Bug 180036
| Field | Value |
|---|---|
| Summary | CVE-2005-4134, CVE-2006-0292, CVE-2006-0296 critical mozilla vulnerabilities |
| Product | [Retired] Fedora Legacy |
| Component | mozilla |
| Reporter | Pekka Savola <pekkas> |
| Assignee | Fedora Legacy Bugs <bugs> |
| QA Contact | Ben Levenson <benl> |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | medium |
| Version | unspecified |
| CC | bressers, deisenst, donjr |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| URL | https://rhn.redhat.com/errata/RHSA-2006-0199.html |
| Whiteboard | 1, 2, 3, rh73, rh90, impact=critical |
| Doc Type | Bug Fix |
| Last Closed | 2006-02-24 00:04:22 UTC |
Description
Pekka Savola
2006-02-04 22:30:18 UTC
Note: the same bugs affect firefox as well. Should be a separate entry for that package where distributions provide it?

Another note: firefox-1.0.7-1.2.fc4 binaries from FC4 updates happen to work for FC3. This is not the case for mozilla which needs to be recompiled. In this particular case mozilla-1.7.12-1.5.2.src.rpm does not require any changes at all with FC3 save a release identifier string.

Nah, we'll include firefox here in the same bug. I am currently building packages for this bug for QA.

Here are updated mozilla and firefox packages to QA for rh73, rh9, fc1, fc2 and fc3:

Changelog:
* Sun Feb 05 2006 Marc Deslauriers <marcdeslauriers> 37:1.7.12-0.73.3.legacy
- Fix CVE-2005-4134, CVE-2006-0292, CVE-2006-0296

7.3:
http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.7.12-0.73.3.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/7.3/

9:
http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.7.12-0.90.2.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/9/

fc1:
http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.7.12-1.1.2.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/1/

fc2:
http://www.infostrategique.com/linuxrpms/legacy/2/mozilla-1.7.12-1.2.2.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/2/

fc3:
http://www.infostrategique.com/linuxrpms/legacy/3/mozilla-1.7.12-1.3.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/firefox-1.0.7-1.2.fc3.legacy.src.rpm
Binaries: http://www.infostrategique.com/linuxrpms/legacy/3/

There is another bug, CVE-2006-0295, "Mozilla QueryInterface Memory Corruption Vulnerability". Does this affect us?

From Mozilla Foundation Security Advisory 2006-04 (<http://www.mozilla.org/security/announce/mfsa2006-04.html>):

"Calling the QueryInterface method of the built-in Location and Navigator objects causes memory corruption that might be exploitable to run arbitrary code.

"This flaw appears to have been introduced during development of Firefox 1.5/SeaMonkey 1.0 -- Firefox 1.0 and the older Mozilla Suite 1.7 do not appear to be vulnerable.

"Note: Thunderbird 1.5 could be vulnerable if JavaScript is enabled in mail. This is not the default setting and we strongly discourage users from turning on JavaScript in mail. Thunderbird is not vulnerable in its default configuration.

"Update (7 February 2006)
-------------------------
"H D Moore of the Metasploit Project published a working exploit for the Linux version of Firefox 1.5 on milw0rm. Severity upgraded to critical."

"Workaround
-----------
"Upgrade to the fixed versions. Do not enable JavaScript in Thunderbird or SeaMonkey mail.

"References
-----------
https://bugzilla.mozilla.org/show_bug.cgi?id=319296
CVE-2006-0295
http://www.milw0rm.com/id.php?id=1474"

Well, if I actually read what I just posted, "This flaw appears to have been introduced during development of Firefox 1.5/SeaMonkey 1.0 -- Firefox 1.0 and the older Mozilla Suite 1.7 do not appear to be vulnerable." ... then we would not be vulnerable to this in any products we maintain, right?

QA w/ rpm-build-compare.sh:
- source integrity good
- spec file changes minimal
- patches verified to be identical to upstream

+PUBLISH RHL73, RHL9, FC1, FC2, FC3

Packages were pushed to updates-testing

New policy: automatic accept after two weeks if no negative feedback.

QA for RHL9: upgrades fine, GPG signatures fine, basic web browsing seems to work fine (tested https, java, javascript).

+VERIFY RHL9

QA testing for FC1's version of Mozilla 1.7.12, currently in updates-testing.

ccc9f1f2f0a31d46cc69af0a7b3fc8279347c855__mozilla-1.7.12-1.1.2.legacy.i386.rpm
d6a2a1f6974ab09ec1d02af7592e782c27f578e6__mozilla-mail-1.7.12-1.1.2.legacy.i386.rpm
67cb0d096878aed78036e5ea0970f1147bf74d44__mozilla-nspr-1.7.12-1.1.2.legacy.i386.rpm
dd89685756cbe81a3928075f14310f58ce409af3__mozilla-nss-1.7.12-1.1.2.legacy.i386.rpm

Above packages:
* Have good RPM GPG signatures, signed by FedoraLegacy key.
* sha1sums are fine.
* Install just fine and work well with basic browsing, http, https URLs.
* All Mozilla Mail functions seem to work well.
* Previously installed Java interpreter works fine.

22fb3e89d2484c03774aa28756082ad7fd68c9a9__mozilla-chat-1.7.12-1.1.2.legacy.i386.rpm
971284c2c887c7de98cae3fc5fc48c542ff6934f__mozilla-devel-1.7.12-1.1.2.legacy.i386.rpm
e7c1727896f18603d38ad40a6f209d19d3049f0a__mozilla-dom-inspector-1.7.12-1.1.2.legacy.i386.rpm
938aa693e2a7a499a33c6605cfa3a74e8673df27__mozilla-js-debugger-1.7.12-1.1.2.legacy.i386.rpm
cd48424e01cfe88b1f438c932a673b97f2101704__mozilla-nspr-devel-1.7.12-1.1.2.legacy.i386.rpm
e193799b982e920ebb932fcc06c49a5228f704f6__mozilla-nss-devel-1.7.12-1.1.2.legacy.i386.rpm

Above packages:
* Have good RPM GPG signatures, signed by FedoraLegacy key.
* sha1sums are fine.
* -devel packages installed fine, but did not use them. (Should someone check them to make sure, e.g., epiphany will recompile?)
* Chatzilla works fine; but only if you remember to uncheck "Work offline" from another window. ;-)
* mozilla-js-debugger seems to work well, although very slowly on my Pentium-class computer.
* Didn't try mozilla-dom-inspector.

In summary: VERIFY ++ mozilla-1.7.12.1.1.2.legacy packages

I performed QA on the following packages:

Was able to install successfully. Tested by browsing a few news sites and checking my webmail using https.

FC2 mozilla did not install due to versioning conflicts.
Package devhelp needs mozilla = 37:1.7.6, this is not available.
Package epiphany needs mozilla = 37:1.7.6, this is not available.

+VERIFY rh73,fc1,fc3

Donald, your FC2 machine must not have the latest FL packages on it. devhelp and epiphany in the official updates directory were made for mozilla-1.7.12.

Timeout over in any case...

++VERIFY for FC 3 x86_64

Downloaded packages: firefox-1.0.7-1.3.fc3.legacy.x86_64.rpm

SHA1 checksums verify okay as 850534b4cfa591372d8245808e46378c5923e086.

Package installed fine. Used by two users over several days. No problems noticed.
Used with heavy Javascript use, no problems. Tried to verify the long title bug and couldn't cause any problems...

Vote for release for FC3 x86_64. ++VERIFY

Packages were released.

*** Bug 157350 has been marked as a duplicate of this bug. ***
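
The QA comments in this thread report "sha1sums are fine" against checksum lists posted with each vote. As an added example (not code from this bug or from the rpm-build-compare.sh script it mentions), the following checks a directory of downloaded packages against such a list, accepting ordinary `sha1sum` output as well as the `<sha1>__<file>` layout used in the FC1 QA comment; the package names and file contents in `demo()` are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Checksum line: 40 hex digits, whitespace (optional "*") or "__", file name (may have "7.3/").
ENTRY = re.compile(r"^([0-9a-fA-F]{40})(?:\s+\*?|__)(\S+)$")

def parse_manifest(text):
    """Return {file name: sha1} for checksum lines; other lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[Path(m.group(2)).name] = m.group(1).lower()
    return entries

def sha1_of(path):
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_packages(manifest_text, directory):
    """Map each package to 'ok', 'mismatch', 'missing' or 'unlisted'."""
    directory = Path(directory)
    status = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = directory / name
        if not path.is_file():
            status[name] = "missing"
        else:
            status[name] = "ok" if sha1_of(path) == expected else "mismatch"
    for path in directory.glob("*.rpm"):  # files nobody vouched for
        status.setdefault(path.name, "unlisted")
    return status

def demo():
    """Constructed sample: dummy files stand in for real packages."""
    sha = lambda data: hashlib.sha1(data).hexdigest()
    manifest = ("QA notes, not a checksum line\n"
                f"{sha(b'a')} 7.3/pkg-a-1.0.src.rpm\n"
                f"{sha(b'b')}__pkg-b-1.0.i386.rpm\n"
                f"{sha(b'c').upper()}  pkg-c-1.0.i386.rpm\n")
    files = {"pkg-a-1.0.src.rpm": b"a", "pkg-b-1.0.i386.rpm": b"tampered", "pkg-d-1.0.i386.rpm": b"d"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in files.items():
            Path(tmp, name).write_bytes(data)
        return check_packages(manifest, tmp)
```

The result is only as trustworthy as the list itself, so the manifest should come from a message whose PGP signature has already been verified.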