(Gentoo Issues Fix) Thunderbird Various Overflows and Scripting Errors May Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1011369
SecurityTracker URL: http://securitytracker.com/id?1011369
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 21 2004
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): prior to 0.8

Description: Several vulnerabilities were reported in Mozilla, Thunderbird, and Firefox. In some of the vulnerabilities, a remote user may be able to execute arbitrary code on the target user's system.

The vendor and various researchers reported ten separate vulnerabilities in Mozilla, Thunderbird, and Firefox.

Georgi Guninski reported a heap overflow vulnerability in 'nsMsgCompUtils.cpp' that may allow a remote user to cause arbitrary code to be executed on the target user's computer [Known security vulnerability #93]. The "send page" function does not properly handle long HTTP URLs. Arbitrary code may be executed if a target user attempts to send an e-mail (such as forwarding a message) that contains a specially crafted link. The original bug report is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=258005

Wladimir Palant reported that a remote user can create specially crafted JavaScript code that, when executed by the target user, will be able to access the clipboard on the target user's system [Known security vulnerability #92]. The code can read from and write to the clipboard. The flaw resides in 'nsXBLPrototypeHandler.cpp'.
A demonstration exploit of reading from the clipboard is available at:
http://bugzilla.mozilla.org/attachment.cgi?id=157492&action=view
A demonstration of writing to the clipboard is available at:
http://bugzilla.mozilla.org/attachment.cgi?id=157493&action=view
The original bug report is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=257523

Jesse Ruderman reported that a remote user can create a signed script that can construct a specially crafted privilege request designed to confuse the target user into granting elevated privileges to the code [Known security vulnerability #91]. The script can invoke enablePrivilege() and supply a parameter containing spaces and English language words to alter the meaning of sentences in the dialog box.
A demonstration exploit is available at:
http://bugzilla.mozilla.org/attachment.cgi?id=154932&action=view
A demonstration exploit screenshot is available at:
http://bugzilla.mozilla.org/attachment.cgi?id=154933&action=view
The original bug report is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=253942

Georgi Guninski reported that there is a buffer overflow in the processing of VCards [Known security vulnerability #90]. A specially crafted VCard can trigger a stack overflow and execute arbitrary code when the VCard is displayed. The flaw resides in 'addrbook/src/nsVCardObj.cpp'.
A demonstration exploit VCard is available at:
http://bugzilla.mozilla.org/attachment.cgi?id=157317&action=view
The original bug report is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=257314

Gael Delalleau reported an integer overflow in the processing of BMP images [Known security vulnerability #89]. A remote user can create a specially crafted bitmap image that, when loaded by the target user, will trigger the overflow and potentially execute arbitrary code with the privileges of the target user. The original advisory is available at:
http://www.zencomsec.com/advisories/mozilla-1.7.2-BMP.txt

Jesse Ruderman also reported a cross-domain scripting vulnerability [Known security vulnerability #88]. A remote user may be able to create JavaScript links that, when dragged onto another frame or another page, will execute in the security context of the target location. If the target user drags two links in sequence into a separate window, the code may be able to launch an arbitrary program with the privileges of the target user.
The original bug report is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=250862

Mats Palmgren and Gael Delalleau reported that a remote user can create a link containing non-ASCII characters in the hostname that, when loaded by the target user, will trigger a heap buffer overflow [Known security vulnerability #87]. It may be possible to execute arbitrary code with the privileges of the target user.
The original advisory is available at:
http://www.zencomsec.com/advisories/mozilla-1.7.2-UTF8link.txt

Gael Delalleau reported that a remote POP3 mail server can send a specially crafted POP3 response to a connected client to trigger a buffer overflow and execute arbitrary code [Known security vulnerability #86].
The advisory is available at:
http://www.zencomsec.com/advisories/mozilla-1.7.2-POP3.txt
The bug reports are available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=245066
http://bugzilla.mozilla.org/show_bug.cgi?id=226669

Daniel Koukola and Andrew Schultz reported that, on Linux systems, the software may install with world-writeable and world-readable permissions [Known security vulnerability #85]. A local user can modify the files.
The original bug reports are available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=231083
http://bugzilla.mozilla.org/show_bug.cgi?id=235781

Harald Milz reported that, on Linux systems, the software may install with incorrect file owner and permission settings if the user ignores their umask setting or has an overly permissive umask setting when expanding the installation archive [Known security vulnerability #84]. A local user may be able to modify the files. The bug report is available at:
http://bugzilla.mozilla.org/show_bug.cgi?id=254303
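
The last two items (#85 and #84) both leave installed files that other local users can modify. As an added example, not part of the SecurityTracker entry or the Gentoo advisory, this shell function audits an installation tree for world-writable entries and for files not owned by the expected account. The function name, the output format and the example path are assumptions.

```shell
#!/bin/sh
# Added example: audit an unpacked or installed application tree for the
# conditions described in items #85 and #84 (files writable by other users,
# files left with an unexpected owner after the archive was expanded).
#
# Usage:   audit_install_perms DIR [OWNER]     (OWNER defaults to root)
# Example: audit_install_perms /opt/thunderbird root   # path is hypothetical
# Output:  one finding per line, "<reason><TAB><path>"
# Returns: 0 = clean, 1 = findings reported, 2 = DIR is not a directory
audit_install_perms() {
    dir=$1
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi

    findings=$(
        # Anything with the "other" write bit set. Symlinks are skipped
        # because their own mode bits are not used for access checks.
        find "$dir" ! -type l -perm -0002 \
            -exec printf 'world-writable\t%s\n' {} \;

        # Anything not owned by the expected account, for example a UID
        # carried over from the archive when it was unpacked as root.
        find "$dir" ! -type l ! -user "$owner" \
            -exec printf 'unexpected-owner\t%s\n' {} \;
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Running the check once after the archive is expanded and again after each upgrade catches a permissive umask before another local user can take advantage of it.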

Impact: A remote user can execute arbitrary code on the target user's system with the privileges of the target user.
A remote user can run scripting code in the context of an arbitrary domain.

Solution: Gentoo has released a fix and indicates that all users should upgrade to the latest stable version:
    # emerge sync
    # emerge -pv your-version
    # emerge your-version

Vendor URL: www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3

Cause: Access control error, Boundary error

Underlying OS: Linux (Gentoo)

Reported By: Thierry Carrez <koon@gentoo.org>

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Mon, 20 Sep 2004 22:52:25 +0200
From: Thierry Carrez <koon@gentoo.org>
Subject: [gentoo-announce] [ GLSA 200409-26 ] Mozilla, Firefox, Thunderbird, Epiphany: New releases

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200409-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Mozilla, Firefox, Thunderbird, Epiphany: New releases fix
vulnerabilities
Date: September 20, 2004
Bugs: #63996
ID: 200409-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

New releases of Mozilla, Epiphany, Mozilla Thunderbird, and Mozilla
Firefox fix several vulnerabilities, including the remote execution of
arbitrary code.

Background
==========

Mozilla is a popular web browser that includes a mail and newsreader.
Epiphany is a web browser that uses Gecko, the Mozilla rendering
engine. Mozilla Firefox and Mozilla Thunderbird are respectively the
next-generation browser and mail client from the Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /  Vulnerable  /  Unaffected
    -------------------------------------------------------------------
  1  mozilla                       < 1.7.3        >= 1.7.3
  2  mozilla-firefox               < 1.0_pre      >= 1.0_pre
  3  mozilla-thunderbird           < 0.8          >= 0.8
  4  mozilla-bin                   < 1.7.3        >= 1.7.3
  5  mozilla-firefox-bin           < 1.0_pre      >= 1.0_pre
  6  mozilla-thunderbird-bin       < 0.8          >= 0.8
  7  epiphany                      < 1.2.9-r1     >= 1.2.9-r1
    -------------------------------------------------------------------
     7 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Mozilla-based products are vulnerable to multiple security issues.
Firstly, routines handling the display of BMP images and VCards contain
an integer overflow and a stack buffer overrun. Specific pages with
long links, when sent using the "Send Page" function, and links with
non-ASCII hostnames could both cause heap buffer overruns.

Several issues were found and fixed in JavaScript rights handling:
untrusted script code could read and write to the clipboard, signed
scripts could build confusing grant privileges dialog boxes, and when
dragged onto trusted frames or windows, JavaScript links could access
information and rights of the target frame or window. Finally,
Mozilla-based mail clients (Mozilla and Mozilla Thunderbird) are
vulnerable to a heap overflow caused by invalid POP3 mail server
responses.

Impact
======

An attacker might be able to run arbitrary code with the rights of the
user running the software by enticing the user to perform one of the
following actions: view a specially-crafted BMP image or VCard, use the
"Send Page" function on a malicious page, follow links with malicious
hostnames, drag multiple JavaScript links in a row to another window,
or connect to an untrusted POP3 mail server. An attacker could also use
a malicious page with JavaScript to disclose clipboard contents or
abuse previously-given privileges to request XPI installation
privileges through a confusing dialog.

Workaround
==========

There is no known workaround covering all vulnerabilities.

Resolution
==========

All users should upgrade to the latest stable version:

    # emerge sync
    # emerge -pv your-version
    # emerge your-version

References
==========

  [ 1 ] Mozilla Security Advisory
        http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
  [ 2 ] US-CERT Security Alert TA04-261A
        http://www.us-cert.gov/cas/techalerts/TA04-261A.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200409-26.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBT0MJvcL1obalX08RAo0VAKCJut9PsDZ+w7+rmTBe4QBSsMwLDACfZ0fN
sdTphivV2rgS3nbS4wC416Y=
=O5VM
-----END PGP SIGNATURE-----