Passing the firefox command a URL containing a pipe "|" symbol will cause firefox to open multiple tabs. If firefox is already running this flaw will try to open the URL as a single URL, not as multiple tabs. This flaw can lead to an arbitrarily named file gaining privileged access to the browser session. See the upstream bug for more details.
This issue does not affect SeaMonkey; it is only a Firefox issue.
Public now via MFSA 2008-35
http://www.mozilla.org/security/announce/2008/mfsa2008-35.html

Fixed in:
Firefox 3.0.1
Firefox 2.0.0.16
xulrunner-1.9.0.1-1.fc9, epiphany-extensions-2.22.1-3.fc9, firefox-3.0.1-1.fc9, epiphany-2.22.2-3.fc9, yelp-2.22.1-4.fc9, devhelp-0.19.1-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
chmsee-1.0.0-3.31.fc8, gnome-web-photo-0.3-12.fc8, openvrml-0.17.6-6.fc8, gnome-python2-extras-2.19.1-16.fc8, gtkmozembedmm-1.4.2.cvs20060817-22.fc8, epiphany-2.20.3-6.fc8, firefox-2.0.0.16-1.fc8, galeon-2.0.4-4.fc8.3, Miro-1.2.3-3.fc8, yelp-2.20.0-11.fc8, cairo-dock-1.6.1.1-1.fc8.1, epiphany-extensions-2.20.1-9.fc8, kazehakase-0.5.4-2.fc8.3, blam-1.8.3-17.fc8, devhelp-0.16.1-9.fc8, liferea-1.4.15-3.fc8, ruby-gnome2-0.17.0-0.3.rc1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0598.html
http://rhn.redhat.com/errata/RHSA-2008-0597.html

Fedora:
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-6491
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-6518
As of Jul 22, this does not install on F9 as it requires a superseded version of xulrunner:

Resolving Dependencies
--> Running transaction check
---> Package firefox.x86_64 0:3.0.1-1.fc9 set to be updated
--> Processing Dependency: gecko-libs = 1.9 for package: gnome-python2-gtkmozembed
Matched xulrunner-1.9-0.60.beta5.fc9.x86_64 to require for gecko-libs
---> Package devhelp.x86_64 0:0.19.1-3.fc9 set to be updated
---> Package xulrunner.x86_64 0:1.9.0.1-1.fc9 set to be updated
---> Package yelp.x86_64 0:2.22.1-4.fc9 set to be updated
---> Package xulrunner-devel.x86_64 0:1.9.0.1-1.fc9 set to be updated
--> Finished Dependency Resolution
gnome-python2-gtkmozembed-2.19.1-16.fc9.x86_64 from installed has depsolving problems
--> Missing Dependency: gecko-libs = 1.9 is needed by package gnome-python2-gtkmozembed-2.19.1-16.fc9.x86_64 (installed)
Skip-broken round 1
--> Running transaction check
---> Package xulrunner.x86_64 0:1.9.0.1-1.fc9 set to be updated
--> Processing Dependency: xulrunner = 1.9.0.1-1.fc9 for package: xulrunner-devel
--> Processing Dependency: gecko-libs = 1.9.0.1 for package: devhelp
--> Processing Dependency: gecko-libs = 1.9.0.1 for package: yelp
--> Processing Dependency: gecko-libs = 1.9.0.1 for package: firefox
--> Finished Dependency Resolution
firefox-3.0.1-1.fc9.x86_64 from updates has depsolving problems
--> Missing Dependency: gecko-libs = 1.9.0.1 is needed by package firefox-3.0.1-1.fc9.x86_64 (updates)
yelp-2.22.1-4.fc9.x86_64 from updates has depsolving problems
--> Missing Dependency: gecko-libs = 1.9.0.1 is needed by package yelp-2.22.1-4.fc9.x86_64 (updates)
xulrunner-devel-1.9.0.1-1.fc9.x86_64 from updates has depsolving problems
--> Missing Dependency: xulrunner = 1.9.0.1-1.fc9 is needed by package xulrunner-devel-1.9.0.1-1.fc9.x86_64 (updates)
devhelp-0.19.1-3.fc9.x86_64 from updates has depsolving problems
--> Missing Dependency: gecko-libs = 1.9.0.1 is needed by package devhelp-0.19.1-3.fc9.x86_64 (updates)
Skip-broken round 2

Skip-broken took 2 rounds
Packages skipped because of dependency problems:
devhelp-0.19.1-3.fc9.x86_64 from updates
firefox-3.0.1-1.fc9.x86_64 from updates
xulrunner-1.9.0.1-1.fc9.x86_64 from updates
xulrunner-devel-1.9.0.1-1.fc9.x86_64 from updates
yelp-2.22.1-4.fc9.x86_64 from updates
Depsolve time: 5.343
[root@potoroo ~]#
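The skip-broken output in the comment above shows a security update being dropped because of an installed package's dependency. As an added example (not part of the original report, and not yum's own code), this Python sketch parses such output and reports which watched packages were skipped and which installed package blocks them; the `watched` names, the function names and the indentation of the excerpted sample are assumptions.

```python
import re

# Excerpt of the yum output quoted in the comment above (indentation constructed).
YUM_OUTPUT = """\
gnome-python2-gtkmozembed-2.19.1-16.fc9.x86_64 from installed has depsolving problems
  --> Missing Dependency: gecko-libs = 1.9 is needed by package gnome-python2-gtkmozembed-2.19.1-16.fc9.x86_64 (installed)
firefox-3.0.1-1.fc9.x86_64 from updates has depsolving problems
  --> Missing Dependency: gecko-libs = 1.9.0.1 is needed by package firefox-3.0.1-1.fc9.x86_64 (updates)
xulrunner-devel-1.9.0.1-1.fc9.x86_64 from updates has depsolving problems
  --> Missing Dependency: xulrunner = 1.9.0.1-1.fc9 is needed by package xulrunner-devel-1.9.0.1-1.fc9.x86_64 (updates)
Packages skipped because of dependency problems:
    firefox-3.0.1-1.fc9.x86_64 from updates
    xulrunner-1.9.0.1-1.fc9.x86_64 from updates
    xulrunner-devel-1.9.0.1-1.fc9.x86_64 from updates
"""

MISSING = re.compile(
    r"Missing Dependency: (?P<req>.+?) is needed by package (?P<pkg>\S+) \((?P<repo>[^)]+)\)")
SKIPPED = re.compile(r"^\s*(?P<pkg>\S+) from (?P<repo>\S+)\s*$")
SKIP_HEADER = "Packages skipped because of dependency problems"


def package_name(nvra):
    """Strip '-version-release.arch' from a name-version-release.arch string."""
    return nvra.rsplit("-", 2)[0]


def analyze(output, watched=("firefox", "xulrunner")):
    """Return skipped watched packages and the installed packages blocking them."""
    blockers, skipped, in_skipped = {}, [], False
    for line in output.splitlines():
        m = MISSING.search(line)
        if m:
            # An unmet requirement of an already-installed package is the root blocker.
            if m["repo"] == "installed":
                blockers[m["pkg"]] = m["req"]
        elif line.startswith(SKIP_HEADER):
            in_skipped = True
        elif in_skipped:
            s = SKIPPED.match(line)
            if s:
                skipped.append(s["pkg"])
            else:
                in_skipped = False  # end of the skipped-packages list
    hits = [p for p in skipped if package_name(p) in watched]
    return {"skipped_watched": hits, "blockers": blockers}


if __name__ == "__main__":
    print(analyze(YUM_OUTPUT))
```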
John, please file a bug report against gnome-python2-gtkmozembed, which needs to be rebuilt against new xulrunner package providing gecko-libs 1.9.0.1.
(In reply to comment #14)
> John, please file a bug report against gnome-python2-gtkmozembed, which needs
> to be rebuilt against new xulrunner package providing gecko-libs 1.9.0.1.

Rebuilds were already submitted as updates to Bodhi:
https://admin.fedoraproject.org/updates/F9/pending/Miro-1.2.4-2.fc9,gnome-python2-extras-2.19.1-17.fc9

Or use these instructions to get new packages while they are not pushed to stable:
http://axelilly.wordpress.com/2008/07/21/help-test-recent-xulrunner-updates/