129123 – Numerous security issues fixed in Mozilla 1.4.3

Bug 129123 - Numerous security issues fixed in Mozilla 1.4.3

Summary: Numerous security issues fixed in Mozilla 1.4.3

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	mozilla
Sub Component:
Version:	3.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Christopher Blizzard
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-08-04 08:19 UTC by Mark J. Cox
Modified:	2012-10-15 13:46 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2004-08-04 21:49:26 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2004:421	0	high	SHIPPED_LIVE	Critical: mozilla security update	2004-08-04 04:00:00 UTC

Description Mark J. Cox 2004-08-04 08:19:54 UTC

In addition to bugs 127338 and 127186, the following security issues
were also fixed in Mozilla 1.4.3 (most of these had been previously
fixed in 1.7.*)

        * "During a source code audit, Chris Evans discovered a buffer
        overflow which affects the libpng code inside Mozilla. An
        attacker could create a carefully crafted PNG file in such a
        way that it would cause Mozilla to crash or execute arbitrary
        code when the image was viewed."  CAN-2004-0597 CAN-2004-0599

        * Zen Parse reported improper input validation to the
        SOAPParameter object constructor leading to an integer
        overflow and controllable heap corruption.  Malicious
        JavaScript could be written to utilise this flaw and could
        allow arbitrary code execution.  CAN-2004-0722

        http://bugzilla.mozilla.org/show_bug.cgi?id=236618

        * "Zen Parse reported a flaw in the POP3 capability.  A
        malicious pop3 server could send a carefully crafted response
        that would cause a heap overflow and potentially allow
        execution of arbitrary code as the user running Mozilla."
        CAN-2004-0757

        http://bugzilla.mozilla.org/show_bug.cgi?id=229374

        * "Marcel Boesch found a flaw that allows a CA certificate to
        be imported with a DN the same as that of the built-in CA
        root certificates, which can cause a denial of
        service to SSL pages because the malicious certificate is
treated as
        invalid." CAN-2004-0758

        http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127186
        http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257559
        http://bugzilla.mozilla.org/show_bug.cgi?id=249004

        * "Met - Martin Hassman reported a flaw in Mozilla that could
        allow malicious Javascript code to upload local files from a
        users machine without requiring confirmation." CAN-2004-0759

        http://bugzilla.mozilla.org/show_bug.cgi?id=241924

       * "Mindlock Security reported a flaw in ftp URI handling.  By
        using a NULL character (%00) in a ftp URI, Mozilla can be
        confused into opening a resource as a different MIME type"
        CAN-2004-0760

        http://bugzilla.mozilla.org/show_bug.cgi?id=250906

        Spoofing issues:

        * "Mozilla does not properly prevent a frame in one domain
        from injecting content into a frame that belongs to another
        domain, which facilitates web site spoofing and other attacks,
        aka the frame injection vulnerability."  CAN-2004-0718

        http://bugzilla.mozilla.org/show_bug.cgi?id=246448
        http://secunia.com/advisories/11978

       * Tolga Tarhan reported a flaw that can allow a malicious web
        page to use a redirect sequence to spoof the security lock
        icon that makes a web page appear to be encrypted."
        CAN-2004-0761

        http://bugzilla.mozilla.org/show_bug.cgi?id=240053

        * "Jesse Ruderman reported a security issue that affects a
        number of browsers including Mozilla that could allow
        malicious websites to install arbitrary extensions by using
        interactive events to manipulate the XPInstall Security dialog
        box." CAN-2004-0762

        http://bugzilla.mozilla.org/show_bug.cgi?id=162020
        http://secunia.com/advisories/11999/

        * "Emmanouel Kellinis discovered a caching flaw in Mozilla
        which allows malicious web sites to spoof certificates of
        trusted web sites via redirects and Javascript that uses the
        "onunload" method." CAN-2004-0763

        http://marc.theaimsgroup.com/?l=bugtraq&m=109087067730938&w=2
        http://bugzilla.mozilla.org/show_bug.cgi?id=253121
        http://secunia.com/advisories/12160/

        * "Mozilla allowed malicious websites to hijack the user
        interface via the "chrome" flag and XML User Interface
        Language (XUL) files."  CAN-2004-0764

        http://bugzilla.mozilla.org/show_bug.cgi?id=244965
        http://secunia.com/advisories/12188/

        * "The cert_TestHostName function in Mozilla only checks the
        hostname portion of a certificate when the hostname portion of
        the URI is not a fully qualified domain name (FQDN).  This
        flaw could be used for spoofing if an attacker had control of
        machines on a default DNS search path." CAN-2004-0765

        http://bugzilla.mozilla.org/show_bug.cgi?id=234058

Comment 1 Mark J. Cox 2004-08-04 11:55:52 UTC

Aug 04 1200UTC - removing embargo

Comment 2 Mark J. Cox 2004-08-04 21:49:26 UTC

An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-421.html

Note You need to log in before you can comment on or make changes to this bug.