LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: October 27th, 2014
Linux Advisory Watch: October 24th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Gentoo: Mozilla Suite, Mozilla Firefox Multiple Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Gentoo This advisory was originally released to fix the heap overflow in IDN headers. However, the official fixed release included several other security fixes as well.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [UPDATE]               GLSA 200509-11:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Suite, Mozilla Firefox: Multiple vulnerabilities
      Date: September 18, 2005
   Updated: September 29, 2005
      Bugs: #105396
        ID: 200509-11:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Update
======

This advisory was originally released to fix the heap overflow in IDN
headers. However, the official fixed release included several other
security fixes as well.

The updated sections appear below.

Synopsis
========

Mozilla Suite and Firefox are vulnerable to multiple issues, including
some that might be exploited to execute arbitrary code.

Background
==========

The Mozilla Suite is a popular all-in-one web browser that includes a
mail and news reader. Mozilla Firefox is the next-generation browser
from the Mozilla project. Gecko is the layout engine used in both
products.

Affected packages
=================

    -------------------------------------------------------------------
     Package                         /   Vulnerable   /     Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla-firefox          < 1.0.7-r2        >= 1.0.7-r2
  2  www-client/mozilla                  < 1.7.12-r2      >= 1.7.12-r2
  3  www-client/mozilla-firefox-bin        < 1.0.7            >= 1.0.7
  4  www-client/mozilla-bin               < 1.7.12           >= 1.7.12
  5  net-libs/gecko-sdk                   < 1.7.12           >= 1.7.12
    -------------------------------------------------------------------
     5 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

The Mozilla Suite and Firefox are both vulnerable to the following
issues:

* Tom Ferris reported a heap overflow in IDN-enabled browsers with
  malicious Host: headers (CAN-2005-2871).

* "jackerror" discovered a heap overrun in XBM image processing
  (CAN-2005-2701).

* Mats Palmgren reported a potentially exploitable stack corruption
  using specific Unicode sequences (CAN-2005-2702).

* Georgi Guninski discovered an integer overflow in the JavaScript
  engine (CAN-2005-2705)

* Other issues ranging from DOM object spoofing to request header
  spoofing were also found and fixed in the latest versions
  (CAN-2005-2703, CAN-2005-2704, CAN-2005-2706, CAN-2005-2707).

The Gecko engine in itself is also affected by some of these issues and
has been updated as well.

Impact
======

A remote attacker could setup a malicious site and entice a victim to
visit it, potentially resulting in arbitrary code execution with the
victim's privileges or facilitated spoofing of known websites.

Workaround
==========

There is no known workaround for all the issues.

Resolution
==========

All Mozilla Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose
">=www-client/mozilla-firefox-1.0.7-r2"

All Mozilla Suite users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.12-r2"

All Mozilla Firefox binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose
">=www-client/mozilla-firefox-bin-1.0.7"

All Mozilla Suite binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.12"

All Gecko library users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-libs/gecko-sdk-1.7.12"

References
==========

  [ 1 ] CAN-2005-2701
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2701
  [ 2 ] CAN-2005-2702
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2702
  [ 3 ] CAN-2005-2703
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2703
  [ 4 ] CAN-2005-2704
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2704
  [ 5 ] CAN-2005-2705
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2705
  [ 6 ] CAN-2005-2706
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2706
  [ 7 ] CAN-2005-2707
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2707
  [ 8 ] CAN-2005-2871
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2871
  [ 9 ] Mozilla Foundation Security Advisories
        http://www.mozilla.org/projects/security/known-vulnerabilities.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200509-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Pirate Bay founder guilty in historic hacker case
Parallels CTO: Linux container security is not the problem
Advisory says to assume all Drupal 7 websites are compromised
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.