In addition to bugs 127338 and 127186, the following security issues were also fixed in Mozilla 1.4.3 (most of these had been previously fixed in 1.7.*) * "During a source code audit, Chris Evans discovered a buffer overflow which affects the libpng code inside Mozilla. An attacker could create a carefully crafted PNG file in such a way that it would cause Mozilla to crash or execute arbitrary code when the image was viewed." CAN-2004-0597 CAN-2004-0599 * Zen Parse reported improper input validation to the SOAPParameter object constructor leading to an integer overflow and controllable heap corruption. Malicious JavaScript could be written to utilise this flaw and could allow arbitrary code execution. CAN-2004-0722 http://bugzilla.mozilla.org/show_bug.cgi?id=236618 * "Zen Parse reported a flaw in the POP3 capability. A malicious pop3 server could send a carefully crafted response that would cause a heap overflow and potentially allow execution of arbitrary code as the user running Mozilla." CAN-2004-0757 http://bugzilla.mozilla.org/show_bug.cgi?id=229374 * "Marcel Boesch found a flaw that allows a CA certificate to be imported with a DN the same as that of the built-in CA root certificates, which can cause a denial of service to SSL pages because the malicious certificate is treated as invalid." CAN-2004-0758 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127186 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257559 http://bugzilla.mozilla.org/show_bug.cgi?id=249004 * "Met - Martin Hassman reported a flaw in Mozilla that could allow malicious Javascript code to upload local files from a users machine without requiring confirmation." CAN-2004-0759 http://bugzilla.mozilla.org/show_bug.cgi?id=241924 * "Mindlock Security reported a flaw in ftp URI handling. By using a NULL character (%00) in a ftp URI, Mozilla can be confused into opening a resource as a different MIME type" CAN-2004-0760 http://bugzilla.mozilla.org/show_bug.cgi?id=250906 Spoofing issues: * "Mozilla does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability." CAN-2004-0718 http://bugzilla.mozilla.org/show_bug.cgi?id=246448 http://secunia.com/advisories/11978 * Tolga Tarhan reported a flaw that can allow a malicious web page to use a redirect sequence to spoof the security lock icon that makes a web page appear to be encrypted." CAN-2004-0761 http://bugzilla.mozilla.org/show_bug.cgi?id=240053 * "Jesse Ruderman reported a security issue that affects a number of browsers including Mozilla that could allow malicious websites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box." CAN-2004-0762 http://bugzilla.mozilla.org/show_bug.cgi?id=162020 http://secunia.com/advisories/11999/ * "Emmanouel Kellinis discovered a caching flaw in Mozilla which allows malicious web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method." CAN-2004-0763 http://marc.theaimsgroup.com/?l=bugtraq&m=109087067730938&w=2 http://bugzilla.mozilla.org/show_bug.cgi?id=253121 http://secunia.com/advisories/12160/ * "Mozilla allowed malicious websites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files." CAN-2004-0764 http://bugzilla.mozilla.org/show_bug.cgi?id=244965 http://secunia.com/advisories/12188/ * "The cert_TestHostName function in Mozilla only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN). This flaw could be used for spoofing if an attacker had control of machines on a default DNS search path." CAN-2004-0765 http://bugzilla.mozilla.org/show_bug.cgi?id=234058
Aug 04 1200UTC - removing embargo
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2004-421.html