Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200509-11 ] Mozilla Suite, Mozilla Firefox: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Advocate
Advocate


Joined: 12 May 2004
Posts: 2663

PostPosted: Sun Sep 18, 2005 8:00 pm    Post subject: [ GLSA 200509-11 ] Mozilla Suite, Mozilla Firefox: Multiple Reply with quote

Gentoo Linux Security Advisory

Title: Mozilla Suite, Mozilla Firefox: Multiple vulnerabilities (GLSA 200509-11)
Severity: normal
Exploitable: remote
Date: September 18, 2005
Updated: September 29, 2005
Bug(s): #105396
ID: 200509-11

Synopsis


Mozilla Suite and Firefox are vulnerable to multiple issues, including some
that might be exploited to execute arbitrary code.


Background


The Mozilla Suite is a popular all-in-one web browser that includes a
mail and news reader. Mozilla Firefox is the next-generation browser
from the Mozilla project. Gecko is the layout engine used in both
products.


Affected Packages

Package: www-client/mozilla-firefox
Vulnerable: < 1.0.7-r2
Unaffected: >= 1.0.7-r2
Architectures: All supported architectures

Package: www-client/mozilla
Vulnerable: < 1.7.12-r2
Unaffected: >= 1.7.12-r2
Architectures: All supported architectures

Package: www-client/mozilla-firefox-bin
Vulnerable: < 1.0.7
Unaffected: >= 1.0.7
Architectures: All supported architectures

Package: www-client/mozilla-bin
Vulnerable: < 1.7.12
Unaffected: >= 1.7.12
Architectures: All supported architectures

Package: net-libs/gecko-sdk
Vulnerable: < 1.7.12
Unaffected: >= 1.7.12
Architectures: All supported architectures


Description


The Mozilla Suite and Firefox are both vulnerable to the following
issues:
  • Tom Ferris reported a heap overflow in IDN-enabled browsers with
    malicious Host: headers (CAN-2005-2871).
  • "jackerror" discovered a heap overrun in XBM image processing
    (CAN-2005-2701).
  • Mats Palmgren reported a potentially exploitable stack corruption
    using specific Unicode sequences (CAN-2005-2702).
  • Georgi Guninski discovered an integer overflow in the JavaScript
    engine (CAN-2005-2705)
  • Other issues ranging from DOM object spoofing to request header
    spoofing were also found and fixed in the latest versions
    (CAN-2005-2703, CAN-2005-2704, CAN-2005-2706, CAN-2005-2707).

The Gecko engine in itself is also affected by some of these issues and
has been updated as well.


Impact


A remote attacker could setup a malicious site and entice a victim to
visit it, potentially resulting in arbitrary code execution with the
victim's privileges or facilitated spoofing of known websites.


Workaround


There is no known workaround for all the issues.


Resolution


All Mozilla Firefox users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-1.0.7-r2"

All Mozilla Suite users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.12-r2"

All Mozilla Firefox binary users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-1.0.7"

All Mozilla Suite binary users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.12"

All Gecko library users should upgrade to the latest version:
Code:
# emerge --sync
    # emerge --ask --oneshot --verbose ">=net-libs/gecko-sdk-1.7.12"


References

CAN-2005-2701
CAN-2005-2702
CAN-2005-2703
CAN-2005-2704
CAN-2005-2705
CAN-2005-2706
CAN-2005-2707
CAN-2005-2871
Mozilla Foundation Security Advisories


Last edited by GLSA on Wed Nov 12, 2014 4:20 am; edited 3 times in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum