Bug 454697 (CVE-2008-2933)

Summary: CVE-2008-2933 Firefox command line URL launches multi-tabs
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: djuran, security-response-team
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 1.9.0.1-1.fc9 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-07-18 08:17:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 454484    
Bug Blocks:    

Description Josh Bressers 2008-07-09 19:26:13 UTC 
Passing the firefox command a URL containing a pipe "|" symbol will cause
firefox to open multiple tabs.  If firefox is already running this flaw will try
to open the URL as a single URL, not as multiple tabs.

This flaw can lead to an arbitrarily named file gaining privileged access to the
browser session.

See the upstream bug for more details.
Comment 7 Josh Bressers 2008-07-15 14:32:24 UTC 
This issue does not affect SeaMonkey, it is only a Firefox issue.
Comment 8 Tomas Hoger 2008-07-16 07:17:57 UTC 
Public now via MFSA 2008-35

http://www.mozilla.org/security/announce/2008/mfsa2008-35.html

Fixed in:
  Firefox 3.0.1
  Firefox 2.0.0.16
Comment 10 Fedora Update System 2008-07-18 08:05:26 UTC 
xulrunner-1.9.0.1-1.fc9, epiphany-extensions-2.22.1-3.fc9, firefox-3.0.1-1.fc9, epiphany-2.22.2-3.fc9, yelp-2.22.1-4.fc9, devhelp-0.19.1-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-07-18 08:06:37 UTC 
chmsee-1.0.0-3.31.fc8, gnome-web-photo-0.3-12.fc8, openvrml-0.17.6-6.fc8, gnome-python2-extras-2.19.1-16.fc8, gtkmozembedmm-1.4.2.cvs20060817-22.fc8, epiphany-2.20.3-6.fc8, firefox-2.0.0.16-1.fc8, galeon-2.0.4-4.fc8.3, Miro-1.2.3-3.fc8, yelp-2.20.0-11.fc8, cairo-dock-1.6.1.1-1.fc8.1, epiphany-extensions-2.20.1-9.fc8, kazehakase-0.5.4-2.fc8.3, blam-1.8.3-17.fc8, devhelp-0.16.1-9.fc8, liferea-1.4.15-3.fc8, ruby-gnome2-0.17.0-0.3.rc1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Red Hat Product Security 2008-07-18 08:17:18 UTC 
This issue was addressed in:

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2008-0598.html
  http://rhn.redhat.com/errata/RHSA-2008-0597.html

Fedora:
  https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6491
  https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6518
Comment 13 John Summerfield 2008-07-22 02:16:54 UTC 
As of Jul 22, this does not install on F9 as it requires a superseded version of
xulrunner:

Resolving Dependencies
--> Running transaction check
---> Package firefox.x86_64 0:3.0.1-1.fc9 set to be updated
--> Processing Dependency: gecko-libs = 1.9 for package: gnome-python2-gtkmozembed
Matched xulrunner-1.9-0.60.beta5.fc9.x86_64 to require for gecko-libs
---> Package devhelp.x86_64 0:0.19.1-3.fc9 set to be updated
---> Package xulrunner.x86_64 0:1.9.0.1-1.fc9 set to be updated
---> Package yelp.x86_64 0:2.22.1-4.fc9 set to be updated
---> Package xulrunner-devel.x86_64 0:1.9.0.1-1.fc9 set to be updated
--> Finished Dependency Resolution
gnome-python2-gtkmozembed-2.19.1-16.fc9.x86_64 from installed has depsolving
problems
  --> Missing Dependency: gecko-libs = 1.9 is needed by package
gnome-python2-gtkmozembed-2.19.1-16.fc9.x86_64 (installed)
Skip-broken round 1
--> Running transaction check
---> Package xulrunner.x86_64 0:1.9.0.1-1.fc9 set to be updated
--> Processing Dependency: xulrunner = 1.9.0.1-1.fc9 for package: xulrunner-devel
--> Processing Dependency: gecko-libs = 1.9.0.1 for package: devhelp
--> Processing Dependency: gecko-libs = 1.9.0.1 for package: yelp
--> Processing Dependency: gecko-libs = 1.9.0.1 for package: firefox
--> Finished Dependency Resolution
firefox-3.0.1-1.fc9.x86_64 from updates has depsolving problems
  --> Missing Dependency: gecko-libs = 1.9.0.1 is needed by package
firefox-3.0.1-1.fc9.x86_64 (updates)
yelp-2.22.1-4.fc9.x86_64 from updates has depsolving problems
  --> Missing Dependency: gecko-libs = 1.9.0.1 is needed by package
yelp-2.22.1-4.fc9.x86_64 (updates)
xulrunner-devel-1.9.0.1-1.fc9.x86_64 from updates has depsolving problems
  --> Missing Dependency: xulrunner = 1.9.0.1-1.fc9 is needed by package
xulrunner-devel-1.9.0.1-1.fc9.x86_64 (updates)
devhelp-0.19.1-3.fc9.x86_64 from updates has depsolving problems
  --> Missing Dependency: gecko-libs = 1.9.0.1 is needed by package
devhelp-0.19.1-3.fc9.x86_64 (updates)
Skip-broken round 2
Skip-broken took 2 rounds 

Packages skipped because of dependency problems:
    devhelp-0.19.1-3.fc9.x86_64 from updates
    firefox-3.0.1-1.fc9.x86_64 from updates
    xulrunner-1.9.0.1-1.fc9.x86_64 from updates
    xulrunner-devel-1.9.0.1-1.fc9.x86_64 from updates
    yelp-2.22.1-4.fc9.x86_64 from updates
Depsolve time: 5.343
[root@potoroo ~]#
Comment 14 Tomas Hoger 2008-07-22 06:52:36 UTC 
John, please file a bug report against gnome-python2-gtkmozembed, which needs to
be rebuilt against new xulrunner package providing gecko-libs 1.9.0.1.
Comment 15 Tomas Hoger 2008-07-22 07:25:15 UTC 
(In reply to comment #14)
> John, please file a bug report against gnome-python2-gtkmozembed, which needs
> to be rebuilt against new xulrunner package providing gecko-libs 1.9.0.1.

Rebuilds were already submitted as updated to Bodhi:

https://admin.fedoraproject.org/updates/F9/pending/Miro-1.2.4-2.fc9,gnome-python2-extras-2.19.1-17.fc9

Or use these instructions to get new packages while they are not pushed to stable:

http://axelilly.wordpress.com/2008/07/21/help-test-recent-xulrunner-updates/