Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200409-26 ] Mozilla, Firefox, Thunderbird, Epiphany: New releases fix vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Moderator
Moderator


Joined: 13 Jun 2003
Posts: 4078
Location: Barcelona, Spain

PostPosted: Mon Sep 20, 2004 9:23 pm    Post subject: [ GLSA 200409-26 ] Mozilla, Firefox, Thunderbird, Epiphany: Reply with quote

Gentoo Linux Security Advisory

Title: Mozilla, Firefox, Thunderbird, Epiphany: New releases fix vulnerabilities (GLSA 200409-26)
Severity: normal
Exploitable: remote
Date: September 20, 2004
Updated: December 30, 2007
Bug(s): #63996
ID: 200409-26

Synopsis

New releases of Mozilla, Epiphany, Mozilla Thunderbird, and Mozilla Firefox fix several vulnerabilities, including the remote execution of arbitrary code.

Background

Mozilla is a popular web browser that includes a mail and newsreader. Epiphany is a web browser that uses Gecko, the Mozilla rendering engine. Mozilla Firefox and Mozilla Thunderbird are respectively the next-generation browser and mail client from the Mozilla project.

Affected Packages

Package: www-client/mozilla
Vulnerable: < 1.7.3
Unaffected: >= 1.7.3
Architectures: All supported architectures

Package: www-client/mozilla-firefox
Vulnerable: < 1.0_pre
Unaffected: >= 1.0_pre
Architectures: All supported architectures

Package: mail-client/mozilla-thunderbird
Vulnerable: < 0.8
Unaffected: >= 0.8
Architectures: All supported architectures

Package: www-client/mozilla-bin
Vulnerable: < 1.7.3
Unaffected: >= 1.7.3
Architectures: All supported architectures

Package: www-client/mozilla-firefox-bin
Vulnerable: < 1.0_pre
Unaffected: >= 1.0_pre
Architectures: All supported architectures

Package: mail-client/mozilla-thunderbird-bin
Vulnerable: < 0.8
Unaffected: >= 0.8
Architectures: All supported architectures

Package: www-client/epiphany
Vulnerable: < 1.2.9-r1
Unaffected: >= 1.2.9-r1
Architectures: All supported architectures


Description

Mozilla-based products are vulnerable to multiple security issues. Firstly routines handling the display of BMP images and VCards contain an integer overflow and a stack buffer overrun. Specific pages with long links, when sent using the "Send Page" function, and links with non-ASCII hostnames could both cause heap buffer overruns. Several issues were found and fixed in JavaScript rights handling: untrusted script code could read and write to the clipboard, signed scripts could build confusing grant privileges dialog boxes, and when dragged onto trusted frames or windows, JavaScript links could access information and rights of the target frame or window. Finally, Mozilla-based mail clients (Mozilla and Mozilla Thunderbird) are vulnerable to a heap overflow caused by invalid POP3 mail server responses.

Impact

An attacker might be able to run arbitrary code with the rights of the user running the software by enticing the user to perform one of the following actions: view a specially-crafted BMP image or VCard, use the "Send Page" function on a malicious page, follow links with malicious hostnames, drag multiple JavaScript links in a row to another window, or connect to an untrusted POP3 mail server. An attacker could also use a malicious page with JavaScript to disclose clipboard contents or abuse previously-given privileges to request XPI installation privileges through a confusing dialog.

Workaround

There is no known workaround covering all vulnerabilities.

Resolution

All users should upgrade to the latest stable version:
Code:
# emerge sync
# emerge -pv your-version
# emerge your-version


References

Mozilla Security Advisory
US-CERT Security Alert TA04-261A
CVE-2004-0902
CVE-2004-0903
CVE-2004-0904
CVE-2004-0905
CVE-2004-0906
CVE-2004-0907
CVE-2004-0908
CVE-2004-0909


Last edited by GLSA on Mon Dec 31, 2007 4:16 am; edited 5 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum