From: "Robert Buchholz (rbu)"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, rbu@gentoo.org
Subject: [gentoo-commits] gentoo commit in xml/htdocs/security/en/glsa: glsa-200805-18.xml
Date: Tue, 20 May 2008 21:19:21 +0000

rbu 08/05/20 21:19:21

Added: glsa-200805-18.xml
Log: GLSA 200805-18

Revision Changes Path
1.1 xml/htdocs/security/en/glsa/glsa-200805-18.xml

file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200805-18.xml?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/security/en/glsa/glsa-200805-18.xml?rev=1.1&content-type=text/plain

Index: glsa-200805-18.xml
===================================================================

Mozilla products: Multiple vulnerabilities

Multiple vulnerabilities have been reported in Mozilla Firefox, Thunderbird, SeaMonkey and XULRunner, some of which may allow user-assisted execution of arbitrary code.

mozilla-firefox mozilla-firefox-bin seamonkey seamonkey-bin mozilla-thunderbird mozilla-thunderbird-bin xulrunner
May 20, 2008
May 20, 2008: 01
208128 214816 218065
remote
2.0.0.14 2.0.0.14 2.0.0.14 2.0.0.14 2.0.0.14 2.0.0.14 2.0.0.14 2.0.0.14 1.1.9-r1 1.1.9-r1 1.1.9 1.1.9 1.8.1.14 1.8.1.14

Mozilla Firefox is an open-source web browser and Mozilla Thunderbird an open-source email client, both from the Mozilla Project. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the 'Mozilla Application Suite'. XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications like Firefox and Thunderbird.

The following vulnerabilities were reported in all mentioned Mozilla products:

  • Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren, and Paul Nickerson reported browser crashes related to JavaScript methods, possibly triggering memory corruption (CVE-2008-0412).
  • Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown, Philip Taylor, and tgirmann reported crashes in the JavaScript engine, possibly triggering memory corruption (CVE-2008-0413).
  • David Bloom discovered a vulnerability in the way images are treated by the browser when a user leaves a page, possibly triggering memory corruption (CVE-2008-0419).
  • moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported a series of privilege escalation vulnerabilities related to JavaScript (CVE-2008-1233, CVE-2008-1234, CVE-2008-1235).
  • Mozilla developers identified browser crashes caused by the layout and JavaScript engines, possibly triggering memory corruption (CVE-2008-1236, CVE-2008-1237).
  • moz_bug_r_a4 and Boris Zbarsky discovered that pages could escape from their sandboxed context and run with chrome privileges, and inject script content into another site, violating the browser's same origin policy (CVE-2008-0415).
  • Gerry Eisenhaur discovered a directory traversal vulnerability when using "flat" addons (CVE-2008-0418).
  • Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu reported multiple character handling flaws related to the backspace character, the "0x80" character, involving zero-length non-ASCII sequences in multiple character sets, that could facilitate Cross-Site Scripting attacks (CVE-2008-0416).

The following vulnerability was reported in Thunderbird and SeaMonkey:

  • regenrecht (via iDefense) reported a heap-based buffer overflow when rendering an email message with an external MIME body (CVE-2008-0304).

The following vulnerabilities were reported in Firefox, SeaMonkey and XULRunner:

  • The fix for CVE-2008-1237 in Firefox 2.0.0.13 and SeaMonkey 1.1.9 introduced a new crash vulnerability (CVE-2008-1380).
  • hong and Gregory Fleischer each reported a variant on earlier reported bugs regarding focus shifting in file input controls (CVE-2008-0414).
  • Gynvael Coldwind (Vexillium) discovered that BMP images could be used to reveal uninitialized memory, and that this data could be extracted using a "canvas" feature (CVE-2008-0420).
  • Chris Thomas reported that background tabs could create a borderless XUL pop-up in front of pages in other tabs (CVE-2008-1241).
  • oo.rio.oo discovered that a plain text file with a "Content-Disposition: attachment" prevents Firefox from rendering future plain text files within the browser (CVE-2008-0592).
  • Martin Straka reported that the ".href" property of stylesheet DOM nodes is modified to the final URI of a 302 redirect, bypassing the same origin policy (CVE-2008-0593).
  • Gregory Fleischer discovered that under certain circumstances, leading characters from the hostname part of the "Referer:" HTTP header are removed (CVE-2008-1238).
  • Peter Brodersen and Alexander Klink reported that the browser automatically selected and sent a client certificate when SSL Client Authentication is requested by a server (CVE-2007-4879).
  • Gregory Fleischer reported that web content fetched via the "jar:" protocol was not subject to network access restrictions (CVE-2008-1240).

The following vulnerabilities were reported in Firefox:

  • Justin Dolske discovered a CRLF injection vulnerability when storing passwords (CVE-2008-0417).
  • Michal Zalewski discovered that Firefox does not properly manage a delay timer used in confirmation dialogs (CVE-2008-0591).
  • Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery warning dialog is not displayed if the entire contents of a web page are in a DIV tag that uses absolute positioning (CVE-2008-0594).

A remote attacker could entice a user to view a specially crafted web page or email that will trigger one of the vulnerabilities, possibly leading to the execution of arbitrary code or a Denial of Service. It is also possible for an attacker to trick a user into uploading arbitrary files when submitting a form, to corrupt saved passwords for other sites, to steal login credentials, or to conduct Cross-Site Scripting and Cross-Site Request Forgery attacks.

There is no known workaround at this time.

All Mozilla Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-2.0.0.14"

All Mozilla Firefox binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-firefox-bin-2.0.0.14"

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-2.0.0.14"

All Mozilla Thunderbird binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-2.0.0.14"

All SeaMonkey users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.1.9-r1"

All SeaMonkey binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/seamonkey-bin-1.1.9"

All XULRunner users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-libs/xulrunner-1.8.1.14"

NOTE: The crash vulnerability (CVE-2008-1380) is currently unfixed in the SeaMonkey binary ebuild, as no precompiled packages have been released. Until an update is available, we recommend that all SeaMonkey users disable JavaScript, use Firefox for JavaScript-enabled browsing, or switch to the SeaMonkey source ebuild.
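
An added example, not part of the advisory or of Gentoo's tooling: a check of an installed-package list against the fixed versions in the upgrade commands above, including the "-r1" revision on the SeaMonkey source ebuild and the CVE-2008-1380 exception from the NOTE. The input format (category/package-version strings), the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Fixed versions, copied from the advisory's upgrade commands.
FIXED = {
    "www-client/mozilla-firefox": "2.0.0.14",
    "www-client/mozilla-firefox-bin": "2.0.0.14",
    "mail-client/mozilla-thunderbird": "2.0.0.14",
    "mail-client/mozilla-thunderbird-bin": "2.0.0.14",
    "www-client/seamonkey": "1.1.9-r1",
    "www-client/seamonkey-bin": "1.1.9",
    "net-libs/xulrunner": "1.8.1.14",
}
# "category/name-version": the version is the trailing "-<digit>..." part.
ATOM = re.compile(r"^(?P<pkg>[\w+.-]+/[\w+.-]+?)-(?P<ver>\d[\w.]*(?:-r\d+)?)$")

def version_key(ver):
    """Key for dotted-numeric versions with optional -rN (assumption: no
    _rc/_p or letter suffixes, which real Gentoo versions may carry)."""
    base, _, rev = ver.partition("-r")
    return tuple(int(p) for p in base.split(".")), int(rev or 0)

def audit(installed):
    """Map each installed atom named in the advisory to a status string."""
    report = {}
    for atom in installed:
        m = ATOM.match(atom.strip())
        if not m or m["pkg"] not in FIXED:
            continue  # not a package covered by this advisory
        fixed = FIXED[m["pkg"]]
        try:
            vulnerable = version_key(m["ver"]) < version_key(fixed)
        except ValueError:
            report[atom] = "unparsed version, check manually"
            continue
        if vulnerable:
            report[atom] = f"vulnerable, upgrade to >={fixed}"
        elif m["pkg"] == "www-client/seamonkey-bin":
            # Advisory NOTE: CVE-2008-1380 is unfixed in the binary ebuild.
            report[atom] = "patched except CVE-2008-1380"
        else:
            report[atom] = "patched"
    return report

# Constructed sample inventory, not taken from a real host.
SAMPLE = ["www-client/mozilla-firefox-2.0.0.13", "www-client/seamonkey-1.1.9",
          "www-client/seamonkey-bin-1.1.9", "net-libs/xulrunner-1.8.1.14",
          "app-editors/vim-7.1.285"]
if __name__ == "__main__":
    for atom, status in audit(SAMPLE).items():
        print(f"{atom}: {status}")
```

The same version string, 1.1.9, is reported as vulnerable for www-client/seamonkey and as patched with an exception for www-client/seamonkey-bin, because the two ebuilds have different fixed versions.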

CVE-2007-4879 CVE-2008-0304 CVE-2008-0412 CVE-2008-0413 CVE-2008-0414 CVE-2008-0415 CVE-2008-0416 CVE-2008-0417 CVE-2008-0418 CVE-2008-0419 CVE-2008-0420 CVE-2008-0591 CVE-2008-0592 CVE-2008-0593 CVE-2008-0594 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241 CVE-2008-1380 rbu