Bug 75692 - (CVE-2005-1160) VUL-0: CVE-2005-1160: severe security bugs in mozilla/firefox
Status: RESOLVED FIXED
Duplicates: 79005
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: SUSE Other
Priority: P5 - None  Severity: Critical
Target Milestone: ---
Assigned To: Wolfgang Rosenauer
QA Contact: Security Team bot
Whiteboard: CVE-2005-1160: CVSS v2 Base Score: 5....
Depends on:
Blocks:
Reported: 2005-04-02 10:41 UTC by Wolfgang Rosenauer
Modified: 2021-11-08 10:29 UTC (History)
CC: 2 users

See Also:
Found By: Third Party Developer/Partner
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Wolfgang Rosenauer 2005-04-02 10:41:50 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=288688
https://bugzilla.mozilla.org/show_bug.cgi?id=288608

allows reading arbitrary chunks of memory. Not much control over what
you get, but snippets of urls and page contents (including gmail, for
example) that might prove valuable. chrome urls and property files have
shown up, too, presumably a password would end up in there sooner or later.

https://bugzilla.mozilla.org/show_bug.cgi?id=288556
A "manual" plugin install can run javascript w/chrome privs.
Comment 1 Wolfgang Rosenauer 2005-04-02 10:43:42 UTC
more description:

A) Bug #288556: "Manual plug-in install, javascript vulnerability"
Description: Manual plug-in install can run JavaScript w/ chrome privileges
(e.g. change user's homepage).
Assessment: dveditz. Highly Critical.  Warrants respin.
Reporter: Omar Khan; mromarkhan@gmail.com
security

B) Bug #288688: "Access memory vulnerability"
Description:  Reading of arbitrary chunks of memory. Not much control over what
you get, but snippets of urls and page contents (including gmail, for example)
can be recorded that might prove valuable. chrome urls and property files have
shown up, too, presumably a password would end up in there sooner or later.
Assessment: dveditz. tbd.  Does not warrant respin
Reporter: http://cubic.xfo.org.ru/firefox-bug/index.html; Vladimir V.
Perepelista, inthrax@list.ru
Public
Comment 2 Wolfgang Rosenauer 2005-04-02 10:47:07 UTC
mozilla.org will release a firefox 1.0.3 version and mozilla 1.7.7.
For mozilla we should leave our version numbers IMHO but I expect that NLD team
will want anyway for Firefox the version 1.0.3. Version change approved for SUSE
Linux?
Comment 3 Wolfgang Rosenauer 2005-04-02 10:51:33 UTC
firefox 1.0.3 only has 4 bugs fixed (the two above, 1 only for MacOS X and one
in the installer (which we don't use)). So no more changes which could break
anything.
Comment 4 Marcus Meissner 2005-04-04 09:48:06 UTC
swampid: 809 
Comment 5 Marcus Meissner 2005-04-04 10:06:04 UTC
i am using this patchinfo text: 
This update contains the security fixes done for Mozilla Firefox 1.0.3 
release, including: 
 
- A flaw in the JavaScript regular expression handling of Mozilla-based
  browsers can lead to disclosure of browser memory, potentially exposing
  private data from webpages viewed or passwords or similar data sent 
  to other webpages. 
  This flaw could also crash the browser. 
 
- With manual plugin install it was possible for the plugin to execute
  javascript code with the installing user's privileges.
DESCRIPTION_DE:
This update contains the security fixes for the Mozilla Firefox
1.0.3 release, in particular:

- A flaw in Mozilla's JavaScript regular expressions implementation
  allows browser memory to be read, which potentially allows remote
  attackers, by means of specially crafted web pages, to read private
  data from the user's other Mozilla windows / websites.
  The browser can also crash because of this flaw.

- With manual plugin installation it was possible for the plugin to
  execute JavaScript code with the user's privileges.
 
Comment 6 Wolfgang Rosenauer 2005-04-06 04:28:44 UTC
we will get more security fixes within the update:
For now:
https://bugzilla.mozilla.org/show_bug.cgi?id=244177
"nsScanner::Append() can overwrite the storage in the buffer it allocates."

current CVE mapping:
CAN-2005-0751 Mozilla bug 244177
CAN-2005-0752 Mozilla bug 288556

Firefox 1.0.3 and 1.1 have been postponed because of 7 new bug reports concerning
security bugs.
Comment 7 Wolfgang Rosenauer 2005-04-07 05:43:28 UTC
CAN-2005-0989  Mozilla bug 288688
Comment 8 Wolfgang Rosenauer 2005-04-16 19:33:22 UTC
OK, here is a list of the security bugs fixed in firefox 1.0.3 and mozilla 1.7.7:

MFSA 2005-33 Javascript "lambda" replace exposes memory contents CAN-2005-0989
MFSA 2005-34 javascript: PLUGINSPAGE code execution CAN-2005-0752
MFSA 2005-35 Showing blocked javascript: popup uses wrong privilege context
MFSA 2005-36 Cross-site scripting through global scope pollution
MFSA 2005-37 Code execution through javascript: favicons
MFSA 2005-38 Search plugin cross-site scripting
MFSA 2005-39 Arbitrary code execution from Firefox sidebar panel II
MFSA 2005-40 Missing Install object instance checks
MFSA 2005-41 Privilege escalation via DOM property overrides
Comment 9 Wolfgang Rosenauer 2005-04-16 19:50:47 UTC
I still don't know if I am allowed to make a version upgrade for 9.0-9.3.
Andreas?
Then we would have two more possibilities:
1. just exchange the source archive for older version
2. move all previous packages to current (read 9.3) package with
   all improvements we made
Comment 10 Wolfgang Rosenauer 2005-04-16 20:12:28 UTC
Kelli, we have the fixed version already checked in for NLD SP2.
How to proceed in terms of the security fix before SP2?
We could just release the current SP2 package before SP2 or we could just take
the 1.0.3 sources but without all our improvements around the package for SP2.
Comment 11 Andreas Jaeger 2005-04-17 06:13:57 UTC
Regarding #9 and SUSE Linux: You're allowed to do the upgrade and I propose to
use 2.
Comment 12 Marcus Meissner 2005-04-18 10:48:14 UTC
andreas, can we upgrade the mozilla suite packages too where possible? 
Comment 13 Andreas Jaeger 2005-04-18 11:45:20 UTC
Let's just not do more than *one* version update every 6 months.  So, if you
think it's needed now to make your life easier for the next 6 months, then go ahead.
Comment 14 Wolfgang Rosenauer 2005-04-18 12:06:55 UTC
thanks Andreas. The point here is that we would like to update the 9.1 version
from 1.6 to 1.7.7. If we do this, it might be good to have the later versions on
1.7.7 in addition. In fact it doesn't make much difference code-wise. If we
would take all security fixes between 1.7.2 or 1.7.5 we shipped we have almost
1.7.7 anyway. It's only a matter of testing the dependencies.
Comment 15 Marcus Meissner 2005-04-18 12:18:13 UTC
the 9.1/sles9 version upgrade was already approved by both rf and aj. 
 
 
I think we can leave mozilla of the other products at their current version 
for now and save the upgrade option for some later time. 
Comment 16 Marcus Meissner 2005-04-19 13:38:04 UTC
will use this patchinfo description: 
This update contains the security fixes done for Mozilla Firefox 1.0.3 
release, including: 
 
- MFSA 2005-33,CAN-2005-0989: 
  A flaw in the JavaScript regular expression handling of Mozilla-based
  browsers can lead to disclosure of browser memory, potentially exposing
  private data from webpages viewed or passwords or similar data sent 
  to other webpages. 
  This flaw could also crash the browser. 
 
- MFSA 2005-34,CAN-2005-0752: 
  With manual plugin install it was possible for the plugin to execute
  javascript code with the installing user's privileges.
 
- MFSA 2005-35,CAN-2005-1153: 
  Showing blocked javascript: popup uses wrong privilege context, this 
  could be used for a privilege escalation (installing malicious plugins). 
 
- MFSA 2005-36,CAN-2005-1154: 
  Cross-site scripting through global scope pollution, this could 
  lead to an attacker being able to run code in foreign websites context, 
  potentially sniffing information or performing actions in that context. 
 
- MFSA 2005-37,CAN-2005-1155,"firelinking": 
  Code execution through javascript: favicons, which could be used 
  for a privilege escalation. 
 
- MFSA 2005-38,CAN-2005-1157,CAN-2005-1156,"firesearching": 
  Search plugin cross-site scripting. 
 
- MFSA 2005-39,CAN-2005-1158: 
  Arbitrary code execution from Firefox sidebar panel II. 
 
- MFSA 2005-40,CAN-2005-1159: 
  Missing Install object instance checks. 
 
- MFSA 2005-41,CAN-2005-1160: 
  Privilege escalation via DOM property overrides. 
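
As an added example (not part of this bug, the SUSE patchinfo tooling, or Mozilla's advisories), the following Python turns the "- MFSA ...,CAN-...:" bullet format of the patchinfo text above into structured records and checks an installed version against the fixed releases named in this bug (Firefox 1.0.3, Mozilla suite 1.7.7). It also answers the question this bug's own title raises: the report uses the CVE-2005-1160 form while the patchinfo uses CAN-2005-1160, so the lookup treats the two prefixes as equivalent. The sample patchinfo text is constructed from three of the entries above; the function names, the `FIXED_IN` table and the CAN/CVE equivalence are my assumptions, not something the patchinfo format defines.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the patchinfo bullet format used in this bug
# (assumption: one "- MFSA ...:" header line per entry, followed by
# indented summary lines, entries separated by blank lines).
PATCHINFO = """\
- MFSA 2005-33,CAN-2005-0989:
  A flaw in the JavaScript regular expression handling of Mozilla-based
  browsers can lead to disclosure of browser memory.
  This flaw could also crash the browser.

- MFSA 2005-38,CAN-2005-1157,CAN-2005-1156,"firesearching":
  Search plugin cross-site scripting.

- MFSA 2005-41,CAN-2005-1160:
  Privilege escalation via DOM property overrides.
"""

# Header line: "- MFSA YYYY-NN" followed by comma-separated CAN/CVE ids and
# optional quoted nicknames, terminated by a colon.
HEADER_RE = re.compile(r'^- (MFSA \d{4}-\d+)((?:,[^:]+)*):\s*$')
CVE_ID_RE = re.compile(r'(CAN|CVE)-\d{4}-\d+')

# Releases that carry the MFSA 2005-33..41 fixes, as stated in this bug.
FIXED_IN = {"firefox": (1, 0, 3), "mozilla": (1, 7, 7)}


@dataclass
class Advisory:
    mfsa: str
    cves: list = field(default_factory=list)
    nicknames: list = field(default_factory=list)
    summary: str = ""


def parse_patchinfo(text):
    """Parse patchinfo bullets into Advisory records (hypothetical helper)."""
    advisories = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Advisory(m.group(1))
            advisories.append(current)
            # group(2) starts with a comma, so the first split element is empty
            for tag in m.group(2).split(",")[1:]:
                tag = tag.strip()
                if CVE_ID_RE.fullmatch(tag):
                    current.cves.append(tag)
                else:
                    current.nicknames.append(tag.strip('"'))
        elif current is not None and line.startswith("  "):
            # Continuation lines are joined into a single summary string
            current.summary = (current.summary + " " + line.strip()).strip()
    return advisories


def normalize_cve(cve_id):
    """Treat the old CAN- candidate prefix and CVE- as the same identifier."""
    return cve_id.upper().replace("CAN-", "CVE-")


def find_by_cve(advisories, cve_id):
    """Return the advisory covering a CVE id, or None if it is not listed."""
    wanted = normalize_cve(cve_id)
    for adv in advisories:
        if any(normalize_cve(c) == wanted for c in adv.cves):
            return adv
    return None


def parse_version(version):
    """'1.7.7' -> (1, 7, 7); non-numeric parts are ignored."""
    return tuple(int(p) for p in re.findall(r'\d+', version))


def is_affected(product, version):
    """True if the installed version predates the fixed release for the product."""
    fixed = FIXED_IN[product.lower()]
    v = parse_version(version)
    v = v + (0,) * (len(fixed) - len(v))  # pad '1.6' to (1, 6, 0)
    return v < fixed


if __name__ == "__main__":
    advs = parse_patchinfo(PATCHINFO)
    for adv in advs:
        print(adv.mfsa, adv.cves, adv.nicknames, "-", adv.summary)
    print("CVE-2005-1160 ->", find_by_cve(advs, "CVE-2005-1160").mfsa)
    print("firefox 1.0.2 affected:", is_affected("firefox", "1.0.2"))
    print("mozilla 1.7.7 affected:", is_affected("mozilla", "1.7.7"))
```

The version check is deliberately coarse: it only answers whether a build predates the release that carries the fixes, which is what the patchinfo text asserts. Distribution packages that backport fixes without bumping the upstream version (the option discussed in comments 9 through 15) would need a package-level check instead.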
 
Comment 17 Wolfgang Rosenauer 2005-04-21 05:44:04 UTC
*** Bug 79005 has been marked as a duplicate of this bug. ***
Comment 18 Marcus Meissner 2005-04-28 09:15:16 UTC
most mozillas fixed, rest is mentioned in tracking bug 
Comment 19 Thomas Biege 2009-10-13 21:15:10 UTC
CVE-2005-1160: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)