Description of problem: A release 1.7.8 of mozilla fixes three (published and well known by now) security problems. MFSA 2005-44 Privilege escalation via non-DOM property overrides MFSA 2005-43 "Wrapped" javascript: urls bypass security checks MFSA 2005-42 Code execution via javascript: IconURL Two of these are marked at http://www.mozilla.org/projects/security/known-vulnerabilities.html as critical and the third high (all three are "critical" for firefox). ftp://ftp.harddata.com/pub/Legacy_srpms/mozilla-1.7.8-0.73.0.legacy.src.rpm is a source rpm for RHL7.3. A spec file for this is is really a "merge" of a spec from mozilla-1.7.8-1.3.1.src.rpm (FC3 updates) and a spec from mozilla-1.7.7-0.73.2.legacy.src.rpm. Something similar can be done for other Legacy releses. Galeon, and other browsers using mozilla engine, has to be recompiled as well but this is straightforward. Sample spec modifications for RHL7.3 are attached. Version-Release number of selected component (if applicable): mozilla-1.7.7 releases.
Created attachment 114551 [details] sample modifications of a spec file to recompile galeon with mozilla-1.7.8 Galeon recompiled with such spec, and obviously mozilla-1.7.8 engine, is used to create this report and attachment.
Note. In mozilla-1.7.8-1.3.1.src.rpm a check for JVM version was simply removed in /usr/bin/mozilla (which is a shell script created from mozilla.sh.in in sources). This check indeed does not make sense in more recent distributions as such old versions of JVM which can trigger some action from this check simply cannot be used there and check itself is not really correctly coded. Maybe with RHL7.3 such old version of JVM could be possibly used, although it really should not be regardless, so this check may have its place and even as it is written is not causing troubles. Something to think about. In a sample mozilla-1.7.7-0.73.2.legacy.src.rpm a skeleton script 'mozilla.sh.in' is inherited from mozilla-1.7.8-1.3.1.src.rpm and not from 1.7.7 sources.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated rh7.3 mozilla and galeon packages to QA: * Mon May 23 2005 Marc Deslauriers <marcdeslauriers> 37:1.7.8-0.73.1.legacy - - Rebuild as a Fedora Legacy update for Red Hat Linux 7.3 - - Added missing freetype-devel BuildRequires - - Fix missing icons in desktop files a5f7caabcb811d3ed9c0bef0368a31d7ba81df1c galeon-1.2.14-0.73.3.legacy.i386.rpm 9b81e5327cbad782b60504f1324e6b2436f5b2ab galeon-1.2.14-0.73.3.legacy.src.rpm 7f1bc65d10a46148711d79a63913c87639fb88fc mozilla-1.7.8-0.73.1.legacy.i386.rpm f7985fa3caf34c8ea75ebcb86fcc463346924c6d mozilla-1.7.8-0.73.1.legacy.src.rpm 88e28cbea39cc2ce902d29690dcf92dc04ef19fb mozilla-chat-1.7.8-0.73.1.legacy.i386.rpm 6ff42bded9eade65f546467b83dbf5efeb883eba mozilla-devel-1.7.8-0.73.1.legacy.i386.rpm 0e3a3e83205d6232b58c5459785445cf7b7a3b53 mozilla-dom-inspector-1.7.8-0.73.1.legacy.i386.rpm a96e24b9a8f9c6dbeb2df82f60e721f7634bb2ea mozilla-js-debugger-1.7.8-0.73.1.legacy.i386.rpm 49210647e7029a23bb596fb956feaa33907c3503 mozilla-mail-1.7.8-0.73.1.legacy.i386.rpm 0fb7692c5aed35434d76a6b69aeaaf1e05795aeb mozilla-nspr-1.7.8-0.73.1.legacy.i386.rpm 82961d7b19dd28e3e3184b9de070667ece5d5545 mozilla-nspr-devel-1.7.8-0.73.1.legacy.i386.rpm 021c4c74c7e500799a82d8da9edbc1463247392a mozilla-nss-1.7.8-0.73.1.legacy.i386.rpm c849a0102d89c613adbcd86bdb514ea9f38e07c5 mozilla-nss-devel-1.7.8-0.73.1.legacy.i386.rpm Source: http://www.infostrategique.com/linuxrpms/legacy/7.3/galeon-1.2.14-0.73.3.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.7.8-0.73.1.legacy.src.rpm Binaries: http://www.infostrategique.com/linuxrpms/legacy/7.3/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCkjtMLMAs/0C4zNoRArQmAJ9uSM5vPCDOB4RccZDaHqpvQeF0GwCeL09H Uco5ymXkIZ1BKha+S7VWQx4= =T/re -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated rh9 mozilla and galeon packages to QA: * Mon May 23 2005 Marc Deslauriers <marcdeslauriers> 37:1.7.8-0.90.1.legacy - - Rebuilt as a Fedora Legacy update for Red Hat Linux 9 - - Disabled desktop-file-utils - - Disabled gtk2 - - Added missing BuildRequires - - Force build with gcc296 to remain compatible with plugins - - Added xft font preferences and patch back in - - Removed mozilla-compose.desktop 74b84ca814872219997238ab1064a4c260a9241f mozilla-1.7.8-0.90.1.legacy.i386.rpm 05e70fb0e6f31d707d38f46b3bdfca32aa531a7e mozilla-1.7.8-0.90.1.legacy.src.rpm d19011b0c6f8695ba54e8c4103cea802d51fef5d mozilla-chat-1.7.8-0.90.1.legacy.i386.rpm 78fd939f19a2c1959f8c51eb38ca8d96d05c2c7a mozilla-devel-1.7.8-0.90.1.legacy.i386.rpm e19796d368bbbe83aa2fe5633d1320e65d4dafb9 mozilla-dom-inspector-1.7.8-0.90.1.legacy.i386.rpm 5d6f5fe645e6bb88eed8245a0f26140df8563626 mozilla-js-debugger-1.7.8-0.90.1.legacy.i386.rpm 11d3531c4dc1eb8aeaac3d958e3b87ff99eaa9b4 mozilla-mail-1.7.8-0.90.1.legacy.i386.rpm 8579c9a4541fc7c873d1ca250e7ab7d407b299a7 mozilla-nspr-1.7.8-0.90.1.legacy.i386.rpm 48b07f732bfc2392f24a775a4638649c9ba065c1 mozilla-nspr-devel-1.7.8-0.90.1.legacy.i386.rpm b785cdf37bb7d7c162c80ccb4c4fa5ba48b2f640 mozilla-nss-1.7.8-0.90.1.legacy.i386.rpm 6710b1e347d8c5c799eac40e01512a5cccb6be9e mozilla-nss-devel-1.7.8-0.90.1.legacy.i386.rpm 104cef5bf4b755e40fede1c7c884129980172a9c galeon-1.2.14-0.90.3.legacy.i386.rpm d7756af8076b3dd957d9ff6bd9d61b3340128f11 galeon-1.2.14-0.90.3.legacy.src.rpm Source: http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.7.8-0.90.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/9/galeon-1.2.14-0.90.3.legacy.src.rpm Binaries: http://www.infostrategique.com/linuxrpms/legacy/9/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCkogqLMAs/0C4zNoRAldeAKCUuZkbJcc+lTzGjP6jTx8sWqYW4ACgsEIK M/wXUJY9qA0yVQ2VHf/C5Ag= =dg9d -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated fc1 mozilla and epiphany packages to QA: * Mon May 23 2005 Marc Deslauriers <marcdeslauriers> 37:1.7.8-1.1.1.legacy - - Rebuilt as Fedora Legacy update for Fedora Core 1 - - Changed useragent vendor tag to Fedora - - Removed Network category from mozilla.desktop - - Added missing gnome-vfs2-devel and desktop-file-utils to BuildRequires b65d512536e34b6d509dac6538fad35ca5e8c00a mozilla-1.7.8-1.1.1.legacy.i386.rpm d553a473ae05fa4d60f8b85ed3244370edabadad mozilla-1.7.8-1.1.1.legacy.src.rpm 128f8d1bb20b3147fd9661d6870f16d2950f1138 mozilla-chat-1.7.8-1.1.1.legacy.i386.rpm 16d1e39862418b6e31a813e03c4641b606890aa8 mozilla-devel-1.7.8-1.1.1.legacy.i386.rpm 76dcd1d7752d320e125f1b3ca99b16d3c1b86140 mozilla-dom-inspector-1.7.8-1.1.1.legacy.i386.rpm d53696136f131c5ee783e5c4c304dc5b34a76030 mozilla-js-debugger-1.7.8-1.1.1.legacy.i386.rpm cc5fa86b1f2796ef98115db8eded557fea0f5ba6 mozilla-mail-1.7.8-1.1.1.legacy.i386.rpm d46a9f47d8327d675f9f0d8cdfdddc83bc17d06a mozilla-nspr-1.7.8-1.1.1.legacy.i386.rpm 3f1c1c92ac1d1327b2baa6d26a688f0fc2af6b14 mozilla-nspr-devel-1.7.8-1.1.1.legacy.i386.rpm 8b7df9ee281eed291408aaaaf9c33f6876a01c85 mozilla-nss-1.7.8-1.1.1.legacy.i386.rpm 7da1e2485c378a4bfec12e34a57c2ae335e1e56e mozilla-nss-devel-1.7.8-1.1.1.legacy.i386.rpm 6e457a70ff75c5abce466442777d178bbbd61997 epiphany-1.0.8-1.fc1.3.legacy.i386.rpm bf2460ac1c0e4fc1aa85985c0d1ff7e73e62160a epiphany-1.0.8-1.fc1.3.legacy.src.rpm Source: http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.7.8-1.1.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/1/epiphany-1.0.8-1.fc1.3.legacy.src.rpm Binaries: http://www.infostrategique.com/linuxrpms/legacy/1/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCk9/pLMAs/0C4zNoRAg42AJ0X0q8Dmqd+q+rR1SJ0P7V3KqgZbACgmVOl m6DJjlc9dfzgwH0Kvi6ICzI= =6WiR -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated fc2 mozilla, devhelp and epiphany packages to QA: * Mon May 23 2005 Marc Deslauriers <marcdeslauriers> 37:1.7.8-1.2.1.legacy - - Rebuilt as a Fedora Legacy update to Fedora Core 2 - - Reverted to desktop-file-utils 0.4 - - Removed desktop-update-database - - Disabled pango support - - Added missing gnome-vfs2-devel, desktop-file-utils and krb5-devel BuildPrereq c0517bdd037b1262dd391af7b2ae232021bed8d2 mozilla-1.7.8-1.2.1.legacy.i386.rpm 631da60e975ba35af602c23800a05e231eddd2e0 mozilla-1.7.8-1.2.1.legacy.src.rpm 290cc266eb8ec4116500946bcdced8c7029416eb mozilla-chat-1.7.8-1.2.1.legacy.i386.rpm 2fa3110db4fccd6cdcd15bd97de073490d7fa860 mozilla-devel-1.7.8-1.2.1.legacy.i386.rpm 448ee03e15130e5000c6dd69e07aeedd72f526ca mozilla-dom-inspector-1.7.8-1.2.1.legacy.i386.rpm 23472c48251eb678a9834e54aa54695f6adc1b21 mozilla-js-debugger-1.7.8-1.2.1.legacy.i386.rpm ba31a2e7facaf6366d48f40bd63034d0035d5dab mozilla-mail-1.7.8-1.2.1.legacy.i386.rpm 263007a8857fa76a6bfc9e43613f59bc11df76df mozilla-nspr-1.7.8-1.2.1.legacy.i386.rpm 8865a7cf7843865a6b7541b455d00022dfd5c899 mozilla-nspr-devel-1.7.8-1.2.1.legacy.i386.rpm 2b400fa97e3a714dc00e5db1e7a1a9c5e3543bd5 mozilla-nss-1.7.8-1.2.1.legacy.i386.rpm 998608c2c18fc987741d822a18ff5873c0d97a80 mozilla-nss-devel-1.7.8-1.2.1.legacy.i386.rpm 9f681c2e5492a6c258c411ebdd0ba2a6e8080aee devhelp-0.9.1-0.2.7.legacy.i386.rpm 6260b9bb72b70b7e3ca968e6f224f656218eb110 devhelp-0.9.1-0.2.7.legacy.src.rpm 3d9031ed5e1b657773a060ac3619ab2f4d0ab561 devhelp-devel-0.9.1-0.2.7.legacy.i386.rpm 48ef88c932e3093af64d87ce419641831f123572 epiphany-1.2.10-0.2.4.legacy.i386.rpm ebf6bb65ddf8c6751ad825d730d185e0b59a55e1 epiphany-1.2.10-0.2.4.legacy.src.rpm Source: http://www.infostrategique.com/linuxrpms/legacy/2/mozilla-1.7.8-1.2.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/2/devhelp-0.9.1-0.2.7.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/2/epiphany-1.2.10-0.2.4.legacy.src.rpm Binaries: http://www.infostrategique.com/linuxrpms/legacy/2/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCk+I4LMAs/0C4zNoRAicNAKC7zOM+82MlE7XlSXH6Tzqde3KIhQCeMPBG rIGOBFj4f3R8gEqBL6e1azo= =YYCb -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity OK - patches look good - spec file changes minimal (though a bit extensive for FC2). One note: in FC2, mozilla.sh.in removes explicit enabling of pango due to "it's already supported by default"; however, in the spec, pango is not enabled (though in Fedora CVS it is). This should be OK as FC2 didn't enable pango at compile time. +PUBLISH RHL73,RHL9,FC1,FC2 f7985fa3caf34c8ea75ebcb86fcc463346924c6d mozilla-1.7.8-0.73.1.legacy.src.rpm 7bbb23c65376255265e86f02fae0fece99247d48 mozilla-1.7.8-0.90.1.legacy.src.rpm d553a473ae05fa4d60f8b85ed3244370edabadad mozilla-1.7.8-1.1.1.legacy.src.rpm 631da60e975ba35af602c23800a05e231eddd2e0 mozilla-1.7.8-1.2.1.legacy.src.rpm 6260b9bb72b70b7e3ca968e6f224f656218eb110 devhelp-0.9.1-0.2.7.legacy.src.rpm 9b81e5327cbad782b60504f1324e6b2436f5b2ab galeon-1.2.14-0.73.3.legacy.src.rpm d7756af8076b3dd957d9ff6bd9d61b3340128f11 galeon-1.2.14-0.90.3.legacy.src.rpm bf2460ac1c0e4fc1aa85985c0d1ff7e73e62160a epiphany-1.0.8-1.fc1.3.legacy.src.rpm ebf6bb65ddf8c6751ad825d730d185e0b59a55e1 epiphany-1.2.10-0.2.4.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFClBiUGHbTkzxSL7QRAu8RAJ9aVjBlS1lPxa0I6HmlyGZraIWsNQCfVp45 r7JopKIqPLvDemexhdSCkUM= =lH1W -----END PGP SIGNATURE-----
Packages were pushed to updates-testing.
(4) MODERATE: Mozilla Browsers Frame Injection Vulnerability Affected: Firefox version 1.0.4 Mozilla version 1.7.8 Description: An old vulnerability has been rediscovered in the Mozilla and Firefox browsers. This vulnerability permits a malicious website to inject a "frame" into the browser window of another website. For example, the content from http://www.malicious.com can be loaded into another window displaying the content from http://www.mybank.com. The flaw can be exploited by a malicious webpage to spoof its identity as a trusted site. This may lead to stealing sensitive user information such as passwords, or further compromise of the user system. Proof-of-concept browser test tools have been publicly posted. Status: Mozilla has not confirmed, no patches available. References: Secunia Advisory http://secunia.com/advisories/15601/
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tested mozilla RPMs for RHL9 and RHL73; basic web browsing functionality only. Seemed to work OK; +VERIFY RHL9, RHL73 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFCwmF3GHbTkzxSL7QRAnWxAKCqlzVE7VVJai+QqmXpqGo/y8xH2gCgpvrB S4qX4/UowguFjoYSnbdknWA= =7hGP -----END PGP SIGNATURE-----
Timeout over.
Packages were released to updates.