Bug 160202 - Mozilla Browsers Frame Injection Vulnerability
Mozilla Browsers Frame Injection Vulnerability
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: mozilla (Show other bugs)
rhl7.3
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://secunia.com/advisories/15601/
LEGACY, 1, 2, rh73, rh9
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-06-13 08:24 EDT by John Dalbec
Modified: 2007-04-18 13:27 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-09-14 22:02:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description John Dalbec 2005-06-13 08:24:29 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)

Description of problem:
(4) MODERATE: Mozilla Browsers Frame Injection Vulnerability
Affected:
Firefox version 1.0.4
Mozilla version 1.7.8

Description: An old vulnerability has been rediscovered in the Mozilla
and Firefox browsers. This vulnerability permits a malicious website to
inject a "frame" into the browser window of another website. For
example, the content from http://www.malicious.com can be loaded into
another window displaying the content from http://www.mybank.com. The
flaw can be exploited by a malicious webpage to spoof its identity as a
trusted site. This may lead to stealing sensitive user information such
as passwords, or further compromise of the user system. Proof-of-concept
browser test tools have been publicly posted.

Status: Mozilla has not confirmed, no patches available.

References:
Secunia Advisory
http://secunia.com/advisories/15601/ 




Version-Release number of selected component (if applicable):


How reproducible:
Didn't try


Additional info:
Comment 1 Michal Jaegermann 2005-07-20 15:08:47 EDT
The current 
http://www.mozilla.org/projects/security/known-vulnerabilities.html
actually lists nine new vulnerabilities from MFSA 2005-45 to MFSA 2005-56
(2005-47, 2005-49 and 2005-53 are not used) with the last one, "Code execution
through shared function objects", marked as critical and three other high.
The original one from this reports is listed there as MFSA 2005-51, 
"The return of frame-injection spoofing" indeed classified as moderate.

Dropping mozilla-1.7.10 in the old spec file works fine, at least on
RH7.3, with this catch that '%dir %{mozdir}/res/builtin' is now gone.
Comment 2 John Dalbec 2005-07-21 10:46:20 EDT
(8) HIGH: Mozilla/Firefox Multiple Remote Code Execution Vulnerabilities
Affected:
Firefox prior to version 1.0.5
Mozilla prior to version 1.7.9
Thunderbird prior to version 1.0.2

Description: Mozilla/Firefox browsers and Thunderbird email client
contain multiple vulnerabilities that can be exploited to execute
arbitrary code or arbitrary scripts on the client systems. Complete
technical details and exploit code have been publicly posted.

Status: Upgrade to Firefox 1.0.5 and Mozilla 1.7.9. Thunderbird fix is
not available at this time.

Council Site Actions: Only four of the reporting council sites are
responding to this item. Two of the sites already have the latest builds
available for their users to download.  The two other sites don't
officially support Firefox and Mozilla but have notified their users and
believe the users will get the updated versions manually.

References: Mozilla Advisories
http://www.mozilla.org/security/announce/mfsa2005-46.html
http://www.mozilla.org/security/announce/mfsa2005-48.html
http://www.mozilla.org/security/announce/mfsa2005-50.html
http://www.mozilla.org/security/announce/mfsa2005-55.html
http://www.mozilla.org/security/announce/mfsa2005-56.html Exploit Code
http://www.frsirt.com/exploits/20050712.mfsa2005-49exploit.php
http://www.frsirt.com/exploits/20050712.mfsa2005-47exploit.php
http://www.frsirt.com/exploits/20050712.mfsa2005-55exploit.php
SecurityFocus BID http://www.securityfocus.com/bid/14242

05.28.18 CVE: Not Available
Platform: Cross Platform
Title: Mozilla Suite, Firefox and Thunderbird Multiple Vulnerabilities
Description: The Mozilla Foundation has released 12 security
advisories specifying security vulnerabilities in Mozilla Suite,
Firefox, and Thunderbird. Please refer to the advisory for further
details. These vulnerabilities have been addressed in Firefox version
1.0.5 and Mozilla Suite 1.7.9. Mozilla Thunderbird has not been fixed
at this time.
Ref: http://www.securityfocus.com/bid/14242/references 
Comment 3 Pekka Savola 2005-07-27 02:59:42 EDT
Well, as RHEL has already moved to 1.7.10, if someone can create the packages, I
can do the PUBLISH..
Comment 4 Marc Deslauriers 2005-07-27 08:03:02 EDT
I'll make some tonight.
Comment 5 Marc Deslauriers 2005-07-30 16:00:55 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated mozilla, galeon, devhelp and epiphany packages to QA:

7.3:
a3adef61082a23b82f86b265ccc200fc1dcbfce2  7.3/mozilla-1.7.10-0.73.1.legacy.src.rpm
e1a26a16215b17aa5c43f9460d411e518060707a  7.3/galeon-1.2.14-0.73.4.legacy.src.rpm

9:
4a211079a8efc3c73cc398ec7fce7c6a4af575fa  9/mozilla-1.7.10-0.90.1.legacy.src.rpm
f53930b34862242a19d2c20e728683ae6576f450  9/galeon-1.2.14-0.90.4.legacy.src.rpm

fc1:
a49ad80fbfc5e590d4b17ce1eeef92a6ea2af097  1/mozilla-1.7.10-1.1.1.legacy.src.rpm
8b23c3397084f7b19e99288bc99b96350e749130  1/epiphany-1.0.8-1.fc1.4.legacy.src.rpm

fc2:
d5797aaa95f73b2170ac1856abd74b5ca180a3d9  2/mozilla-1.7.10-1.2.1.legacy.src.rpm
34c9b870a56753f3a1b02251d19bc8945c6aedbc  2/devhelp-0.9.1-0.2.8.legacy.src.rpm
7eb8ac04425cc2220dd6448528b24dfc067d9a5e  2/epiphany-1.2.10-0.2.5.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/mozilla-1.7.10-0.73.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/galeon-1.2.14-0.73.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/mozilla-1.7.10-0.90.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/galeon-1.2.14-0.90.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/mozilla-1.7.10-1.1.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/epiphany-1.0.8-1.fc1.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/mozilla-1.7.10-1.2.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/devhelp-0.9.1-0.2.8.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/epiphany-1.2.10-0.2.5.legacy.src.rpm

Binaries are also available at the same location.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC69wVLMAs/0C4zNoRAiFiAJ9iMaJSuFbvhlA2fvqE2x0nxe0wOwCeKj+U
Gvak4JfiQQO0RHg/8AUeVKA=
=nER3
-----END PGP SIGNATURE-----
Comment 6 Pekka Savola 2005-07-31 01:00:21 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity ok
 - spec file changes are relatively small, taken in a straightforward
   manner from RHEL updates
 - patches are OK.  The comarray patch in FC2 is from Fedora CVS.

+PUBLISH RHL73, RHL9, FC1, FC2

a3adef61082a23b82f86b265ccc200fc1dcbfce2  mozilla-1.7.10-0.73.1.legacy.src.rpm
4a211079a8efc3c73cc398ec7fce7c6a4af575fa  mozilla-1.7.10-0.90.1.legacy.src.rpm
a49ad80fbfc5e590d4b17ce1eeef92a6ea2af097  mozilla-1.7.10-1.1.1.legacy.src.rpm
d5797aaa95f73b2170ac1856abd74b5ca180a3d9  mozilla-1.7.10-1.2.1.legacy.src.rpm
8b23c3397084f7b19e99288bc99b96350e749130  epiphany-1.0.8-1.fc1.4.legacy.src.rpm
7eb8ac04425cc2220dd6448528b24dfc067d9a5e  epiphany-1.2.10-0.2.5.legacy.src.rpm
34c9b870a56753f3a1b02251d19bc8945c6aedbc  devhelp-0.9.1-0.2.8.legacy.src.rpm
e1a26a16215b17aa5c43f9460d411e518060707a  galeon-1.2.14-0.73.4.legacy.src.rpm
f53930b34862242a19d2c20e728683ae6576f450  galeon-1.2.14-0.90.4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD4DBQFC7FrWGHbTkzxSL7QRAgHsAKCilNc+5p0nqyqyRhIFnFptIzlo7ACXfNlu
gIU/h8hNUL3L1hq6GtlCFQ==
=KufG
-----END PGP SIGNATURE-----
Comment 7 Gilbert Sebenste 2005-08-03 11:47:55 EDT
Mozilla Works fine for me on FC1. +PUBLISH FC1
Epiphany comes up with this error message: 

GnomeUI-WARNING **: while connecting with session manager:
Authentication Rejected, reason: None of the authentication protocols
specified are supported amd host-based authentication failed.

Gilbert
Comment 8 Marc Deslauriers 2005-08-03 17:29:35 EDT
Gilbert,

Log out, and log back in again. That should take care of epiphany.
Comment 9 Gilbert Sebenste 2005-08-06 12:55:50 EDT
(In reply to comment #8)
> Gilbert,
> Log out, and log back in again. That should take care of epiphany.

Got it! Thanks. +PUBLISH FC1 on ephiphany.
Comment 10 Marc Deslauriers 2005-08-12 17:23:30 EDT
Packages were built for updates-testing.
Comment 11 Pavel Kankovsky 2005-08-16 16:50:25 EDT
For the record:
1.7.10 broke Mailnews, 1.7.11 was released to fix it.
See http://www.mozilla.org/releases/mozilla1.7.11/changelog.html
On the other hand, broken MUA is better than 0wned browser.
Comment 12 Pekka Savola 2005-08-19 02:54:59 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
I don't personally have a problem with slightly broken mail/news, but some
others might.  I'm willing to give a publish if someone creates the
packages.  That said, I don't want to delay the publication of these
packages, so..
 
I've tested both RHL73 and RHL9 versions.  Signatures were OK, upgrade went
OK.  Web browsing seems to work OK.  Also a java applet in RHL9 worked fine.
 
+VERIFY RHL73, RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFDBYIbGHbTkzxSL7QRAqKhAKDUnMyD9ZUVGR3WNSdpkO97lKpVrACgtowm
VPWzd3kp74/b1/Wxgkiol2k=
=EUa1
-----END PGP SIGNATURE-----
Comment 13 Marc Deslauriers 2005-08-19 08:07:37 EDT
We can't release 1.7.11 mozilla packages until FC3 and FC4 upgrade or else we'll
break the upgrade path.

Let's stick to 1.7.10 for now.
Comment 14 David Eisenstein 2005-08-30 06:48:24 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 QA testing for FC1's version of Mozilla 1.7.10 (including epiphany
version 1.0.8), currently in updates-testing.

024af661649ccdd80f61cdbcd67405146ddd290e
   mozilla-1.7.10-1.1.1.legacy.i386.rpm
c714508dfbf5194b518ab8c36ef15e35b5f9f34d
   mozilla-chat-1.7.10-1.1.1.legacy.i386.rpm
9f87a7c1b15b1eacf77d785ba02a6e5272786483
   mozilla-devel-1.7.10-1.1.1.legacy.i386.rpm
40d6a447c6fa50971449a12ed04d2139e7f38c86
   mozilla-dom-inspector-1.7.10-1.1.1.legacy.i386.rpm
7d7993584caf000376d414adfea09ef03b5dcfcc
   mozilla-js-debugger-1.7.10-1.1.1.legacy.i386.rpm
ddb668ea5ef6354bcea561d396f322b812986d3c
   mozilla-mail-1.7.10-1.1.1.legacy.i386.rpm
ba21eee7662528448aeab774f9f1eedcd27bef6e
   mozilla-nspr-1.7.10-1.1.1.legacy.i386.rpm
6fc9017c5f1712648f83f74dfc289097244bf2fb
   mozilla-nspr-devel-1.7.10-1.1.1.legacy.i386.rpm
b16af5524e6b5ae6d00b978aa7ae7e382045e42a
   mozilla-nss-1.7.10-1.1.1.legacy.i386.rpm
fe6babcc981d3d8d00405bc668a163c762325556
   mozilla-nss-devel-1.7.10-1.1.1.legacy.i386.rpm
8e927ac2f8ef17d3d33a5f244944c8e23bd349a5
   epiphany-1.0.8-1.fc1.4.legacy.i386.rpm

   -  SHA1 sums all match.
   -  All packages properly signed by the Fedora Legacy pgp key.
   -  Initial install of five core packages went well.
   -  Mozilla browser works well -- from a day or so of using with a
      variety of webpages (http:, https:, pages with javascript, pages
      using Java)
   -  Subsequent install of remaining packages (except for -devel) went
      well.
   -  Epiphany works.
   -  ChatZilla IRC client works.  Works better when you don't make
      typos.
   -  Venkman, the JavaScript debugger, seems to work okay.  Was able
      to set a breakpoint and trace execution.
   -  DOM Inspector - seems to inspect Document Objects well, including
      the document object that is the browser itself!
   -  Installed -devel without incident.  Didn't use it.

I use Mozilla Mail a lot.  Mozilla Mail seems to work well (and a lot
faster than my previous Mozilla install!), EXCEPT:  When I set the "Do
not load remote images in Mail & Newsgroup Messages" in the Preferences, I
encountered the newly-introduced bug -- where when you switch folders with
a message selected in the first folder, the message list is not refreshed
with the content listing of the 2nd folder:
         (<https://bugzilla.mozilla.org/show_bug.cgi?id=300749>)

I have not been able to get Mozilla Mail to evidence the other bug:
         (<https://bugzilla.mozilla.org/show_bug.cgi?id=301917>).

Other people's mileage may vary on the Mozilla Mail bugs that are fixed
upstream.  This bug is not a major blocker, in my opinion, although I
would like to see it fixed.

I vote:  VERIFY+ FC1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFDFDkIxou1V/j9XZwRAtpZAJ9ngu07Wg9vHe73jng/2yX5MuLNeQCg0mXO
cr2aeKP5cNdwQh4XnekZ7ic=
=cmTG
-----END PGP SIGNATURE-----
Comment 15 David Eisenstein 2005-08-30 08:15:55 EDT
In reference to the Mozilla-mail regression bugs in 1.7.10, I have re-
trieved the patches that fix them from Mozilla's CVS and am going to work
up a new SPEC file to incorporate them.  Those patches are pretty small,
and deal with one C source file and its header file.

I was thinking about cloning this bug and posting the spec-file and
patches in the cloned bug, so we can issue packages that fix the Mozilla-
Mail bugs...

Would it be appropriate to do so?  Or should I post them here in this bug?
Or not do it at all?
Comment 16 Pekka Savola 2005-08-30 14:37:31 EDT
I don't think we should respin the packages for this.  If I read the text
correctly, this should be fixed in the next mozilla releases -- after we're done
publishing this one, we can start with new ones..
Comment 17 Pekka Savola 2005-09-04 01:07:49 EDT
Timeout over..
Comment 18 Michal Jaegermann 2005-09-10 11:00:57 EDT
A new vulnerability, deemed "critical", showed up identified as CAN-2005-2871.
See, for example, https://rhn.redhat.com/errata/RHSA-2005-769.html.
One more additional patch, named firefox-307259-branch.patch in
mozilla-1.7.10-1.1.3.2.src.rpm, is needed to close that hole.

The same patch is also used in mozilla-1.7.10-1.3.2.src.rpm from FC3 updates
and mozilla recompiles after adding it without any issues (at least on an RH7.3
installation).  Resulting binaries work or you are not reading that. :-)
Comment 19 Pekka Savola 2005-09-10 14:43:50 EDT
Hmm.. not sure if we can add it at that point (this update is pending release in
any case).

Maybe someone would need to create new packages (e.g., based on 1.7.11) which
incorporate that patch under a new PR number?
Comment 20 Marc Deslauriers 2005-09-14 22:02:09 EDT
Packages were released to updates.

Note You need to log in before you can comment on or make changes to this bug.