Bug 180036

Summary: CVE-2005-4134, CVE-2006-0292, CVE-2006-0296 critical mozilla vulnerabilities
Product: [Retired] Fedora Legacy
Reporter: Pekka Savola <pekkas>
Component: mozilla
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: urgent
Priority: medium
Version: unspecified
CC: bressers, deisenst, donjr
Keywords: Security
Hardware: All
OS: Linux
URL: https://rhn.redhat.com/errata/RHSA-2006-0199.html
Whiteboard: 1, 2, 3, rh73, rh90, impact=critical
Doc Type: Bug Fix
Last Closed: 2006-02-24 00:04:22 UTC

Description Pekka Savola 2006-02-04 22:30:18 UTC
A new set of Mozilla vulnerabilities, two of which are critical.

From https://rhn.redhat.com/errata/RHSA-2006-0140.html,

"Igor Bukanov discovered a bug in the way Mozilla's Javascript interpreter
dereferences objects. If a user visits a malicious web page, Mozilla could
crash or execute arbitrary code as the user running Mozilla. The Common
Vulnerabilities and Exposures project assigned the name CVE-2006-0292 to
this issue.

moz_bug_r_a4 discovered a bug in Mozilla's XULDocument.persist() function.
A malicious web page could inject arbitrary RDF data into a user's
localstore.rdf file, which can cause Mozilla to execute arbitrary
javascript when a user runs Mozilla. (CVE-2006-0296)

A denial of service bug was found in the way Mozilla saves history
information. If a user visits a web page with a very long title, it is
possible Mozilla will crash or take a very long time the next time it is
run. (CVE-2005-4134)

Note that the Red Hat Enterprise Linux 3 packages also fix a bug when
using XSLT to transform documents. Passing DOM Nodes as parameters to
functions expecting an xsl:param could cause Mozilla to throw an exception."

If someone proposes the packages, I can do publish QA.

Comment 1 Michal Jaegermann 2006-02-06 01:38:25 UTC
Note: the same bugs affect firefox as well.  Should there be a separate entry
for that package where distributions provide it?

Another note: firefox-1.0.7-1.2.fc4 binaries from FC4 updates happen to work
for FC3.  This is not the case for mozilla which needs to be recompiled.
In this particular case mozilla-1.7.12-1.5.2.src.rpm does not require any changes
at all with FC3 save a release identifier string.

Comment 2 Marc Deslauriers 2006-02-06 04:29:00 UTC
Nah, we'll include firefox here in the same bug.

I am currently building packages for this bug for QA.

Comment 3 Marc Deslauriers 2006-02-08 01:00:51 UTC
Here are updated mozilla and firefox packages to QA for rh73, rh9, fc1, fc2 and fc3:

Changelog:
* Sun Feb 05 2006 Marc Deslauriers <marcdeslauriers>
37:1.7.12-0.73.3.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

7.3:
http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.7.12-0.73.3.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/7.3/

9:
http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.7.12-0.90.2.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/9/

fc1:
http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.7.12-1.1.2.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/1/

fc2:
http://www.infostrategique.com/linuxrpms/legacy/2/mozilla-1.7.12-1.2.2.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/2/

fc3:
http://www.infostrategique.com/linuxrpms/legacy/3/mozilla-1.7.12-1.3.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/firefox-1.0.7-1.2.fc3.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/3/

Comment 4 David Eisenstein 2006-02-08 03:05:58 UTC
There is another bug, CVE-2006-0295, "Mozilla QueryInterface Memory Corruption
Vulnerability".  Does this affect us?

From Mozilla Foundation Security Advisory 2006-04 
(<http://www.mozilla.org/security/announce/mfsa2006-04.html>):

   "Calling the QueryInterface method of the built-in Location and Navigator
objects causes memory corruption that might be exploitable to run arbitrary code. 
   "This flaw appears to have been introduced during development of Firefox
1.5/SeaMonkey 1.0 -- Firefox 1.0 and the older Mozilla Suite 1.7 do not appear
to be vulnerable.
   "Note: Thunderbird 1.5 could be vulnerable if JavaScript is enabled in mail.
This is not the default setting and we strongly discourage users from turning on
JavaScript in mail. Thunderbird is not vulnerable in its default configuration. 

"Update (7 February 2006)
-------------------------
   "H D Moore of the Metasploit Project published a working exploit for the
Linux version of Firefox 1.5 on milw0rm. Severity upgraded to critical."

"Workaround
-----------
   "Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or
SeaMonkey mail.

"References
-----------
    https://bugzilla.mozilla.org/show_bug.cgi?id=319296
    CVE-2006-0295
    http://www.milw0rm.com/id.php?id=1474"

Comment 5 David Eisenstein 2006-02-08 03:26:44 UTC
Well, if I actually read what I just posted, "This flaw appears to have been
introduced during development of Firefox 1.5/SeaMonkey 1.0 -- Firefox 1.0 and
the older Mozilla Suite 1.7 do not appear to be vulnerable." ...

then we would not be vulnerable to this in any products we maintain, right?

Comment 6 Pekka Savola 2006-02-08 15:52:31 UTC
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to be identical to upstream

+PUBLISH RHL73, RHL9, FC1, FC2, FC3


Comment 7 Marc Deslauriers 2006-02-11 17:49:02 UTC
Packages were pushed to updates-testing

Comment 8 Pekka Savola 2006-02-14 06:28:37 UTC
New policy: automatic accept after two weeks if no negative feedback.

Comment 9 Pekka Savola 2006-02-16 04:59:30 UTC
QA for RHL9: upgrades fine, GPG signatures fine, basic web browsing seems to
work fine (tested https, java, javascript).
 
+VERIFY RHL9

Comment 10 David Eisenstein 2006-02-19 06:39:44 UTC
QA testing for FC1's version of Mozilla 1.7.12, currently in updates-testing.

ccc9f1f2f0a31d46cc69af0a7b3fc8279347c855  mozilla-1.7.12-1.1.2.legacy.i386.rpm
d6a2a1f6974ab09ec1d02af7592e782c27f578e6  mozilla-mail-1.7.12-1.1.2.legacy.i386.rpm
67cb0d096878aed78036e5ea0970f1147bf74d44  mozilla-nspr-1.7.12-1.1.2.legacy.i386.rpm
dd89685756cbe81a3928075f14310f58ce409af3  mozilla-nss-1.7.12-1.1.2.legacy.i386.rpm

  Above packages:
  * Have good RPM GPG signatures, signed by FedoraLegacy key.
  * sha1sums are fine.
  * Install just fine and work well with basic browsing, http, https URLs.
  * All Mozilla Mail functions seem to work well.
  * Previously installed Java interpreter works fine.

22fb3e89d2484c03774aa28756082ad7fd68c9a9  mozilla-chat-1.7.12-1.1.2.legacy.i386.rpm
971284c2c887c7de98cae3fc5fc48c542ff6934f  mozilla-devel-1.7.12-1.1.2.legacy.i386.rpm
e7c1727896f18603d38ad40a6f209d19d3049f0a  mozilla-dom-inspector-1.7.12-1.1.2.legacy.i386.rpm
938aa693e2a7a499a33c6605cfa3a74e8673df27  mozilla-js-debugger-1.7.12-1.1.2.legacy.i386.rpm
cd48424e01cfe88b1f438c932a673b97f2101704  mozilla-nspr-devel-1.7.12-1.1.2.legacy.i386.rpm
e193799b982e920ebb932fcc06c49a5228f704f6  mozilla-nss-devel-1.7.12-1.1.2.legacy.i386.rpm

  Above packages:
  * Have good RPM GPG signatures, signed by FedoraLegacy key.
  * sha1sums are fine.
  * -devel packages installed fine, but did not use them.  (Should someone
    check them to make sure, e.g., epiphany will recompile?)
  * Chatzilla works fine; but only if you remember to uncheck "Work offline"
    from another window.  ;-)
  * mozilla-js-debugger seems to work well, although very slowly on my
    Pentium-class computer.
  * Didn't try mozilla-dom-inspector.

In summary:  VERIFY ++ mozilla-1.7.12.1.1.2.legacy packages

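The two checks the QA comments in this bug repeat for every package set (sha1sums match the posted manifest, RPM GPG signatures are good), as an added shell example that is not part of this bug or of rpm-build-compare.sh; the manifest format, the handling of a release-directory prefix such as "3/" in the posted lists, and the test file names are assumptions:

```shell
#!/bin/sh
# Verify a "SHA1  PATH" manifest like the ones posted in this bug, then check
# RPM GPG signatures where rpm is available. Assumption (not from the bug):
# PATH may carry a release-directory prefix such as "7.3/" or "3/" that is
# dropped because the downloaded files sit together in one directory.

# verify_manifest MANIFEST DIR -> 0 only if every listed file exists in DIR
# and its sha1sum equals the posted value; prints one line per package.
verify_manifest() {
    manifest="$1"; dir="${2:-.}"; rc=0
    while read -r want path; do
        [ -n "$want" ] || continue            # skip blank lines
        name="${path##*/}"                    # "3/mozilla-x.rpm" -> "mozilla-x.rpm"
        file="$dir/$name"
        if [ ! -f "$file" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(sha1sum "$file" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (have $got, want $want)"; rc=1
        fi
    done < "$manifest"                        # redirect, not a pipe: rc survives
    return $rc
}

# check_rpm_sigs DIR -> 0 only if rpm --checksig accepts every .rpm in DIR
# (a missing or untrusted key shows up as a failure, which is the point).
check_rpm_sigs() {
    dir="${1:-.}"; rc=0
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed, skipping"; return 0; }
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || continue
        rpm --checksig "$f" || rc=1
    done
    return $rc
}
```

Run both against the directory holding the downloaded packages; a "+VERIFY" vote should only follow when both return 0.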

Comment 11 Donald Maner 2006-02-21 01:02:32 UTC
I performed QA on the following packages:

Was able to install successfully.  Tested by browsing a few news sites and
checking my webmail using https.

FC2 mozilla did not install due to versioning conflicts.

Package devhelp needs mozilla = 37:1.7.6, this is not available.
Package epiphany needs mozilla = 37:1.7.6, this is not available.


+VERIFY rh73,fc1,fc3

Comment 12 Marc Deslauriers 2006-02-21 01:09:52 UTC
Donald, your FC2 machine must not have the latest FL packages on it. devhelp and
epiphany in the official updates directory were made for mozilla-1.7.12.


Comment 13 Pekka Savola 2006-02-21 06:30:09 UTC
Timeout over in any case...

Comment 14 Eric Jon Rostetter 2006-02-23 18:46:20 UTC
++VERIFY for FC 3 x86_64
 
Downloaded packages:
firefox-1.0.7-1.3.fc3.legacy.x86_64.rpm
 
SHA1 checksums verify okay as 850534b4cfa591372d8245808e46378c5923e086.
 
Package installed fine.  Used by two users over several days.  No problems
noticed.  Used with heavy Javascript use, no problems.  Tried to verify
the long title bug and couldn't cause any problems...
 
Vote for release for FC3 x86_64.  ++VERIFY

Comment 15 Marc Deslauriers 2006-02-24 00:04:22 UTC
Packages were released.

Comment 16 David Eisenstein 2006-02-26 09:33:00 UTC
*** Bug 157350 has been marked as a duplicate of this bug. ***