Bug 189137

Summary: multiple critical Firefox, Mozilla vulnerabilities (CVE-2006-0749, CVE-2006-1724, et al.)
Product: [Retired] Fedora Legacy Reporter: David Eisenstein <deisenst>
Component: firefoxAssignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA QA Contact:
Severity: urgent Docs Contact:
Priority: high    
Version: fc3CC: pekkas
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.zerodayinitiative.com/advisories/ZDI-06-009.html
Whiteboard: impact=critical, LEGACY, rh73, rh90, 1, 2, 3
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-06-06 23:22:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Proposed mozilla Test Update Notification
none
Proposed Test Update Notification for firefox-1.0.8 for FC3
none
Proposed FLSA for mozilla
none
Proposed FLSA for firefox none

Description David Eisenstein 2006-04-17 16:31:17 UTC 
Red Hat has issued RHSA:2006-0328-01 for Firefox
<http://www.redhat.com/archives/enterprise-watch-list/2006-April/msg00002.html>
releasing firefox-1.0.8-1.4.1.

"Critical: Firefox security update
...

"Updated firefox packages that fix several security bugs are now available.

"This update has been rated as having critical security impact by the Red
Hat Security Response Team. ...

"Several bugs were found in the way Firefox processes malformed javascript.
A malicious web page could modify the content of a different open web page,
possibly stealing sensitive information or conducting a cross-site
scripting attack. (CVE-2006-1731, CVE-2006-1732, CVE-2006-1741)

"Several bugs were found in the way Firefox processes certain javascript
actions. A malicious web page could execute arbitrary javascript
instructions with the permissions of 'chrome', allowing the page to steal
sensitive information or install browser malware. (CVE-2006-1727,
CVE-2006-1728, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1742)

"Several bugs were found in the way Firefox processes malformed web pages.
A carefully crafted malicious web page could cause the execution of
arbitrary code as the user running Firefox. (CVE-2006-0749, CVE-2006-1724,
CVE-2006-1730, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739) 

"A bug was found in the way Firefox displays the secure site icon. If a
browser is configured to display the non-default secure site modal warning
dialog, it may be possible to trick a user into believing they are viewing
a secure site. (CVE-2006-1740)

"A bug was found in the way Firefox allows javascript mutation events on
'input' form elements. A malicious web page could be created in such a way
that when a user submits a form, an arbitrary file could be uploaded to the
attacker. (CVE-2006-1729)

"Users of Firefox are advised to upgrade to these updated packages
containing Firefox version 1.0.8 which corrects these issues."
Comment 1 Pekka Savola 2006-04-19 06:08:36 UTC 
Mozilla updates seem to have been pushed out for RHEL as well now.
Comment 2 Marc Deslauriers 2006-04-19 21:40:31 UTC 
I'll tackle this if no one else is currently doing it.
Comment 3 Pekka Savola 2006-04-22 05:01:53 UTC 
Nobody seems to be stepping up...

I could probably do publish QA, depending on whether I have net access on travel.
Comment 4 David Eisenstein 2006-04-22 07:22:26 UTC 
Marc told me this evening that he is building Mozilla and has already
built Firefox on his home machine.  He said he'd post them here in the
next day or so...

He also indicated that we will track both Mozilla and Firefox packages
here in this bug ticket.

Redhat issued RHSA-2006:0329-01 for Mozilla in RHEL's 2.1, 3, & 4.  
<http://rhn.redhat.com/errata/RHSA-2006-0329.html>

I've not seen any Fedora Core packages released yet for Mozilla, and
it appears FC's bugs (for Mozilla) are still embargoed.  I am writing
a note to security-response-team to see if they can open
those bugs up, since those vulnerabilities are now public knowledge.

I will open a new bug report for the related Mozilla Thunderbird bug.
Comment 5 Marc Deslauriers 2006-04-23 19:46:55 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated firefox, mozilla, galeon, devhelp and epiphany packages to QA:

7.3:
066665153a4f3643327f3107a52064081209456a  7.3/galeon-1.2.14-0.73.6.legacy.src.rpm
22bfc4cc06955ba771ed010e97746b9fb1932f07  7.3/mozilla-1.7.13-0.73.1.legacy.src.rpm

9:
eb1ec89fe7e121c788ae9d398d564e546be1fe3a  9/galeon-1.2.14-0.90.6.legacy.src.rpm
3552d71bf822a9ce323700722dea45f60efe4dcb  9/mozilla-1.7.13-0.90.1.legacy.src.rpm

fc1:
595447482cb41a3b58d127662a84f17cb4b3b3aa  1/epiphany-1.0.8-1.fc1.6.legacy.src.rpm
6ef86905444692d9280b26f4d165ad782e6d7476  1/mozilla-1.7.13-1.1.1.legacy.src.rpm

fc2:
6f3eefef4f197341271c7317056c093f19b81ab9  2/devhelp-0.9.1-0.2.10.legacy.src.rpm
e1d4a7372e9ffe1e14669a40f6d742d88602ff1a  2/epiphany-1.2.10-0.2.7.legacy.src.rpm
748cd38b0e47c462802a2bdb92425704f7ae39e0  2/mozilla-1.7.13-1.2.1.legacy.src.rpm

fc3:
a4318f1b301f5fbf51f4d3b77f03809a4e72e42a  3/devhelp-0.9.2-2.3.7.legacy.src.rpm
8e80c9d6d816cd39d70f621d0ef3933b3edcad72  3/epiphany-1.4.9-1.1.legacy.src.rpm
01005aa6085b0dd308cee01b5d224de59d725ea1  3/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm
a98fc53dc8d63604184d55628929e0741519a245  3/mozilla-1.7.13-1.3.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/galeon-1.2.14-0.73.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.7.13-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/galeon-1.2.14-0.90.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.7.13-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/epiphany-1.0.8-1.fc1.6.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.7.13-1.1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/devhelp-0.9.1-0.2.10.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/epiphany-1.2.10-0.2.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/mozilla-1.7.13-1.2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/devhelp-0.9.2-2.3.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/epiphany-1.4.9-1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/firefox-1.0.8-1.1.fc3.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/3/mozilla-1.7.13-1.3.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFES9vvLMAs/0C4zNoRAokzAKCf5wI6awU55f2mhXF/ENoExzB2zgCfUBiO
DRWepikHeqWrKSrm4EFKkRM=
=JMzR
-----END PGP SIGNATURE-----
Comment 6 Pekka Savola 2006-05-02 19:19:43 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches minimal and OK (when they exist at all, e.g., epiphany)

+PUBLISH RHL73, RHL9, FC1, FC2, FC3

Thanks to Marc for the heavy lifting, as usual.

22bfc4cc06955ba771ed010e97746b9fb1932f07  mozilla-1.7.13-0.73.1.legacy.src.rpm
3552d71bf822a9ce323700722dea45f60efe4dcb  mozilla-1.7.13-0.90.1.legacy.src.rpm
6ef86905444692d9280b26f4d165ad782e6d7476  mozilla-1.7.13-1.1.1.legacy.src.rpm
748cd38b0e47c462802a2bdb92425704f7ae39e0  mozilla-1.7.13-1.2.1.legacy.src.rpm
a98fc53dc8d63604184d55628929e0741519a245  mozilla-1.7.13-1.3.1.legacy.src.rpm
01005aa6085b0dd308cee01b5d224de59d725ea1  firefox-1.0.8-1.1.fc3.1.legacy.src.rpm
358c7ef4ce9b3bc4274dd2437fd17bd4e19a6c06  galeon-1.2.14-0.73.6.legacy.src.rpm
eb1ec89fe7e121c788ae9d398d564e546be1fe3a  galeon-1.2.14-0.90.6.legacy.src.rpm
595447482cb41a3b58d127662a84f17cb4b3b3aa  epiphany-1.0.8-1.fc1.6.legacy.src.rpm
e1d4a7372e9ffe1e14669a40f6d742d88602ff1a  epiphany-1.2.10-0.2.7.legacy.src.rpm
8e80c9d6d816cd39d70f621d0ef3933b3edcad72  epiphany-1.4.9-1.1.legacy.src.rpm
6f3eefef4f197341271c7317056c093f19b81ab9  devhelp-0.9.1-0.2.10.legacy.src.rpm
a4318f1b301f5fbf51f4d3b77f03809a4e72e42a  devhelp-0.9.2-2.3.7.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFEV7JVGHbTkzxSL7QRAj3fAJ9m1HXTNHFtOSAl0vW0XOGD4q8WNwCfc34G
/zLStcC/dJetzQ/piLD0WOE=
=sn8h
-----END PGP SIGNATURE-----
Comment 7 David Eisenstein 2006-05-13 07:00:43 UTC 
Created attachment 128973 [details]
Proposed mozilla Test Update Notification

Here's a proposed Test Update Notification for Mozilla and its dependents.
Needs to have exact package names/SHA1-sums filled in once packages are built
and fully ready.
Comment 8 David Eisenstein 2006-05-13 07:07:35 UTC 
Created attachment 128974 [details]
Proposed Test Update Notification for firefox-1.0.8 for FC3

Here's a proposed Test Update Notification for Mozilla Firefox.
Needs to have exact package names/SHA1-sums filled in once packages are built
and fully ready.
Comment 9 Marc Deslauriers 2006-05-15 23:41:05 UTC 
These packages were pushed to updates-testing.
Comment 10 Pekka Savola 2006-05-16 12:06:19 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL9.  Signature OK, upgrades OK, basic browsing including Java
plugin seems to work fine.
 
+VERIFY RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFEacG4GHbTkzxSL7QRAtJ6AJ45/pDeOTcg6fN5Xs8/yTRunVFdIgCcCrU8
b5t9549NhjP4m16YlJbDGCE=
=N2Ub
-----END PGP SIGNATURE-----

Timeout in 2 weeks.
Comment 11 David Eisenstein 2006-05-26 12:31:27 UTC 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Testing for FC1 versions of mozilla and epiphany:

SHA1SUM					  Package
========================================__=========================================
3d510a0a221fd0af801d32075cfec02b54e07422__mozilla-1.7.13-1.1.1.legacy.i386.rpm
fac226fb8ed3c08bd5c38729ca4bdcb7cbfa7155__mozilla-mail-1.7.13-1.1.1.legacy.i386.rpm
50de7263571cfdca103af679b2b4824cf5e4b733__mozilla-nspr-1.7.13-1.1.1.legacy.i386.rpm
231222af647baca7cf8ad3aa70102baf065844ea__mozilla-nss-1.7.13-1.1.1.legacy.i386.rpm
4278190ae02b1ba55ab8f7bff797aa0b7c6367cf__epiphany-1.0.8-1.fc1.6.legacy.i386.rpm

 *  Packages install fine
 *  Packages run fine
 *  Have been running mozilla and mozilla-mail for about a week,
    no issues to report.

VERIFY++  FC1 mozilla and epiphany

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFEdvZ8xou1V/j9XZwRAlBeAKDpLGRlC9ALKW2ZPEAuXBSi1eBtsQCgvgzI
vS5xggcwBeqwQXn3c5yiQVM=
=5H0C
-----END PGP SIGNATURE-----
Comment 12 Pekka Savola 2006-05-26 14:52:37 UTC 
Timeout shortened to one week, and thus over.
Comment 13 David Eisenstein 2006-06-03 10:17:26 UTC 
Created attachment 130447 [details]
Proposed FLSA for mozilla
Comment 14 David Eisenstein 2006-06-05 09:05:13 UTC 
Created attachment 130483 [details]
Proposed FLSA for firefox
Comment 15 Marc Deslauriers 2006-06-06 23:22:29 UTC 
Packages were released to updates.