Bug 163069
| Summary: | CAN-2005-1937 multiple firefox security issues (CAN-2005-2260 CAN-2005-2261 CAN-2005-2262 CAN-2005-2263 CAN-2005-2264 CAN-2005-2265 CAN-2005-2266 CAN-2005-2267 CAN-2005-2268 CAN-2005-2269 CAN-2005-2270) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Josh Bressers <bressers> |
| Component: | firefox | Assignee: | Christopher Aillon <caillon> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.0 | CC: | security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | impact=important,source=mozilla,public=20050712 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-07-21 10:23:13 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
MFSA 2005-45 CAN-2005-2260 MFSA 2005-46 CAN-2005-2261 MFSA 2005-47 CAN-2005-2262 MFSA 2005-48 CAN-2005-2263 MFSA 2005-49 CAN-2005-2264 MFSA 2005-50 CAN-2005-2265 MFSA 2005-51 CAN-2005-1937 MFSA 2005-52 CAN-2005-2266 MFSA 2005-53 CAN-2005-2267 MFSA 2005-54 CAN-2005-2268 MFSA 2005-55 CAN-2005-2269 MFSA 2005-56 CAN-2005-2270 Lifting embargo, this is all public now. Fixed RHSA-2005:586 |
MFSA 2005-45 Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 In several places the browser UI did not correctly distinguish between true user events, such as mouse clicks or keystrokes, and synthetic events genenerated by web content. The problems ranged from minor annoyances like switching tabs or entering full-screen mode, to a variant on MFSA 2005-34 https://bugzilla.mozilla.org/show_bug.cgi?id=289940 MFSA 2005-46 Firefox 1.0.5 Thunderbird 1.0.5 Mozilla Suite 1.7.9 impact=low,source=mozilla,public=20050712 Scripts in XBL controls from web content continued to be run even when Javascript was disabled. By itself this causes no harm, but it could be combined with most script-based exploits to attack people running vulnerable versions who thought disabling javascript would protect them. https://bugzilla.mozilla.org/show_bug.cgi?id=292591 https://bugzilla.mozilla.org/show_bug.cgi?id=292589 MFSA 2005-47 Firefox 1.0.5 impact=moderate,source=mozilla,public=20050712 If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image then they can run arbitary code on the user's computer. The image "source" must be a javascript: url containing an eval() statement and such an image would get the "broken image" icon, but with CSS it could be made transparent and placed on top of a real image. http://www.mikx.de/firewalling/ https://bugzilla.mozilla.org/show_bug.cgi?id=292737 MFSA 2005-48 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 The InstallTrigger.install() method for launching an install accepts a callback function that will be called with the final success or error status. By forcing a page navigation immediately after calling the install method this callback function can end up running in the context of the new page selected by the attacker. This is true even if the user cancels the unwanted install dialog: cancel is an error status. This callback script can steal data from the new page such as cookies or passwords, or perform actions on the user's behalf such as make a purchase if the user is already logged into the target site. https://bugzilla.mozilla.org/show_bug.cgi?id=293331 MFSA 2005-49 Firefox 1.0.5 impact=important,source=mozilla,public=20050712 Sites can use the _search target to open links in the Firefox sidebar. A missing security check allows the sidebar to inject data: urls containing scripts into any page open in the browser. This could be used to steal cookies, passwords or other sensitive data. https://bugzilla.mozilla.org/show_bug.cgi?id=294074 MFSA 2005-50 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 When InstallVersion.compareTo() is passed an object rather than a string it assumed the object was another InstallVersion without verifying it. When passed a different kind of object the browser would generally crash with an access violation. MFSA 2005-51 Firefox 1.0.5 Mozilla Suite 1.7.9 CAN-2005-1937 impact=important,source=mozilla,public=20050606 The original frame-injection spoofing bug was fixed in the Mozilla Suite 1.7 and Firefox 0.9 releases. This protection was accidentally disabled by one of the fixes in the Firefox 1.0.3 and Mozilla Suite 1.7.7 releases. http://secunia.com/advisories/15601/ https://bugzilla.mozilla.org/show_bug.cgi?id=296850 MFSA 2005-52 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 A child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent comes from the same site. By framing this page the attacker could steal cookies and passwords, or take actions on the site on behalf of a signed-in user. http://secunia.com/advisories/15549/ https://bugzilla.mozilla.org/show_bug.cgi?id=296830 MFSA 2005-53 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 Several media players, for example Flash and QuickTime, support scripted content with the ability to open URLs in the default browser. The default behavior for Firefox and the Mozilla Suite was to replace the currently open browser window's content with the externally opened content. If the external URL was a javascript: url it would run as if it came from the site that served the previous content, which could be used to steal sensitive information such as login cookies or passwords. If the media player content first caused a privileged chrome: url to load then the subsequent javascript: url could execute arbitrary code. https://bugzilla.mozilla.org/show_bug.cgi?id=298255 MFSA 2005-54 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=low,source=mozilla,public=20050607 Alerts and prompts created by scripts in web pages are presented with the generic title [JavaScript Application] which sometimes makes it difficult to know which site created them. A malicious page could attempt to cause a prompt to appear in front of a trusted site in an attempt to extract information such as passwords from the user. https://secunia.com/advisories/15489/ https://bugzilla.mozilla.org/show_bug.cgi?id=298934 MFSA 2005-55 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=moderate,source=mozilla,public=20050712 Parts of the browser UI relied too much on DOM node names without taking different namespaces into account and verifying that the node was really of the expected type. An XHTML document could be used, for example, to create fake <IMG> elements with content-defined properties that will be accessed as if they were the trusted built-in properties of the expected HTML elements. https://bugzilla.mozilla.org/show_bug.cgi?id=298892 MFSA 2005-56 Firefox 1.0.5 Mozilla Suite 1.7.9 impact=important,source=mozilla,public=20050712 Improper cloning of base objects allowed web content scripts to get to a privileged object by walking up the prototype chain. This could be used to execute code with enhanced privileges. https://bugzilla.mozilla.org/show_bug.cgi?id=294795 https://bugzilla.mozilla.org/show_bug.cgi?id=294799 https://bugzilla.mozilla.org/show_bug.cgi?id=295011 https://bugzilla.mozilla.org/show_bug.cgi?id=296397