Bug 160202

Summary: Mozilla Browsers Frame Injection Vulnerability
Product: [Retired] Fedora Legacy
Reporter: John Dalbec <jpdalbec>
Component: mozilla
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: rhl7.3
CC: deisenst, pekkas
Keywords: Security
Hardware: i386
OS: Linux
URL: http://secunia.com/advisories/15601/
Whiteboard: LEGACY, 1, 2, rh73, rh9
Doc Type: Bug Fix
Last Closed: 2005-09-15 02:02:09 UTC

Description John Dalbec 2005-06-13 12:24:29 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Description of problem:
(4) MODERATE: Mozilla Browsers Frame Injection Vulnerability
Affected:
Firefox version 1.0.4
Mozilla version 1.7.8

Description: An old vulnerability has been rediscovered in the Mozilla
and Firefox browsers. This vulnerability permits a malicious website to
inject a "frame" into the browser window of another website. For
example, the content from http://www.malicious.com can be loaded into
another window displaying the content from http://www.mybank.com. The
flaw can be exploited by a malicious webpage to spoof its identity as a
trusted site. This may lead to stealing sensitive user information such
as passwords, or further compromise of the user system. Proof-of-concept
browser test tools have been publicly posted.

Status: Mozilla has not confirmed, no patches available.

References:
Secunia Advisory
http://secunia.com/advisories/15601/ 




Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:

Comment 1 Michal Jaegermann 2005-07-20 19:08:47 UTC
The current 
http://www.mozilla.org/projects/security/known-vulnerabilities.html
actually lists nine new vulnerabilities from MFSA 2005-45 to MFSA 2005-56
(2005-47, 2005-49 and 2005-53 are not used) with the last one, "Code execution
through shared function objects", marked as critical and three other high.
The original one from this report is listed there as MFSA 2005-51, 
"The return of frame-injection spoofing" indeed classified as moderate.

Dropping mozilla-1.7.10 in the old spec file works fine, at least on
RH7.3, with this catch that '%dir %{mozdir}/res/builtin' is now gone.

Comment 2 John Dalbec 2005-07-21 14:46:20 UTC
(8) HIGH: Mozilla/Firefox Multiple Remote Code Execution Vulnerabilities
Affected:
Firefox prior to version 1.0.5
Mozilla prior to version 1.7.9
Thunderbird prior to version 1.0.2

Description: Mozilla/Firefox browsers and Thunderbird email client
contain multiple vulnerabilities that can be exploited to execute
arbitrary code or arbitrary scripts on the client systems. Complete
technical details and exploit code have been publicly posted.

Status: Upgrade to Firefox 1.0.5 and Mozilla 1.7.9. Thunderbird fix is
not available at this time.

Council Site Actions: Only four of the reporting council sites are
responding to this item. Two of the sites already have the latest builds
available for their users to download.  The two other sites don't
officially support Firefox and Mozilla but have notified their users and
believe the users will get the updated versions manually.

References: Mozilla Advisories
http://www.mozilla.org/security/announce/mfsa2005-46.html
http://www.mozilla.org/security/announce/mfsa2005-48.html
http://www.mozilla.org/security/announce/mfsa2005-50.html
http://www.mozilla.org/security/announce/mfsa2005-55.html
http://www.mozilla.org/security/announce/mfsa2005-56.html
Exploit Code
http://www.frsirt.com/exploits/20050712.mfsa2005-49exploit.php
http://www.frsirt.com/exploits/20050712.mfsa2005-47exploit.php
http://www.frsirt.com/exploits/20050712.mfsa2005-55exploit.php
SecurityFocus BID http://www.securityfocus.com/bid/14242

05.28.18 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Suite, Firefox and Thunderbird Multiple Vulnerabilities
Description: The Mozilla Foundation has released 12 security
advisories specifying security vulnerabilities in Mozilla Suite,
Firefox, and Thunderbird. Please refer to the advisory for further
details. These vulnerabilities have been addressed in Firefox version
1.0.5 and Mozilla Suite 1.7.9. Mozilla Thunderbird has not been fixed
at this time.
Ref: http://www.securityfocus.com/bid/14242/references 

Comment 3 Pekka Savola 2005-07-27 06:59:42 UTC
Well, as RHEL has already moved to 1.7.10, if someone can create the packages, I
can do the PUBLISH..

Comment 4 Marc Deslauriers 2005-07-27 12:03:02 UTC
I'll make some tonight.

Comment 5 Marc Deslauriers 2005-07-30 20:00:55 UTC
Here are updated mozilla, galeon, devhelp and epiphany packages to QA:

7.3:
a3adef61082a23b82f86b265ccc200fc1dcbfce2  7.3/mozilla-1.7.10-0.73.1.legacy.src.rpm
e1a26a16215b17aa5c43f9460d411e518060707a  7.3/galeon-1.2.14-0.73.4.legacy.src.rpm

9:
4a211079a8efc3c73cc398ec7fce7c6a4af575fa  9/mozilla-1.7.10-0.90.1.legacy.src.rpm
f53930b34862242a19d2c20e728683ae6576f450  9/galeon-1.2.14-0.90.4.legacy.src.rpm

fc1:
a49ad80fbfc5e590d4b17ce1eeef92a6ea2af097  1/mozilla-1.7.10-1.1.1.legacy.src.rpm
8b23c3397084f7b19e99288bc99b96350e749130  1/epiphany-1.0.8-1.fc1.4.legacy.src.rpm

fc2:
d5797aaa95f73b2170ac1856abd74b5ca180a3d9  2/mozilla-1.7.10-1.2.1.legacy.src.rpm
34c9b870a56753f3a1b02251d19bc8945c6aedbc  2/devhelp-0.9.1-0.2.8.legacy.src.rpm
7eb8ac04425cc2220dd6448528b24dfc067d9a5e  2/epiphany-1.2.10-0.2.5.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.7.10-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/galeon-1.2.14-0.73.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.7.10-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/galeon-1.2.14-0.90.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.7.10-1.1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/epiphany-1.0.8-1.fc1.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/mozilla-1.7.10-1.2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/devhelp-0.9.1-0.2.8.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/epiphany-1.2.10-0.2.5.legacy.src.rpm

Binaries are also available at the same location.


Comment 6 Pekka Savola 2005-07-31 05:00:21 UTC
QA w/ rpm-build-compare.sh:
 - source integrity ok
 - spec file changes are relatively small, taken in a straightforward
   manner from RHEL updates
 - patches are OK.  The comarray patch in FC2 is from Fedora CVS.

+PUBLISH RHL73, RHL9, FC1, FC2

a3adef61082a23b82f86b265ccc200fc1dcbfce2  mozilla-1.7.10-0.73.1.legacy.src.rpm
4a211079a8efc3c73cc398ec7fce7c6a4af575fa  mozilla-1.7.10-0.90.1.legacy.src.rpm
a49ad80fbfc5e590d4b17ce1eeef92a6ea2af097  mozilla-1.7.10-1.1.1.legacy.src.rpm
d5797aaa95f73b2170ac1856abd74b5ca180a3d9  mozilla-1.7.10-1.2.1.legacy.src.rpm
8b23c3397084f7b19e99288bc99b96350e749130  epiphany-1.0.8-1.fc1.4.legacy.src.rpm
7eb8ac04425cc2220dd6448528b24dfc067d9a5e  epiphany-1.2.10-0.2.5.legacy.src.rpm
34c9b870a56753f3a1b02251d19bc8945c6aedbc  devhelp-0.9.1-0.2.8.legacy.src.rpm
e1a26a16215b17aa5c43f9460d411e518060707a  galeon-1.2.14-0.73.4.legacy.src.rpm
f53930b34862242a19d2c20e728683ae6576f450  galeon-1.2.14-0.90.4.legacy.src.rpm


Comment 7 Gilbert Sebenste 2005-08-03 15:47:55 UTC
Mozilla Works fine for me on FC1. +PUBLISH FC1
Epiphany comes up with this error message: 

GnomeUI-WARNING **: while connecting with session manager:
Authentication Rejected, reason: None of the authentication protocols
specified are supported amd host-based authentication failed.

Gilbert

Comment 8 Marc Deslauriers 2005-08-03 21:29:35 UTC
Gilbert,

Log out, and log back in again. That should take care of epiphany.

Comment 9 Gilbert Sebenste 2005-08-06 16:55:50 UTC
(In reply to comment #8)
> Gilbert,
> Log out, and log back in again. That should take care of epiphany.

Got it! Thanks. +PUBLISH FC1 on epiphany.

Comment 10 Marc Deslauriers 2005-08-12 21:23:30 UTC
Packages were built for updates-testing.

Comment 11 Pavel Kankovsky 2005-08-16 20:50:25 UTC
For the record:
1.7.10 broke Mailnews, 1.7.11 was released to fix it.
See http://www.mozilla.org/releases/mozilla1.7.11/changelog.html
On the other hand, broken MUA is better than 0wned browser.


Comment 12 Pekka Savola 2005-08-19 06:54:59 UTC
I don't personally have a problem with slightly broken mail/news, but some
others might.  I'm willing to give a publish if someone creates the
packages.  That said, I don't want to delay the publication of these
packages, so..
 
I've tested both RHL73 and RHL9 versions.  Signatures were OK, upgrade went
OK.  Web browsing seems to work OK.  Also a java applet in RHL9 worked fine.
 
+VERIFY RHL73, RHL9


Comment 13 Marc Deslauriers 2005-08-19 12:07:37 UTC
We can't release 1.7.11 mozilla packages until FC3 and FC4 upgrade or else we'll
break the upgrade path.

Let's stick to 1.7.10 for now.
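
The upgrade-path constraint raised in comment 13, as an added example that is not part of the original thread: RPM only upgrades a package when its version-release sorts newer, so each older distribution's package must sort below the next distribution's. The comparison below is a simplified re-implementation of RPM's segment comparison; it assumes equal epochs (none are shown in this bug), and the 1.7.11 strings are constructed for illustration.

```python
import re

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare alternating digit/letter segments.
    The '~' and '^' extensions are ignored; no package here uses them."""
    seg = re.compile(r"\d+|[A-Za-z]+")
    sa, sb = seg.findall(a), seg.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric compare, leading zeros ignored
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings; epoch is assumed equal."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Version-release strings quoted in this bug (comments 5 and 18), oldest distro first.
RELEASED = [
    ("RHL 7.3", "1.7.10-0.73.1.legacy"),
    ("RHL 9",   "1.7.10-0.90.1.legacy"),
    ("FC1",     "1.7.10-1.1.1.legacy"),
    ("FC2",     "1.7.10-1.2.1.legacy"),
    ("FC3",     "1.7.10-1.3.2"),
]

def upgrade_path_breaks(chain):
    """Return (older_distro, newer_distro) pairs where the older distro's
    package is not strictly older than the newer distro's package."""
    return [(d1, d2) for (d1, e1), (d2, e2) in zip(chain, chain[1:])
            if evr_cmp(e1, e2) >= 0]

def rebase_legacy(chain, old="1.7.10", new="1.7.11"):
    """Constructed scenario: only the .legacy packages move to a new upstream version."""
    return [(d, e.replace(old, new, 1) if e.endswith(".legacy") else e)
            for d, e in chain]

if __name__ == "__main__":
    print("as released:      ", upgrade_path_breaks(RELEASED))
    print("legacy on 1.7.11: ", upgrade_path_breaks(rebase_legacy(RELEASED)))
```
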

Comment 14 David Eisenstein 2005-08-30 10:48:24 UTC
 QA testing for FC1's version of Mozilla 1.7.10 (including epiphany
version 1.0.8), currently in updates-testing.

024af661649ccdd80f61cdbcd67405146ddd290e
   mozilla-1.7.10-1.1.1.legacy.i386.rpm
c714508dfbf5194b518ab8c36ef15e35b5f9f34d
   mozilla-chat-1.7.10-1.1.1.legacy.i386.rpm
9f87a7c1b15b1eacf77d785ba02a6e5272786483
   mozilla-devel-1.7.10-1.1.1.legacy.i386.rpm
40d6a447c6fa50971449a12ed04d2139e7f38c86
   mozilla-dom-inspector-1.7.10-1.1.1.legacy.i386.rpm
7d7993584caf000376d414adfea09ef03b5dcfcc
   mozilla-js-debugger-1.7.10-1.1.1.legacy.i386.rpm
ddb668ea5ef6354bcea561d396f322b812986d3c
   mozilla-mail-1.7.10-1.1.1.legacy.i386.rpm
ba21eee7662528448aeab774f9f1eedcd27bef6e
   mozilla-nspr-1.7.10-1.1.1.legacy.i386.rpm
6fc9017c5f1712648f83f74dfc289097244bf2fb
   mozilla-nspr-devel-1.7.10-1.1.1.legacy.i386.rpm
b16af5524e6b5ae6d00b978aa7ae7e382045e42a
   mozilla-nss-1.7.10-1.1.1.legacy.i386.rpm
fe6babcc981d3d8d00405bc668a163c762325556
   mozilla-nss-devel-1.7.10-1.1.1.legacy.i386.rpm
8e927ac2f8ef17d3d33a5f244944c8e23bd349a5
   epiphany-1.0.8-1.fc1.4.legacy.i386.rpm

   -  SHA1 sums all match.
   -  All packages properly signed by the Fedora Legacy pgp key.
   -  Initial install of five core packages went well.
   -  Mozilla browser works well -- from a day or so of using with a
      variety of webpages (http:, https:, pages with javascript, pages
      using Java)
   -  Subsequent install of remaining packages (except for -devel) went
      well.
   -  Epiphany works.
   -  ChatZilla IRC client works.  Works better when you don't make
      typos.
   -  Venkman, the JavaScript debugger, seems to work okay.  Was able
      to set a breakpoint and trace execution.
   -  DOM Inspector - seems to inspect Document Objects well, including
      the document object that is the browser itself!
   -  Installed -devel without incident.  Didn't use it.

I use Mozilla Mail a lot.  Mozilla Mail seems to work well (and a lot
faster than my previous Mozilla install!), EXCEPT:  When I set the "Do
not load remote images in Mail & Newsgroup Messages" in the Preferences, I
encountered the newly-introduced bug -- where when you switch folders with
a message selected in the first folder, the message list is not refreshed
with the content listing of the 2nd folder:
         (<https://bugzilla.mozilla.org/show_bug.cgi?id=300749>)

I have not been able to get Mozilla Mail to evidence the other bug:
         (<https://bugzilla.mozilla.org/show_bug.cgi?id=301917>).

Other people's mileage may vary on the Mozilla Mail bugs that are fixed
upstream.  This bug is not a major blocker, in my opinion, although I
would like to see it fixed.

I vote:  VERIFY+ FC1



Comment 15 David Eisenstein 2005-08-30 12:15:55 UTC
In reference to the Mozilla-mail regression bugs in 1.7.10, I have retrieved
the patches that fix them from Mozilla's CVS and am going to work
up a new SPEC file to incorporate them.  Those patches are pretty small,
and deal with one C source file and its header file.

I was thinking about cloning this bug and posting the spec-file and
patches in the cloned bug, so we can issue packages that fix the
Mozilla-Mail bugs...

Would it be appropriate to do so?  Or should I post them here in this bug?
Or not do it at all?

Comment 16 Pekka Savola 2005-08-30 18:37:31 UTC
I don't think we should respin the packages for this.  If I read the text
correctly, this should be fixed in the next mozilla releases -- after we're done
publishing this one, we can start with new ones..

Comment 17 Pekka Savola 2005-09-04 05:07:49 UTC
Timeout over..

Comment 18 Michal Jaegermann 2005-09-10 15:00:57 UTC
A new vulnerability, deemed "critical", showed up identified as CAN-2005-2871.
See, for example, https://rhn.redhat.com/errata/RHSA-2005-769.html.
One more additional patch, named firefox-307259-branch.patch in
mozilla-1.7.10-1.1.3.2.src.rpm, is needed to close that hole.

The same patch is also used in mozilla-1.7.10-1.3.2.src.rpm from FC3 updates
and mozilla recompiles after adding it without any issues (at least on an RH7.3
installation).  Resulting binaries work or you are not reading that. :-)

Comment 19 Pekka Savola 2005-09-10 18:43:50 UTC
Hmm.. not sure if we can add it at that point (this update is pending release in
any case).

Maybe someone would need to create new packages (e.g., based on 1.7.11) which
incorporate that patch under a new PR number?

Comment 20 Marc Deslauriers 2005-09-15 02:02:09 UTC
Packages were released to updates.