1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
|
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="200805-18">
<title>Mozilla products: Multiple vulnerabilities</title>
<synopsis>
Multiple vulnerabilities have been reported in Mozilla Firefox,
Thunderbird, SeaMonkey and XULRunner, some of which may allow user-assisted
execution of arbitrary code.
</synopsis>
<product type="ebuild">mozilla-firefox mozilla-firefox-bin seamonkey seamonkey-bin mozilla-thunderbird mozilla-thunderbird-bin xulrunner</product>
<announced>2008-05-20</announced>
<revised count="01">2008-05-20</revised>
<bug>208128</bug>
<bug>214816</bug>
<bug>218065</bug>
<access>remote</access>
<affected>
<package name="www-client/mozilla-firefox" auto="yes" arch="*">
<unaffected range="ge">2.0.0.14</unaffected>
<vulnerable range="lt">2.0.0.14</vulnerable>
</package>
<package name="www-client/mozilla-firefox-bin" auto="yes" arch="*">
<unaffected range="ge">2.0.0.14</unaffected>
<vulnerable range="lt">2.0.0.14</vulnerable>
</package>
<package name="mail-client/mozilla-thunderbird" auto="yes" arch="*">
<unaffected range="ge">2.0.0.14</unaffected>
<vulnerable range="lt">2.0.0.14</vulnerable>
</package>
<package name="mail-client/mozilla-thunderbird-bin" auto="yes" arch="*">
<unaffected range="ge">2.0.0.14</unaffected>
<vulnerable range="lt">2.0.0.14</vulnerable>
</package>
<package name="www-client/seamonkey" auto="yes" arch="*">
<unaffected range="ge">1.1.9-r1</unaffected>
<vulnerable range="lt">1.1.9-r1</vulnerable>
</package>
<package name="www-client/seamonkey-bin" auto="yes" arch="*">
<unaffected range="ge">1.1.9</unaffected>
<vulnerable range="lt">1.1.9</vulnerable>
</package>
<package name="net-libs/xulrunner" auto="yes" arch="*">
<unaffected range="ge">1.8.1.14</unaffected>
<vulnerable range="lt">1.8.1.14</vulnerable>
</package>
</affected>
<background>
<p>
Mozilla Firefox is an open-source web browser and Mozilla Thunderbird
an open-source email client, both from the Mozilla Project. The
SeaMonkey project is a community effort to deliver production-quality
releases of code derived from the application formerly known as the
'Mozilla Application Suite'. XULRunner is a Mozilla runtime package
that can be used to bootstrap XUL+XPCOM applications like Firefox and
Thunderbird.
</p>
</background>
<description>
<p>
The following vulnerabilities were reported in all mentioned Mozilla
products:
</p>
<ul>
<li>
Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren, and Paul
Nickerson reported browser crashes related to JavaScript methods,
possibly triggering memory corruption (CVE-2008-0412).
</li>
<li>
Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown,
Philip Taylor, and tgirmann reported crashes in the JavaScript engine,
possibly triggering memory corruption (CVE-2008-0413).
</li>
<li>
David Bloom discovered a vulnerability in the way images are treated by
the browser when a user leaves a page, possibly triggering memory
corruption (CVE-2008-0419).
</li>
<li>
moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported a series of
privilege escalation vulnerabilities related to JavaScript
(CVE-2008-1233, CVE-2008-1234, CVE-2008-1235).
</li>
<li>
Mozilla developers identified browser crashes caused by the layout and
JavaScript engines, possibly triggering memory corruption
(CVE-2008-1236, CVE-2008-1237).
</li>
<li>
moz_bug_r_a4 and Boris Zbarsky discovered that pages could escape from
its sandboxed context and run with chrome privileges, and inject script
content into another site, violating the browser's same origin policy
(CVE-2008-0415).
</li>
<li>
Gerry Eisenhaur discovered a directory traversal vulnerability when
using "flat" addons (CVE-2008-0418).
</li>
<li>
Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu reported
multiple character handling flaws related to the backspace character,
the "0x80" character, involving zero-length non-ASCII sequences in
multiple character sets, that could facilitate Cross-Site Scripting
attacks (CVE-2008-0416).
</li>
</ul> <p>
The following vulnerability was reported in Thunderbird and SeaMonkey:
</p>
<ul>
<li>
regenrecht (via iDefense) reported a heap-based buffer overflow when
rendering an email message with an external MIME body (CVE-2008-0304).
</li>
</ul> <p>
The following vulnerabilities were reported in Firefox, SeaMonkey and
XULRunner:
</p>
<ul>
<li>The fix for CVE-2008-1237 in Firefox 2.0.0.13
and SeaMonkey 1.1.9 introduced a new crash vulnerability
(CVE-2008-1380).</li>
<li>hong and Gregory Fleischer each reported a
variant on earlier reported bugs regarding focus shifting in file input
controls (CVE-2008-0414).
</li>
<li>
Gynvael Coldwind (Vexillium) discovered that BMP images could be used
to reveal uninitialized memory, and that this data could be extracted
using a "canvas" feature (CVE-2008-0420).
</li>
<li>
Chris Thomas reported that background tabs could create a borderless
XUL pop-up in front of pages in other tabs (CVE-2008-1241).
</li>
<li>
oo.rio.oo discovered that a plain text file with a
"Content-Disposition: attachment" prevents Firefox from rendering
future plain text files within the browser (CVE-2008-0592).
</li>
<li>
Martin Straka reported that the ".href" property of stylesheet DOM
nodes is modified to the final URI of a 302 redirect, bypassing the
same origin policy (CVE-2008-0593).
</li>
<li>
Gregory Fleischer discovered that under certain circumstances, leading
characters from the hostname part of the "Referer:" HTTP header are
removed (CVE-2008-1238).
</li>
<li>
Peter Brodersen and Alexander Klink reported that the browser
automatically selected and sent a client certificate when SSL Client
Authentication is requested by a server (CVE-2007-4879).
</li>
<li>
Gregory Fleischer reported that web content fetched via the "jar:"
protocol was not subject to network access restrictions
(CVE-2008-1240).
</li>
</ul> <p>
The following vulnerabilities were reported in Firefox:
</p>
<ul>
<li>
Justin Dolske discovered a CRLF injection vulnerability when storing
passwords (CVE-2008-0417).
</li>
<li>
Michal Zalewski discovered that Firefox does not properly manage a
delay timer used in confirmation dialogs (CVE-2008-0591).
</li>
<li>
Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery
warning dialog is not displayed if the entire contents of a web page
are in a DIV tag that uses absolute positioning (CVE-2008-0594).
</li>
</ul>
</description>
<impact type="normal">
<p>
A remote attacker could entice a user to view a specially crafted web
page or email that will trigger one of the vulnerabilities, possibly
leading to the execution of arbitrary code or a Denial of Service. It
is also possible for an attacker to trick a user to upload arbitrary
files when submitting a form, to corrupt saved passwords for other
sites, to steal login credentials, or to conduct Cross-Site Scripting
and Cross-Site Request Forgery attacks.
</p>
</impact>
<workaround>
<p>
There is no known workaround at this time.
</p>
</workaround>
<resolution>
<p>
All Mozilla Firefox users should upgrade to the latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.14"</code>
<p>
All Mozilla Firefox binary users should upgrade to the latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.14"</code>
<p>
All Mozilla Thunderbird users should upgrade to the latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-2.0.0.14"</code>
<p>
All Mozilla Thunderbird binary users should upgrade to the latest
version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-2.0.0.14"</code>
<p>
All SeaMonkey users should upgrade to the latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.9-r1"</code>
<p>
All SeaMonkey binary users should upgrade to the latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.9"</code>
<p>
All XULRunner users should upgrade to the latest version:
</p>
<code>
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.14"</code>
<p>
NOTE: The crash vulnerability (CVE-2008-1380) is currently unfixed in
the SeaMonkey binary ebuild, as no precompiled packages have been
released. Until an update is available, we recommend all SeaMonkey
users to disable JavaScript, use Firefox for JavaScript-enabled
browsing, or switch to the SeaMonkey source ebuild.
</p>
</resolution>
<references>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4879">CVE-2007-4879</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0304">CVE-2008-0304</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0412">CVE-2008-0412</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0413">CVE-2008-0413</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0414">CVE-2008-0414</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0415">CVE-2008-0415</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0416">CVE-2008-0416</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0417">CVE-2008-0417</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0418">CVE-2008-0418</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0419">CVE-2008-0419</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0420">CVE-2008-0420</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0591">CVE-2008-0591</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0592">CVE-2008-0592</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0593">CVE-2008-0593</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0594">CVE-2008-0594</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1233">CVE-2008-1233</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1234">CVE-2008-1234</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1235">CVE-2008-1235</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1236">CVE-2008-1236</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1237">CVE-2008-1237</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1238">CVE-2008-1238</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1240">CVE-2008-1240</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1241">CVE-2008-1241</uri>
<uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1380">CVE-2008-1380</uri>
</references>
<metadata tag="submitter" timestamp="2008-03-27T03:40:04Z">
rbu
</metadata>
<metadata tag="bugReady" timestamp="2008-05-20T21:13:08Z">
rbu
</metadata>
</glsa>
|