ffox 1.5.0.2/1.0.8 CVE-Ids, MFSAs and Bugzilla bugs

Alexander Sack asac at debian.org
Fri Apr 14 09:41:06 UTC 2006


Hi,

Here is a list of CVE-IDs, MFSAs and bugs for today's Firefox release,
so you can properly document your upload in unstable.

Debian bugs are not listed. Please sort them into this list and
communicate your findings. Thanks!

Distinct patches for sarge are on their way. Please be a bit patient,
since this is a huge release.

Below are the advisories fixed in 1.5.0.2. For 1.0.8 there are some
more items that were fixed in 1.5.0.1. I will sort them out during
final patch preparation.

If you find any problems or inconsistencies in the advisories below,
don't hesitate to raise your hands.

Happy Easter :)!

First a short list:

CVE-2006-1741 mfsa2006-09, 296514, 316589, 311024, 311619, 311892 - browsers only
CVE-2006-1742 mfsa2006-10, 311497, 311792, 312278, 313276, 313479, 313630, 313726, 313763, 313938, 325269 - all
CVE-2006-1737 mfsa2006-11, 280769, 265736, 311710, 313173, 315304 - all
CVE-2006-1738 mfsa2006-11, 311710, 313173 - all
CVE-2006-1739 mfsa2006-11, 265736 - all
CVE-2006-1740 mfsa2006-12, 271194 - browsers only
CVE-2006-1736 mfsa2006-13, 293527 - browsers only
CVE-2006-1735 mfsa2006-14, 311025, 311403, 311455 - all
CVE-2006-1734 mfsa2006-15, 313370, 313684 - all
CVE-2006-1733 mfsa2006-16, 312871, 313236, 313375 - all
CVE-2006-1732 mfsa2006-17, 313373 - all
CVE-2006-0749 mfsa2006-18, 320182, 269095 - all
CVE-2006-1731 mfsa2006-19, 327194, 290488 - all
CVE-2006-1724 mfsa2006-20, 282105 - all
  The following bugs were published within mfsa2006-20, but don't have a
  CVE-ID: 320459, 307989, 308086, 309120, 310436, 310638, 315254, 317544, 317546, 317549, 326615,
  326644, 326834, 327941, 328509, 328839, 329406 - all (1.5/1.8 only)
CVE-2006-0884 mfsa2006-21, 319858 - all
CVE-2006-1730 mfsa2006-22, 325403, 319858 - all
CVE-2006-1729 mfsa2006-23, 325947, 328566 - browsers only
CVE-2006-1728 mfsa2006-24, 327126 - all
CVE-2006-1727 mfsa2006-25, 325991, 328469 - all
CVE-2006-1045 mfsa2006-26, 328917 - thunderbird only
CVE-2006-0748 mfsa2006-27, 328937, 317554 - all
CVE-2006-1726 mfsa2006-28, 323501 - all (1.5/1.8 only)
CVE-2006-1725 mfsa2006-29, 327014 - browsers only
CVE-2005-2353 nomfsa, 304330 - all


Now the detailed advisories:

======================
CVE-2006-1741 mfsa2006-09, 296514, 316589, 311024, 311619, 311892

Affected: browsers only

Advisory:
Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite
before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to
inject arbitrary Javascript into other sites by (1) "using a modal
alert to suspend an event handler while a new page is being loaded",
(2) using eval(), and using certain variants involving (3) "new
Script;" and (4) using window.__proto__ to extend eval, aka
"cross-site JavaScript injection".

======================

CVE-2006-1742 mfsa2006-10, 311497, 311792, 312278, 313276, 313479,
313630, 313726, 313763, 313938, 325269

Affected: all

Advisory:
The JavaScript engine in Mozilla Firefox and Thunderbird 1.x before
1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey
before 1.0 does not properly handle temporary variables that are not
garbage collected, which might allow remote attackers to trigger
operations on freed memory and cause memory corruption.

======================

CVE-2006-1737 mfsa2006-11, 280769, 265736, 311710, 313173, 315304
CVE-2006-1738 mfsa2006-11, 311710, 313173
CVE-2006-1739 mfsa2006-11, 265736

Affected: all

Advisory:
As part of the Firefox 1.5 release we fixed several crash bugs to
improve the stability of the product. Some of these crashes showed
evidence of memory corruption that we presume could be exploited to
run arbitrary code and have been applied to the Firefox 1.0.x and
Mozilla Suite 1.7.x releases.

While fixing an unexploitable recursion-induced crash Bernd Mielke
discovered that the CSS border-rendering code could potentially write
past the end of an array.

Alden D'Souza reported a crash when using an extremely large regular
expression in JavaScript. This was tracked down to a 16-bit integer
overflow that could potentially cause the browser to interpret
attacker supplied data as JavaScript bytecode.

Martijn Wargers found two potentially exploitable crashes when
programmatically changing the -moz-grid and -moz-grid-group display
styles.

Bob Clary found a memory corruption crash using the
InstallTrigger.install() method that was introduced in Firefox 1.0.7
by one of the regression fixes described in MFSA 2005-58.

Note: Thunderbird shares the browser engine with Firefox and could be
vulnerable if JavaScript were to be enabled in mail. This is not the
default setting and we strongly discourage users from running
JavaScript in mail. 

===============

CVE-2006-1740 mfsa2006-12, 271194

Affected: browsers only

Advisory:
Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite
before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to
spoof secure site indicators such as the locked icon by opening the
trusted site in a popup window, then changing the location to a
malicious site.

================

CVE-2006-1736 mfsa2006-13, 293527

Affected: browsers only

Advisory:
Mozilla Firefox 1.x before 1.5 and 1.0.x before 1.0.8, Mozilla Suite
before 1.7.13, and SeaMonkey before 1.0 allows remote attackers to
trick users into downloading and saving an executable file via an
image that is overlaid by a transparent image link that points to the
executable, which causes the executable to be saved when the user
clicks the "Save image as..." option. NOTE: this attack is made easier
due to a GUI truncation issue that prevents the user from seeing the
malicious extension when there is extra whitespace in the filename.


=================

CVE-2006-1735 mfsa2006-14, 311025, 311403, 311455

Affected: all

Advisory:
Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8,
Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote
attackers to execute arbitrary code by using an eval in an XBL method
binding (XBL.method.eval) to create Javascript functions that are
compiled with extra privileges. 


=================

CVE-2006-1734 mfsa2006-15, 313370, 313684

Affected: all

Advisory:
Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8,
Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote
attackers to execute arbitrary code by using the Object.watch method
to access the "clone parent" internal function.


==================

CVE-2006-1733 mfsa2006-16, 312871, 313236, 313375

Affected: all

Advisory:
Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8,
Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 does not
properly protect the compilation scope of privileged built-in XBL
bindings, which allows remote attackers to execute arbitrary code via
the (1) valueOf.call or (2) valueOf.apply methods of an XBL binding,
or (3) "by inserting an XBL method into the DOM's document.body
prototype chain."


==================

CVE-2006-1732 mfsa2006-17, 313373

Affected: all

Advisory:
Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x
before 1.5 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and
SeaMonkey before 1.0 allows remote attackers to bypass same-origin
protections and conduct cross-site scripting (XSS) attacks via
unspecified vectors involving the window.controllers array. 


===================

CVE-2006-0749 mfsa2006-18, 320182, 269095

Affected: all

Advisory:
Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8,
Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via unknown vectors involving a "particular sequence of
HTML tags" that leads to memory corruption.


===================

CVE-2006-1731 mfsa2006-19, 327194, 290488

Affected: all

Advisory:
Mozilla Firefox and Thunderbird 1.x before 1.5 and 1.0.x before 1.0.8,
Mozilla Suite before 1.7.13, and SeaMonkey before 1.0 returns the
Object class prototype instead of the global window object when (1)
.valueOf.call or (2) .valueOf.apply are called without any arguments,
which allows remote attackers to conduct cross-site scripting (XSS)
attacks.


====================

CVE-2006-1724 mfsa2006-20, 282105

Affected: all
Note: Other bugs (initially) listed in mfsa2006-20 but *not* related:
      320459, 307989, 308086, 309120, 310436, 310638, 315254,
      317544, 317546, 317549, 326615, 326644, 326834, 327941,
      328509, 328839, 329406
      AND 317554 maybe belongs to mfsa2006-27.

Advisory for CVE:
Unspecified vulnerability in Firefox and Thunderbird before 1.5.0.2,
1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey before
1.0.1 allows remote attackers to cause a denial of service (crash) and
possibly execute arbitrary code via attack vectors related to DHTML.


=====================

CVE-2006-0884 mfsa2006-21, 319858 ... on hold until the Thunderbird release next week

=====================

CVE-2006-1730 mfsa2006-22, 325403, 319858

Affected: all

Advisory:
Integer overflow in Mozilla Firefox and Thunderbird 1.x before 1.5.0.2
and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13, and SeaMonkey
before 1.0.1 allows remote attackers to execute arbitrary code via
certain manipulations of the CSS letter-spacing property that lead to
a heap-based buffer overflow.


=====================

CVE-2006-1729 mfsa2006-23, 325947, 328566

Affected: browsers only

Advisory:
Mozilla Firefox 1.x before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla
Suite before 1.7.13, and SeaMonkey before 1.0.1 allows remote
attackers to read arbitrary files by (1) inserting the target filename
into a text box, then turning that box into a file upload control, or
(2) changing the type of y that is associated with an event handler.


=====================

CVE-2006-1728 mfsa2006-24, 327126

Affected: all

Advisory:
Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x
before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13,
and SeaMonkey before 1.0.1 allows remote attackers to execute
arbitrary code via unknown vectors related to the
crypto.generateCRMFRequest method.


=====================

CVE-2006-1727 mfsa2006-25, 325991, 328469

Affected: all

Advisory:
Unspecified vulnerability in Mozilla Firefox and Thunderbird 1.x
before 1.5.0.2 and 1.0.x before 1.0.8, Mozilla Suite before 1.7.13,
and SeaMonkey before 1.0.1 allows remote attackers to gain chrome
privileges via multiple attack vectors related to the use of XBL
scripts with "Print Preview".


=====================

CVE-2006-1045 mfsa2006-26, 328917

Affected: thunderbird only

Advisory:
The HTML rendering engine in Mozilla Thunderbird 1.5, when "Block
loading of remote images in mail messages" is enabled, does not
properly block external images from inline HTML attachments, which
could allow remote attackers to obtain sensitive information, such as
application version or IP address, when the user reads the email and
the external image is accessed.


=====================

CVE-2006-0748 mfsa2006-27, 328937, 317554 ... on hold right now

=====================

CVE-2006-1726 mfsa2006-28, 323501

Affected: all (1.5/1.8 only)

Advisory:
Unspecified vulnerability in Firefox and Thunderbird 1.5 before
1.5.0.2, and SeaMonkey before 1.0.1, allows remote attackers to bypass
the js_ValueToFunctionObject check and execute arbitrary code via
unknown vectors involving setTimeout and Firefox' ForEach method.


======================

CVE-2006-1725 mfsa2006-29, 327014

Affected: browsers only

Advisory:
Mozilla Firefox 1.5 before 1.5.0.2 and SeaMonkey before 1.0.1 causes
certain windows to become translucent due to an interaction between
XUL content windows and the history mechanism, which might allow
user-complicit remote attackers to trick users into executing
arbitrary code.


=======================

CVE-2005-2353 nomfsa, 304330 (fixed in debian?)

Affected: all 

Advisory:
run-mozilla.sh in Thunderbird, with debugging enabled, allows local
users to create or overwrite arbitrary files via a symlink attack on
temporary files.

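As an added example (not part of Alexander's mail or of any Debian tooling), a small Python checker that parses list lines of the shape used above, CVE, MFSA (or nomfsa), Bugzilla ids and an "Affected:" scope, and reports the inconsistencies the mail asks readers to look for: a short-list entry such as mfsa2006-21 that has no detailed section, differing bug ids, or "thunderbird only" versus "thunderbird". The embedded sample is built from the mail's lines in their raw form; all function and field names are the example's own.

```python
import re
from collections import namedtuple

# Sample input built from the mail's list lines in their raw form (mixed dashes, trailing commas, repeated id).
SHORT_LIST = """\
CVE-2006-1737 mfsa2006-11 280769, 265736, 280769, 311710, 313173, 315304, -- all
CVE-2006-0884 mfsa2006-21, 319858 - all
CVE-2006-1045 mfsa2006-26, 328917 - thunderbird only
"""
DETAILED = """\
CVE-2006-1737 mfsa2006-11 bug 280769, 265736, 280769, 311710, 313173, 315304

Affected: all
CVE-2006-1045 mfsa2006-26, 328917
Affected: thunderbird
"""
HEADER = re.compile(r"^(CVE-\d{4}-\d+)\s+(mfsa\d{4}-\d+|nomfsa),?\s*(?:bug\s+)?(.*)$")
Entry = namedtuple("Entry", "cve mfsa bugs affected")  # bugs: de-duplicated Bugzilla ids
def norm_scope(text):
    # "browsers only", "thunderbird only", "all (1.5/1.8 only)" -> "browsers", "thunderbird", "all"
    text = re.sub(r"\(.*?\)", "", text).strip()
    return re.sub(r"\s+only$", "", text) or None
def parse_header(line):
    if not (m := HEADER.match(line.strip())):
        return None
    cve, mfsa, rest = m.groups()
    rest = re.sub(r"\(.*?\)", "", rest)                    # drop remarks like "(fixed in debian?)"
    bugs, *scope = re.split(r"\s-+\s*", rest, maxsplit=1)  # "<bug ids>[ -| --] <scope>"
    ids = frozenset(int(b) for b in re.findall(r"\b\d{5,7}\b", bugs))
    return Entry(cve, mfsa, ids, norm_scope(scope[0]) if scope else None)
def parse_detailed(text):
    out, cur = {}, None  # an "Affected:" line may follow its header after blank lines
    for line in text.splitlines():
        if line.startswith("Affected:") and cur:
            out[cur.cve] = cur._replace(affected=norm_scope(line[9:]))
        elif (e := parse_header(line)):
            cur = out[e.cve] = e
    return out
def cross_check(short_text, detailed_text):
    # Report CVEs whose short-list entry lacks, or disagrees with, a detailed section.
    short = {e.cve: e for e in map(parse_header, short_text.splitlines()) if e}
    detailed, findings = parse_detailed(detailed_text), []
    for cve, s in short.items():
        d = detailed.get(cve)
        if d is None:
            findings.append(f"{cve}: in short list ({s.mfsa}) but has no detailed section")
        elif s.bugs != d.bugs:
            findings.append(f"{cve}: bug ids differ: {sorted(s.bugs ^ d.bugs)}")
        elif s.affected and s.affected != d.affected:
            findings.append(f"{cve}: scope {s.affected!r} vs {d.affected!r}")
    return findings
```

Run against the full mail text by splitting it at "Now the detailed advisories:" and passing the two halves to cross_check.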


 - Alexander

-- 
 GPG messages preferred.    |  .''`.  ** Debian GNU/Linux **
 Alexander Sack             | : :' :      The  universal
 asac at debian.org            | `. `'      Operating System
 http://www.asoftsite.org/  |   `-    http://www.debian.org/
