Bug 158149 - mozilla - privilege escalation and javascript problems - MFSA 2005-42, MFSA 2005-43, MFSA 2005-44
mozilla - privilege escalation and javascript problems - MFSA 2005-42, MFSA...
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: mozilla (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Marc Deslauriers
LEGACY, rh73, rh90, 1, 2
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-05-19 01:41 EDT by Michal Jaegermann
Modified: 2007-04-18 13:25 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-15 22:07:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
sample modifications of a spec file to recompile galeon with mozilla-1.7.8 (802 bytes, patch)
2005-05-19 01:44 EDT, Michal Jaegermann
no flags Details | Diff

  None (edit)
Description Michal Jaegermann 2005-05-19 01:41:06 EDT
Description of problem:
A release 1.7.8 of mozilla fixes three (published and well known
by now) security problems.

MFSA 2005-44  Privilege escalation via non-DOM property overrides
MFSA 2005-43  "Wrapped" javascript: urls bypass security checks
MFSA 2005-42  Code execution via javascript: IconURL

Two of these are marked at
http://www.mozilla.org/projects/security/known-vulnerabilities.html
as critical and the third high (all three are "critical" for firefox).

ftp://ftp.harddata.com/pub/Legacy_srpms/mozilla-1.7.8-0.73.0.legacy.src.rpm

is a source rpm for RHL7.3.  A spec file for this is is really a "merge"
of a spec from mozilla-1.7.8-1.3.1.src.rpm (FC3 updates) and a spec from
mozilla-1.7.7-0.73.2.legacy.src.rpm.  Something similar can be done for
other Legacy releses.

Galeon, and other browsers using mozilla engine, has to be recompiled as well
but this is straightforward.  Sample spec modifications for RHL7.3 are
attached.

Version-Release number of selected component (if applicable):
mozilla-1.7.7 releases.
Comment 1 Michal Jaegermann 2005-05-19 01:44:10 EDT
Created attachment 114551 [details]
sample modifications of a spec file to recompile galeon with mozilla-1.7.8

Galeon recompiled with such spec, and obviously mozilla-1.7.8 engine, is used
to create this report and attachment.
Comment 2 Michal Jaegermann 2005-05-19 02:00:46 EDT
Note. In mozilla-1.7.8-1.3.1.src.rpm a check for JVM version was simply removed
in /usr/bin/mozilla (which is a shell script created from mozilla.sh.in in
sources).  This check indeed does not make sense in more recent distributions
as such old versions of JVM which can trigger some action from this check simply
cannot be used there and check itself is not really correctly coded.

Maybe with RHL7.3 such old version of JVM could be possibly used, although it
really should not be regardless, so this check may have its place and even as it
is written is not causing troubles.  Something to think about. In a sample
mozilla-1.7.7-0.73.2.legacy.src.rpm a skeleton script 'mozilla.sh.in' is
inherited from mozilla-1.7.8-1.3.1.src.rpm and not from 1.7.7 sources.
Comment 3 Marc Deslauriers 2005-05-23 16:23:45 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated rh7.3 mozilla and galeon packages to QA:

* Mon May 23 2005 Marc Deslauriers <marcdeslauriers@videotron.ca>
37:1.7.8-0.73.1.legacy
- - Rebuild as a Fedora Legacy update for Red Hat Linux 7.3
- - Added missing freetype-devel BuildRequires
- - Fix missing icons in desktop files

a5f7caabcb811d3ed9c0bef0368a31d7ba81df1c  galeon-1.2.14-0.73.3.legacy.i386.rpm
9b81e5327cbad782b60504f1324e6b2436f5b2ab  galeon-1.2.14-0.73.3.legacy.src.rpm
7f1bc65d10a46148711d79a63913c87639fb88fc  mozilla-1.7.8-0.73.1.legacy.i386.rpm
f7985fa3caf34c8ea75ebcb86fcc463346924c6d  mozilla-1.7.8-0.73.1.legacy.src.rpm
88e28cbea39cc2ce902d29690dcf92dc04ef19fb  mozilla-chat-1.7.8-0.73.1.legacy.i386.rpm
6ff42bded9eade65f546467b83dbf5efeb883eba  mozilla-devel-1.7.8-0.73.1.legacy.i386.rpm
0e3a3e83205d6232b58c5459785445cf7b7a3b53 
mozilla-dom-inspector-1.7.8-0.73.1.legacy.i386.rpm
a96e24b9a8f9c6dbeb2df82f60e721f7634bb2ea 
mozilla-js-debugger-1.7.8-0.73.1.legacy.i386.rpm
49210647e7029a23bb596fb956feaa33907c3503  mozilla-mail-1.7.8-0.73.1.legacy.i386.rpm
0fb7692c5aed35434d76a6b69aeaaf1e05795aeb  mozilla-nspr-1.7.8-0.73.1.legacy.i386.rpm
82961d7b19dd28e3e3184b9de070667ece5d5545 
mozilla-nspr-devel-1.7.8-0.73.1.legacy.i386.rpm
021c4c74c7e500799a82d8da9edbc1463247392a  mozilla-nss-1.7.8-0.73.1.legacy.i386.rpm
c849a0102d89c613adbcd86bdb514ea9f38e07c5 
mozilla-nss-devel-1.7.8-0.73.1.legacy.i386.rpm

Source:
http://www.infostrategique.com/linuxrpms/legacy/7.3/galeon-1.2.14-0.73.3.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.7.8-0.73.1.legacy.src.rpm

Binaries:
http://www.infostrategique.com/linuxrpms/legacy/7.3/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCkjtMLMAs/0C4zNoRArQmAJ9uSM5vPCDOB4RccZDaHqpvQeF0GwCeL09H
Uco5ymXkIZ1BKha+S7VWQx4=
=T/re
-----END PGP SIGNATURE-----
Comment 4 Marc Deslauriers 2005-05-23 21:49:23 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated rh9 mozilla and galeon packages to QA:

* Mon May 23 2005 Marc Deslauriers <marcdeslauriers@videotron.ca>
37:1.7.8-0.90.1.legacy
- - Rebuilt as a Fedora Legacy update for Red Hat Linux 9
- - Disabled desktop-file-utils
- - Disabled gtk2
- - Added missing BuildRequires
- - Force build with gcc296 to remain compatible with plugins
- - Added xft font preferences and patch back in
- - Removed mozilla-compose.desktop

74b84ca814872219997238ab1064a4c260a9241f  mozilla-1.7.8-0.90.1.legacy.i386.rpm
05e70fb0e6f31d707d38f46b3bdfca32aa531a7e  mozilla-1.7.8-0.90.1.legacy.src.rpm
d19011b0c6f8695ba54e8c4103cea802d51fef5d  mozilla-chat-1.7.8-0.90.1.legacy.i386.rpm
78fd939f19a2c1959f8c51eb38ca8d96d05c2c7a  mozilla-devel-1.7.8-0.90.1.legacy.i386.rpm
e19796d368bbbe83aa2fe5633d1320e65d4dafb9 
mozilla-dom-inspector-1.7.8-0.90.1.legacy.i386.rpm
5d6f5fe645e6bb88eed8245a0f26140df8563626 
mozilla-js-debugger-1.7.8-0.90.1.legacy.i386.rpm
11d3531c4dc1eb8aeaac3d958e3b87ff99eaa9b4  mozilla-mail-1.7.8-0.90.1.legacy.i386.rpm
8579c9a4541fc7c873d1ca250e7ab7d407b299a7  mozilla-nspr-1.7.8-0.90.1.legacy.i386.rpm
48b07f732bfc2392f24a775a4638649c9ba065c1 
mozilla-nspr-devel-1.7.8-0.90.1.legacy.i386.rpm
b785cdf37bb7d7c162c80ccb4c4fa5ba48b2f640  mozilla-nss-1.7.8-0.90.1.legacy.i386.rpm
6710b1e347d8c5c799eac40e01512a5cccb6be9e 
mozilla-nss-devel-1.7.8-0.90.1.legacy.i386.rpm
104cef5bf4b755e40fede1c7c884129980172a9c  galeon-1.2.14-0.90.3.legacy.i386.rpm
d7756af8076b3dd957d9ff6bd9d61b3340128f11  galeon-1.2.14-0.90.3.legacy.src.rpm


Source:
http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.7.8-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/galeon-1.2.14-0.90.3.legacy.src.rpm

Binaries:
http://www.infostrategique.com/linuxrpms/legacy/9/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCkogqLMAs/0C4zNoRAldeAKCUuZkbJcc+lTzGjP6jTx8sWqYW4ACgsEIK
M/wXUJY9qA0yVQ2VHf/C5Ag=
=dg9d
-----END PGP SIGNATURE-----
Comment 5 Marc Deslauriers 2005-05-24 22:17:09 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated fc1 mozilla and epiphany packages to QA:

* Mon May 23 2005 Marc Deslauriers <marcdeslauriers@videotron.ca>
37:1.7.8-1.1.1.legacy
- - Rebuilt as Fedora Legacy update for Fedora Core 1
- - Changed useragent vendor tag to Fedora
- - Removed Network category from mozilla.desktop
- - Added missing gnome-vfs2-devel and desktop-file-utils to BuildRequires

b65d512536e34b6d509dac6538fad35ca5e8c00a  mozilla-1.7.8-1.1.1.legacy.i386.rpm
d553a473ae05fa4d60f8b85ed3244370edabadad  mozilla-1.7.8-1.1.1.legacy.src.rpm
128f8d1bb20b3147fd9661d6870f16d2950f1138  mozilla-chat-1.7.8-1.1.1.legacy.i386.rpm
16d1e39862418b6e31a813e03c4641b606890aa8  mozilla-devel-1.7.8-1.1.1.legacy.i386.rpm
76dcd1d7752d320e125f1b3ca99b16d3c1b86140 
mozilla-dom-inspector-1.7.8-1.1.1.legacy.i386.rpm
d53696136f131c5ee783e5c4c304dc5b34a76030 
mozilla-js-debugger-1.7.8-1.1.1.legacy.i386.rpm
cc5fa86b1f2796ef98115db8eded557fea0f5ba6  mozilla-mail-1.7.8-1.1.1.legacy.i386.rpm
d46a9f47d8327d675f9f0d8cdfdddc83bc17d06a  mozilla-nspr-1.7.8-1.1.1.legacy.i386.rpm
3f1c1c92ac1d1327b2baa6d26a688f0fc2af6b14 
mozilla-nspr-devel-1.7.8-1.1.1.legacy.i386.rpm
8b7df9ee281eed291408aaaaf9c33f6876a01c85  mozilla-nss-1.7.8-1.1.1.legacy.i386.rpm
7da1e2485c378a4bfec12e34a57c2ae335e1e56e 
mozilla-nss-devel-1.7.8-1.1.1.legacy.i386.rpm
6e457a70ff75c5abce466442777d178bbbd61997  epiphany-1.0.8-1.fc1.3.legacy.i386.rpm
bf2460ac1c0e4fc1aa85985c0d1ff7e73e62160a  epiphany-1.0.8-1.fc1.3.legacy.src.rpm


Source:
http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.7.8-1.1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/epiphany-1.0.8-1.fc1.3.legacy.src.rpm

Binaries:
http://www.infostrategique.com/linuxrpms/legacy/1/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCk9/pLMAs/0C4zNoRAg42AJ0X0q8Dmqd+q+rR1SJ0P7V3KqgZbACgmVOl
m6DJjlc9dfzgwH0Kvi6ICzI=
=6WiR
-----END PGP SIGNATURE-----
Comment 6 Marc Deslauriers 2005-05-24 22:26:05 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated fc2 mozilla, devhelp and epiphany packages to QA:

* Mon May 23 2005 Marc Deslauriers <marcdeslauriers@videotron.ca>
37:1.7.8-1.2.1.legacy
- - Rebuilt as a Fedora Legacy update to Fedora Core 2
- - Reverted to desktop-file-utils 0.4
- - Removed desktop-update-database
- - Disabled pango support
- - Added missing gnome-vfs2-devel, desktop-file-utils and krb5-devel BuildPrereq

c0517bdd037b1262dd391af7b2ae232021bed8d2  mozilla-1.7.8-1.2.1.legacy.i386.rpm
631da60e975ba35af602c23800a05e231eddd2e0  mozilla-1.7.8-1.2.1.legacy.src.rpm
290cc266eb8ec4116500946bcdced8c7029416eb  mozilla-chat-1.7.8-1.2.1.legacy.i386.rpm
2fa3110db4fccd6cdcd15bd97de073490d7fa860  mozilla-devel-1.7.8-1.2.1.legacy.i386.rpm
448ee03e15130e5000c6dd69e07aeedd72f526ca 
mozilla-dom-inspector-1.7.8-1.2.1.legacy.i386.rpm
23472c48251eb678a9834e54aa54695f6adc1b21 
mozilla-js-debugger-1.7.8-1.2.1.legacy.i386.rpm
ba31a2e7facaf6366d48f40bd63034d0035d5dab  mozilla-mail-1.7.8-1.2.1.legacy.i386.rpm
263007a8857fa76a6bfc9e43613f59bc11df76df  mozilla-nspr-1.7.8-1.2.1.legacy.i386.rpm
8865a7cf7843865a6b7541b455d00022dfd5c899 
mozilla-nspr-devel-1.7.8-1.2.1.legacy.i386.rpm
2b400fa97e3a714dc00e5db1e7a1a9c5e3543bd5  mozilla-nss-1.7.8-1.2.1.legacy.i386.rpm
998608c2c18fc987741d822a18ff5873c0d97a80 
mozilla-nss-devel-1.7.8-1.2.1.legacy.i386.rpm
9f681c2e5492a6c258c411ebdd0ba2a6e8080aee  devhelp-0.9.1-0.2.7.legacy.i386.rpm
6260b9bb72b70b7e3ca968e6f224f656218eb110  devhelp-0.9.1-0.2.7.legacy.src.rpm
3d9031ed5e1b657773a060ac3619ab2f4d0ab561  devhelp-devel-0.9.1-0.2.7.legacy.i386.rpm
48ef88c932e3093af64d87ce419641831f123572  epiphany-1.2.10-0.2.4.legacy.i386.rpm
ebf6bb65ddf8c6751ad825d730d185e0b59a55e1  epiphany-1.2.10-0.2.4.legacy.src.rpm


Source:
http://www.infostrategique.com/linuxrpms/legacy/2/mozilla-1.7.8-1.2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/devhelp-0.9.1-0.2.7.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/epiphany-1.2.10-0.2.4.legacy.src.rpm

Binaries:
http://www.infostrategique.com/linuxrpms/legacy/2/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCk+I4LMAs/0C4zNoRAicNAKC7zOM+82MlE7XlSXH6Tzqde3KIhQCeMPBG
rIGOBFj4f3R8gEqBL6e1azo=
=YYCb
-----END PGP SIGNATURE-----
Comment 7 Pekka Savola 2005-05-25 02:19:47 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
                                                                               
          
QA w/ rpm-build-compare.sh:
 - source integrity OK
 - patches look good
 - spec file changes minimal (though a bit extensive for FC2).
                                                                               
          
One note: in FC2, mozilla.sh.in removes explicit enabling of pango due to "it's
already supported by default"; however, in the spec, pango is not enabled
(though in Fedora CVS it is).  This should be OK as FC2 didn't enable pango
at compile time.
                                                                               
          
+PUBLISH RHL73,RHL9,FC1,FC2
                                                                               
          
f7985fa3caf34c8ea75ebcb86fcc463346924c6d  mozilla-1.7.8-0.73.1.legacy.src.rpm
7bbb23c65376255265e86f02fae0fece99247d48  mozilla-1.7.8-0.90.1.legacy.src.rpm
d553a473ae05fa4d60f8b85ed3244370edabadad  mozilla-1.7.8-1.1.1.legacy.src.rpm
631da60e975ba35af602c23800a05e231eddd2e0  mozilla-1.7.8-1.2.1.legacy.src.rpm
6260b9bb72b70b7e3ca968e6f224f656218eb110  devhelp-0.9.1-0.2.7.legacy.src.rpm
9b81e5327cbad782b60504f1324e6b2436f5b2ab  galeon-1.2.14-0.73.3.legacy.src.rpm
d7756af8076b3dd957d9ff6bd9d61b3340128f11  galeon-1.2.14-0.90.3.legacy.src.rpm
bf2460ac1c0e4fc1aa85985c0d1ff7e73e62160a  epiphany-1.0.8-1.fc1.3.legacy.src.rpm
ebf6bb65ddf8c6751ad825d730d185e0b59a55e1  epiphany-1.2.10-0.2.4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFClBiUGHbTkzxSL7QRAu8RAJ9aVjBlS1lPxa0I6HmlyGZraIWsNQCfVp45
r7JopKIqPLvDemexhdSCkUM=
=lH1W
-----END PGP SIGNATURE-----
Comment 8 Marc Deslauriers 2005-06-04 15:44:48 EDT
Packages were pushed to updates-testing.
Comment 9 John Dalbec 2005-06-10 10:22:23 EDT
(4) MODERATE: Mozilla Browsers Frame Injection Vulnerability
Affected:
Firefox version 1.0.4
Mozilla version 1.7.8

Description: An old vulnerability has been rediscovered in the Mozilla
and Firefox browsers. This vulnerability permits a malicious website to
inject a "frame" into the browser window of another website. For
example, the content from http://www.malicious.com can be loaded into
another window displaying the content from http://www.mybank.com. The
flaw can be exploited by a malicious webpage to spoof its identity as a
trusted site. This may lead to stealing sensitive user information such
as passwords, or further compromise of the user system. Proof-of-concept
browser test tools have been publicly posted.

Status: Mozilla has not confirmed, no patches available.

References:
Secunia Advisory
http://secunia.com/advisories/15601/ 

Comment 10 Pekka Savola 2005-06-29 04:54:09 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Tested mozilla RPMs for RHL9 and RHL73; basic web browsing functionality
only.  Seemed to work OK; +VERIFY RHL9, RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFCwmF3GHbTkzxSL7QRAnWxAKCqlzVE7VVJai+QqmXpqGo/y8xH2gCgpvrB
S4qX4/UowguFjoYSnbdknWA=
=7hGP
-----END PGP SIGNATURE-----
Comment 11 Pekka Savola 2005-07-14 03:08:51 EDT
Timeout over.
Comment 12 Marc Deslauriers 2005-07-15 22:07:41 EDT
Packages were released to updates.

Note You need to log in before you can comment on or make changes to this bug.