mozilla_1.7.8-1sarge4_i386 testbuild is available
Alexander Sack
asac at debian.org
Thu Apr 20 14:55:30 UTC 2006
Hi,

please test the mozilla build currently uploading to my security
archive:

http://people.debian.org/~asac/security/

version is sarge4.

The final security upload for mozilla will be named sarge5. The
detailed and documented patchset that was used to produce the combined
patch[1] will be released as soon as mozilla unlocks mfsa2006-21 and
mfsa2006-27.

Attached the changes file for your convenience.

[1] - debian/patches/002_mfsa-2006-01_29.patch

- Alexander
--
GPG messages preferred. | .''`. ** Debian GNU/Linux **
Alexander Sack | : :' : The universal
asac at debian.org | `. `' Operating System
http://www.asoftsite.org/ | `- http://www.debian.org/
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 20 Apr 2006 17:00:00 +0100
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-dom-inspector libnspr4 mozilla-js-debugger mozilla-browser libnss3 libnspr-dev mozilla-chatzilla mozilla-psm mozilla-mailnews libnss-dev mozilla-dev
Architecture: source i386
Version: 2:1.7.8-1sarge4
Distribution: stable-security
Urgency: critical
Maintainer: Takuo KITAME <kitame at debian.org>
Changed-By: Alexander Sack <asac at debian.org>
Description:
libnspr-dev - Netscape Portable Runtime library - development files
libnspr4 - Netscape Portable Runtime Library
libnss-dev - Network Security Service Libraries - development
libnss3 - Network Security Service Libraries - runtime
mozilla - The Mozilla Internet application suite - meta package
mozilla-browser - The Mozilla Internet application suite - core and browser
mozilla-calendar - Todo organizer,calendar and reminder,integrated with Mozilla suit
mozilla-chatzilla - Mozilla Web Browser - irc client
mozilla-dev - The Mozilla Internet application suite - development files
mozilla-dom-inspector - A tool for inspecting the DOM of pages in Mozilla.
mozilla-js-debugger - JavaScript debugger for use with Mozilla
mozilla-mailnews - The Mozilla Internet application suite - mail and news support
mozilla-psm - The Mozilla Internet application suite - Personal Security Manage
Changes:
mozilla (2:1.7.8-1sarge4) stable-security; urgency=critical
.
* This release fixes multiple vulnerabilities. In addition
this release comprises a prophylactic pack as a preventive
security measure. Issues addressed in those prophylactic
patches are comprised under MFSA-n2006-01 (where n stands for
'not really'). The patchset is comprised in the
002_mfsa-2006-01_29.patch file inside the debian/patches dir.
A detailed 'per-issue' patchset with documentation can be downloaded
from http://people.debian.org/~asac/mozilla1.7.13_patchset.tar.gz.
* MFSA-2006-01: JavaScript garbage-collection hazards
Summary: Garbage collection hazards have been found in the JavaScript
engine where some routines used temporary variables that were
not properly protected (rooted).
Closes: -
CVE-Ids: CVE-2006-0293 CVE-2006-0292
Bugzilla: 316885 322045
Issues addressed:
+ CVE-2006-0293, CVE-2006-0292 - JavaScript garbage-collection hazards
* MFSA-2006-03: Long document title causes startup denial of service
Summary: Web pages with extremely long titles--the public
demonstration had a title 2.5 million characters long--cause
subsequent launches of the browser to appear to "hang" for up
to a few minutes, or even crash if the computer has
insufficient memory.
Closes: -
CVE-Ids: CVE-2005-4134
Bugzilla: 319004
Issues addressed:
+ CVE-2005-4134 - Long document title causes startup denial of service
* MFSA-2006-05: Localstore.rdf XML injection through
XULDocument.persist()
Summary: XULDocument.persist() did not validate the attribute name,
allowing an attacker to inject XML into localstore.rdf that
would be read and acted upon at startup. This could include
JavaScript commands that would be run with the permissions of
the browser.
Closes: -
CVE-Ids: CVE-2006-0296
Bugzilla: 319847
Issues addressed:
+ CVE-2006-0296 - Localstore.rdf XML injection through XULDocument.persist()
* MFSA-2006-09: Cross-site JavaScript injection using event handlers
Summary: Shutdown reported a method of injecting running JavaScript
code into a page on another site using a modal alert to
suspend an event handler while a new page is being loaded.
This vulnerability allows an attacker to steal any
confidential information the new page might contain, including
any passwords and cookies which might allow the attacker to
log on to that site as the victim.
Closes: -
CVE-Ids: CVE-2006-1741
Bugzilla: 296514 296639 316589 311024 311619 316589 326279
Issues addressed:
+ CVE-2006-1741 - Cross-site JavaScript injection using event handlers
* MFSA-2006-10: JavaScript garbage-collection hazard audit
Summary: Igor Bukanov has audited the JavaScript engine for routines
that use temporary variables not protected against
garbage-collection. If malicious content could cause
garbage-collection to run during the lifetime of these
temporaries then the original routine would end up operating
on freed memory.
Closes: -
CVE-Ids: CVE-2006-1742
Bugzilla: 311497 311792 312278 313276 313479 313630 313726 313763
313938 325269
Issues addressed:
+ CVE-2006-1742 - JavaScript garbage-collection hazard audit
* MFSA-2006-11: Crashes with evidence of memory corruption (rv:1.8)
Summary: As part of the Firefox 1.5 release we fixed several crash
bugs to improve the stability of the product. Some of these
crashes showed evidence of memory corruption that we presume
could be exploited to run arbitrary code and have been applied
to the Firefox 1.0.x and Mozilla Suite 1.7.x releases
Closes: -
CVE-Ids: CVE-2006-1739 CVE-2006-1737 CVE-2006-1738 CVE-2006-1790
Bugzilla: 280769 265736 280769 311710 313173 315304 311710 313173
265736
Issues addressed:
+ CVE-2006-1737 - Crashes with evidence of memory corruption (rv:1.8)
+ CVE-2006-1738 - Unspecified vulnerability in Mozilla Firefox and Thunderbird
+ CVE-2006-1739 - The CSS border-rendering code in Mozilla Firefox and Thunderbird allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.
+ CVE-2006-1790 - A regression fix in Mozilla Firefox 1.0.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code
* MFSA-2006-12: Secure-site spoof (requires security warning dialog)
Summary: Tristor reports that it was possible to spoof the browser's
secure-site indicators (the lock icon, the site name in the
URL field, the gold URL field background in Firefox) by first
loading the target secure site in a pop-up window, then
changing its location to a different site.
Closes: -
CVE-Ids: CVE-2006-1740
Bugzilla: 271194
Issues addressed:
+ CVE-2006-1740 - Secure-site spoof (requires security warning dialog)
* MFSA-2006-13: Downloading executables with "Save Image As..."
Summary: By layering a transparent image link to an executable on top
of a visible (and presumably desirable) image a malicious site
might be able to convince some visitors to right-click and
choose "Save image as..." from the context menu and fool them
by giving them the executable instead. When the users later
double-click on the saved "image" to view or edit it the
attacker's malware would be run.
Closes: -
CVE-Ids: CVE-2006-1736
Bugzilla: 293527 333035 333131 333035 333305 333428 333394
Issues addressed:
+ CVE-2006-1736 - Downloading executables with "Save Image As..."
* MFSA-2006-14: Privilege escalation via XBL.method.eval
Summary: Using the eval associated with methods of an XBL binding it
was possible to create JavaScript functions that would get
compiled with the wrong privileges, allowing the attacker to
run code of their choice with the full permission of the user
running the browser. This could be used to install spyware or
viruses.
Closes: -
CVE-Ids: CVE-2006-1735
Bugzilla: 311025 311403 311455 331943
Issues addressed:
+ CVE-2006-1735 - Privilege escalation via XBL.method.eval
* MFSA-2006-15: Privilege escalation using a JavaScript function's cloned
parent
Summary: shutdown discovered it was possible to use the Object.watch()
method to access an internal function object (the "clone
parent") which could then be used to run arbitrary JavaScript
code with full permission. This could be used to install
malware such as password sniffers or viruses.
Closes: -
CVE-Ids: CVE-2006-1734
Bugzilla: 313370 313684
Issues addressed:
+ CVE-2006-1734 - Privilege escalation using a JavaScript function's cloned parent
* MFSA-2006-16: Accessing XBL compilation scope via valueOf.call()
Summary: moz_bug_r_a4 discovered that the compilation scope of
privileged built-in XBL bindings was not fully protected from
web content and could be accessed by calling valueOf.call()
and valueOf.apply() on a method of that binding. This could
then be used to compile and run attacker-supplied JavaScript,
giving it the privileges of the binding which would allow an
attacker to install malware such as viruses and password
sniffers
Closes: -
CVE-Ids: CVE-2006-1733
Bugzilla: 312871 313236 313375
Issues addressed:
+ CVE-2006-1733 - Accessing XBL compilation scope via valueOf.call()
* MFSA-2006-17: cross-site scripting through window.controllers
Summary: shutdown demonstrated how to use the window.controllers array
to bypass same-origin protections, allowing a malicious site
to inject script into content from another site. This could
allow the malicious page to steal information such as cookies
or passwords from the other site, or perform transactions on
the user's behalf if the user were already logged in.
Closes: -
CVE-Ids: CVE-2006-1732
Bugzilla: 313373 323634 326248
Issues addressed:
+ CVE-2006-1732 - cross-site scripting through window.controllers
* MFSA-2006-18: Mozilla Firefox Tag Order Vulnerability
Summary: A particular sequence of HTML tags that reliably crash
Mozilla clients was reported by an anonymous researcher via
TippingPoint and the Zero Day Initiative. The crash is due to
memory corruption that can be exploited to run arbitrary code.
Mozilla mail clients will crash on the tag sequence, but
without the ability to run scripts to fill memory with the
attack code it may not be possible for an attacker to exploit
this crash.
Closes: -
CVE-Ids: CVE-2006-0749
Bugzilla: 320182 269095
Issues addressed:
+ CVE-2006-0749 - Mozilla Firefox Tag Order Vulnerability
* MFSA-2006-19: Cross-site scripting using .valueOf.call()
Summary: moz_bug_r_a4 discovered that .valueOf.call() and
.valueOf.apply() when called with no arguments were returning
the Object class prototype rather than the caller's global
window object. When called on a reachable property of another
window this provides a hook to get around the same-origin
protection, allowing an attacker to inject script into another
window.
Closes: -
CVE-Ids: CVE-2006-1731
Bugzilla: 327194 290488
Issues addressed:
+ CVE-2006-1731 - Cross-site scripting using .valueOf.call()
* MFSA-2006-20: Cross-site scripting using .valueOf.call()
Summary: As part of the Firefox 1.5.0.2 release we fixed several crash
bugs to improve the stability of the product, with a
particular focus on finding crashes caused by DHTML. Some of
these crashes showed evidence of memory corruption that we
presume could be exploited to run arbitrary code with enough
effort.
Closes: -
CVE-Ids: CVE-2006-1724 CVE-2006-1529 CVE-2006-1530 CVE-2006-1531
CVE-2006-1723
Bugzilla: 282105 320459 315254 326615 326834 327941 328509
Issues addressed:
+ CVE-2006-1724 - Unspecified vulnerability in Firefox and Thunderbird
+ CVE-2006-1529 - Unspecified vulnerability in Firefox and Thunderbird
+ CVE-2006-1530 - Unspecified vulnerability in Firefox and Thunderbird
+ CVE-2006-1531 - Unspecified vulnerability in Firefox and Thunderbird
+ CVE-2006-1723 - Unspecified vulnerability in Firefox and Thunderbird
.
Closes: -
CVE-Ids: CVE-2006-0884
Bugzilla: 319858
Issues addressed:
+ CVE-2006-0884 -
* MFSA-2006-22: CSS Letter-Spacing Heap Overflow Vulnerability
Summary: An anonymous researcher for TippingPoint and the Zero Day
Initiative discovered an integer overflow triggered by the CSS
letter-spacing property. This results in under-allocating
memory and ultimately a heap buffer overflow which could be
exploited to run code of the attacker's choice.
Closes: -
CVE-Ids: CVE-2006-1730
Bugzilla: 325403
Issues addressed:
+ CVE-2006-1730 - CSS Letter-Spacing Heap Overflow Vulnerability
* MFSA-2006-23: File stealing by changing input type
Summary: Claus Jørgensen reports that a text input box can be
pre-filled with a filename and then turned into a file-upload
control with the contents intact, allowing a malicious website
the ability to steal any local file whose name they can guess.
Closes: -
CVE-Ids: CVE-2006-1729
Bugzilla: 325947 328566
Issues addressed:
+ CVE-2006-1729 - File stealing by changing input type
* MFSA-2006-24: Privilege escalation using crypto.generateCRMFRequest
Summary: shutdown demonstrated that the crypto.generateCRMFRequest
method can be used to run arbitrary code with the privilege of
the user, which could enable an attacker to install malware.
Closes: -
CVE-Ids: CVE-2006-1728
Bugzilla: 327126
Issues addressed:
+ CVE-2006-1728 - Privilege escalation using crypto.generateCRMFRequest
* MFSA-2006-25: Privilege escalation through Print Preview
Summary: Georgi Guninski reported two variants of using scripts in an
XBL control to gain chrome privileges when the page is viewed
under "Print Preview".
Closes: -
CVE-Ids: CVE-2006-1727
Bugzilla: 325991 328469
Issues addressed:
+ CVE-2006-1727 - Privilege escalation through Print Preview
* MFSA-2006-26: Mail Multiple Information Disclosure
Summary: As a privacy measure to prevent senders (primarily spammers)
from tracking when e-mail is read Thunderbird does not load
remote content referenced from an HTML mail message until a
user tells it to do so. This normally includes the content of
frames and CSS files, but CrashFr showed it was possible to
bypass this restriction through indirection: the direct CSS or
iframe src is included in-line, with that including remote
content.
Closes: -
CVE-Ids: CVE-2006-1045
Bugzilla: 328917
Issues addressed:
+ CVE-2006-1045 - Mail Multiple Information Disclosure
.
Closes: -
CVE-Ids: CVE-2006-0748
Bugzilla: 328937 317554
Issues addressed:
+ CVE-2006-0748 -
* MFSA-2006-28: Security check of js_ValueToFunctionObject() can be
circumvented
Summary: The security check in js_ValueToFunctionObject() can be
bypassed by clever use of setTimeout() and the new Firefox 1.5
array method ForEach. shutdown demonstrated how to leverage
this into a privilege escalation vulnerability that would
allow the installation of malware.
Closes: -
CVE-Ids: CVE-2006-1726
Bugzilla: 323501
Issues addressed:
+ CVE-2006-1726 - Security check of js_ValueToFunctionObject() can be circumvented
* MFSA-2006-29: Security check of js_ValueToFunctionObject() can be
circumvented
Summary: An interaction between XUL content windows and the new faster
history mechanism in Firefox 1.5 caused those windows to
become translucent. This could be used to construct spoofs
that could trick users into interacting with browser UI they
can't see. It's possible a clever game-type presentation could
persuade an unsuspicious user into some combination of actions
that would result in running the attacker's code.
Closes: -
CVE-Ids: CVE-2006-1725
Bugzilla: 327014
Issues addressed:
+ CVE-2006-1725 - Security check of js_ValueToFunctionObject() can be circumvented
* MFSA-n2006-01: Prophylactic Service Pack 2006/01
Summary: As part of the Firefox 1.5 release we fixed several crash
bugs to improve the stability of the product. Some of these
crashes showed evidence of memory corruption that we presume
could be exploited to run arbitrary code and have been applied
to the Firefox 1.0.x and Mozilla Suite 1.7.x releases
Closes: -
CVE-Ids: NOADVISORIES CVE-2005-2353
Bugzilla: 325297 307867 320459 324223 318618 319846 298823 309228
306658 327170 319846 328692 303752 313724 304330
Issues addressed:
+ NOADVISORY - run-mozilla.sh temporary file issue
+ NOADVISORY - Prophylactic fix to disallow JS setting window.top and such.
+ NOADVISORY - Makes capability.policy.default.*.methodName work.
+ NOADVISORY - Prophylactic fix
+ NOADVISORY - Mostly a prophylactic fix to make sure that if someone _does_ learn enough to try they fail.
+ NOADVISORY - Prophylactic crash fix.
+ NOADVISORY - Prophylactic DoS prevention.
+ NOADVISORY - Issue in builds that have customized their security policies.
+ NOADVISORY - issue for users who enable script in mailnews.
+ NOADVISORY - Issue in builds that have customized their security policies.
+ NOADVISORY - Information leak bug that allowed sites to share arbitrary data via cookies.
+ NOADVISORY - Prophylactic fix to make sure objects don't die while we're working with them.
+ NOADVISORY - Prophylactic DoS prevention.
+ NOADVISORY - Prophylactic DoS prevention
+ NOADVISORY - Forwarding in-line (not the default) a message that contained <img src=file:...> could send out local image files.
Files:
559c0109ce2dd49c6f9ba7a11e9cf9e6 1123 web optional mozilla_1.7.8-1sarge4.dsc
642515ee93ea6cfc2e7f961e176caed1 471813 web optional mozilla_1.7.8-1sarge4.diff.gz
b6318fc90fee2a5d3b8e80732105fcb1 1030 web optional mozilla_1.7.8-1sarge4_i386.deb
75fb68507cfb39f03b9fb2e6dc4355e0 10332412 web optional mozilla-browser_1.7.8-1sarge4_i386.deb
0a75e24a8a759a07e30b9acc219642ba 3592732 devel optional mozilla-dev_1.7.8-1sarge4_i386.deb
f9912507a60506d1c27c05be5519589b 1816076 mail optional mozilla-mailnews_1.7.8-1sarge4_i386.deb
e900fba8dd66652b7e6e930fe8fd6c34 158348 net optional mozilla-chatzilla_1.7.8-1sarge4_i386.deb
19fca19cf2b778cd65762ee74dd8605e 192632 web optional mozilla-psm_1.7.8-1sarge4_i386.deb
796b4e4be6855fbcc7cf0d97b3112880 116680 web optional mozilla-dom-inspector_1.7.8-1sarge4_i386.deb
99acae324031b4024ada722329eef19f 204160 devel optional mozilla-js-debugger_1.7.8-1sarge4_i386.deb
ec85762bdac6d9c5d16e2ec3fa9f55ee 403514 misc optional mozilla-calendar_1.7.8-1sarge4_i386.deb
9a8c8ee109ea47445f634f8a47e4c729 136266 libs optional libnspr4_1.7.8-1sarge4_i386.deb
4ea39f2f253ff7334053a15a66cc5707 170342 libdevel optional libnspr-dev_1.7.8-1sarge4_i386.deb
1c5d6949cf47ee90cf6f3db9a304d0b5 661020 libs optional libnss3_1.7.8-1sarge4_i386.deb
d481375ce9c808c1af4f88301a20d233 187114 libdevel optional libnss-dev_1.7.8-1sarge4_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFER53uv8pLOKgkuT8RAsIeAJ98jhnxkvV05+ebydJiCcaV1pyScgCgs7dB
9tFaWjfXRq3W/JFN7eaGHEk=
=rdXk
-----END PGP SIGNATURE-----