Bugtraqmailing list archives

By Date

By Thread

[ GLSA 200509-11 ] Mozilla Suite, Mozilla Firefox: Buffer overflow

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Gentoo Linux Security Advisory                           GLSA 200509-11- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -http://security.gentoo.org/- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  Severity: Normal     Title: Mozilla Suite, Mozilla Firefox: Buffer overflow      Date: September 18, 2005      Bugs: #105396        ID: 200509-11- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Synopsis========Mozilla Suite and Firefox are vulnerable to a buffer overflow thatmight be exploited to execute arbitrary code.Background==========The Mozilla Suite is a popular all-in-one web browser that includes amail and news reader. Mozilla Firefox is the next-generation browserfrom the Mozilla project. They both support Internationalized DomainNames (IDN), which are domain names represented by local languagecharacters.Affected packages=================    -------------------------------------------------------------------     Package                         /   Vulnerable   /     Unaffected    -------------------------------------------------------------------  1  www-client/mozilla-firefox          <= 1.0.6-r6       >= 1.0.6-r7  2  www-client/mozilla                 <= 1.7.11-r2      >= 1.7.11-r3  3  www-client/mozilla-firefox-bin      <= 1.0.6-r2       Vulnerable!  4  www-client/mozilla-bin               <= 1.7.11        Vulnerable!    -------------------------------------------------------------------     NOTE: Certain packages are still vulnerable. Users should migrate           to another package if one is available or wait for the           existing packages to be marked stable by their           architecture maintainers.    -------------------------------------------------------------------     4 affected packages on all of their supported architectures.    -------------------------------------------------------------------Description===========The Mozilla Suite and Firefox are both vulnerable to a buffer overflowwhile processing hostnames containing multiple hyphens. Note thatbrowsers that have disabled IDN support are immune to this flaw.Impact======A remote attacker could setup a malicious site and entice a victim tovisit it, triggering the buffer overflow and potentially resulting inthe execution of arbitrary code with the victim's privileges.Workaround==========You can disable the IDN support by opening the "about:config" page inthe browser and manually toggling the "network.IDN" property to"false". Alternatively, you can install a security patch by followingthe patching instructions given in References.Resolution==========All Mozilla Firefox users should upgrade to the latest version:    # emerge --sync    # emerge --ask --oneshot --verbose">=www-client/mozilla-firefox-1.0.6-r7"All Mozilla Suite users should upgrade to the latest version:    # emerge --sync    # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.11-r3"There are no fixed Mozilla Firefox or Mozilla Suite binaries yet. Usersof the mozilla-bin or mozilla-firefox-bin packages should either switchto the source-based versions or apply the workaround.References==========  [ 1 ] CAN-2005-2871http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2871  [ 2 ] Mozilla Foundation patching instructionshttps://addons.mozilla.org/messages/307259.htmlAvailability============This GLSA and any updates to it are available for viewing atthe Gentoo Security Website:http://security.gentoo.org/glsa/glsa-200509-11.xmlConcerns?=========Security is a primary focus of Gentoo Linux and ensuring theconfidentiality and security of our users machines is of utmostimportance to us. Any security concerns should be addressed tosecurity () gentoo org or alternatively, you may file a bug athttp://bugs.gentoo.org.License=======Copyright 2005 Gentoo Foundation, Inc; referenced textbelongs to its owner(s).The contents of this document are licensed under theCreative Commons - Attribution / Share Alike license.http://creativecommons.org/licenses/by-sa/2.0

Attachment:signature.asc
Description: OpenPGP digital signature

By Date

By Thread

Current thread:

• [ GLSA 200509-11 ] Mozilla Suite, Mozilla Firefox: Buffer overflowThierry Carrez (Sep 19)