UTC
Hello Wolfgang. The following text is from a Red Hat advisory. Can you please check when time permits whether we fixed all of the serious issues?

A buffer overflow bug was found in the way Mozilla processes GIF images. It is possible for an attacker to create a specially crafted GIF image, which when viewed by a victim will execute arbitrary code as the victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0399 to this issue.

A bug was found in the way Mozilla displays dialog windows. It is possible that a malicious web page which is being displayed in a background tab could present the user with a dialog window appearing to come from the active page. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1380 to this issue.

A bug was found in the way Mozilla allowed plug-ins to load privileged content into a frame. It is possible that a malicious web page could trick a user into clicking in certain places to modify configuration settings or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0232 to this issue.

A bug was found in the way Mozilla Mail handles cookies when loading content over HTTP regardless of the user's preference. It is possible that a particular user could be tracked through the use of malicious mail messages which load content over HTTP. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0149 to this issue.

A bug was found in the way Mozilla responds to proxy auth requests. It is possible for a malicious web server to steal credentials from a victim's browser by issuing a 407 proxy authentication request. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0147 to this issue.

A bug was found in the way Mozilla handles certain start tags followed by a NULL character. A malicious web page could cause Mozilla to crash when viewed by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1613 to this issue.

A bug was found in the way Mozilla sets file permissions when installing XPI packages. It is possible for an XPI package to install some files world readable or writable, allowing a malicious local user to steal information or execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0906 to this issue.

A bug was found in the way Mozilla loads links in a new tab which are middle-clicked. A malicious web page could read local files or modify privileged chrome settings. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0141 to this issue.

A bug was found in the way Mozilla displays the secure site icon. A malicious web page can use a view-source URL targeted at a secure page, while loading an insecure page, yet the secure site icon shows the previous secure state. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-0144 to this issue.

A flaw was found in the way Firefox displays international domain names. It is possible for an attacker to display a valid URL, tricking the user into thinking they are viewing a legitimate web page when they are not. (CAN-2005-0233)

A bug was found in the way Firefox handles pop-up windows. It is possible for a malicious website to control the content in an unrelated site's pop-up window. (CAN-2004-1156)

A bug was found in the way Mozilla displays the secure site icon. A malicious web page can display the secure site icon by loading a binary file from a secured site. (CAN-2005-0143)

A bug was found in the way Firefox displays the download dialog window. A malicious site can obfuscate the content displayed in the source field, tricking a user into thinking they are downloading content from a trusted source. (CAN-2005-0585)
Would it be OK to use http://www.mozilla.org/projects/security/known-vulnerabilities.html as reference? In that case let me handle Firefox first (all are based on 1.0.1 and so contain all fixes up to 1.0.1 at least):
- 9.3: all fixed
- 9.2, 9.1, 9.0, NLD: missing MFSA 2005-32 (CAN-2005-0401). Update requested?
Mozilla and Thunderbird will follow soon.
Err, the GIF overflow bug is not fixed either, right? This is more troublesome. (MFSA-2005-30)
The GIF overflow bug is fixed with the latest updates ;-) See the changes and source code.
I do not see it in the 9.2 Firefox changes in /work/SRC/old-versions/9.2/all/MozillaFirefox/, at least not as such. But I think this bug is about mozilla ;)
Sat Mar 12 13:00:23 CET 2005 - stark@suse.de
- more security-fixes from 1.0.1 branch (including bmo #284551, #284627, #285595)

#285595 is the GIF overflow. And there is not much documentation because it was confidential at this time. This bug I think is for mozilla, MozillaFirefox and MozillaThunderbird, as parts of the bugs are sharing the same code for all of them.
Wolfgang, we have not yet released the mozilla suite updates for the IDN and other problems. Are the autobuild versions of the mozilla suite up to date? Use this prio list:
- make sure mozilla suite versions are up to date in abuild, so we can release updates (excepting sles9 currently)
- make sure Thunderbird versions are up to date in abuild, I think we need to release updates
- make sure Firefox is up to date
Thanks for the list. One more question: would it be an option to make version upgrades for Thunderbird? I don't know yet if we can easily fix the 0.8 version. For Firefox only MFSA 2005-32 (CAN-2005-0401) is missing. So this should follow for all releases (except 9.3)?
Summary by Gentoo, contains more CAN numbers:
* Mark Dowd from ISS X-Force reported an exploitable heap overrun in the GIF processing of obsolete Netscape extension 2 (CAN-2005-0399)
* Michael Krax reported that plugins can be used to load privileged content and trick the user to interact with it (CAN-2005-0232, CAN-2005-0527)
* Michael Krax also reported potential spoofing or cross-site-scripting issues through overlapping windows, image or scrollbar drag-and-drop, and by dropping javascript: links on tabs (CAN-2005-0230, CAN-2005-0231, CAN-2005-0401, CAN-2005-0591)
* Daniel de Wildt and Gael Delalleau discovered a memory overwrite in a string library (CAN-2005-0255)
* Wind Li discovered a possible heap overflow in UTF8 to Unicode conversion (CAN-2005-0592)
* Eric Johanson reported that Internationalized Domain Name (IDN) features allow homograph attacks (CAN-2005-0233)
* Mook, Doug Turner, Kohei Yoshino and M. Deaudelin reported various ways of spoofing the SSL "secure site" indicator (CAN-2005-0593)
* Georgi Guninski discovered that XSLT can include stylesheets from arbitrary hosts (CAN-2005-0588)
* Secunia discovered a way of injecting content into a popup opened by another website (CAN-2004-1156)
* Phil Ringnalda reported a possible way to spoof Install source with user:pass@host (CAN-2005-0590)
* Jakob Balle from Secunia discovered a possible way of spoofing the Download dialog source (CAN-2005-0585)
* Christian Schmidt reported a potential spoofing issue in HTTP auth prompt tab (CAN-2005-0584)
* Finally, Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that Mozilla insecurely creates temporary filenames in /tmp/plugtmp (CAN-2005-0578)
All mozillas checked in... except the 9.1 one, which wasn't submitted. Wolfgang, doesn't 9.1 also need the patch?
Thanks, 9.1/SLES9/NLD will follow (hopefully) tomorrow. It's the most complex one because it's based on an unmaintained version. Most probably we have to leave some less important fixes out of the 9.1 version. I still hope that we get a version upgrade with SP2.
Status: We have shipped updates for:
- firefox: all affected
- mozilla suite: 9.2 and 9.3
Missing: 8.2, 9.0, 9.1, suse linux desktop 1, sles 8.
Released.
CVE-2005-0593: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)