Australia's Leading Computer Emergency Response Team
 





 

ESB-2006.0297 -- [Debian] -- New Mozilla Firefox packages fix several vulnerabilities

Date: 27 April 2006
References: AL-2006.0027  ESB-2006.0303  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                         ESB-2006.0297 -- [Debian]
         New Mozilla Firefox packages fix several vulnerabilities
                               27 April 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mozilla-firefox
Publisher:         Debian
Operating System:  Debian GNU/Linux 3.1
Impact:            Execute Arbitrary Code/Commands
                   Denial of Service
                   Cross-site Scripting
                   Inappropriate Access
                   Read-only Data Access
                   Provide Misleading Information
Access:            Remote/Unauthenticated
CVE Names:         CVE-2006-1790 CVE-2006-1742 CVE-2006-1741
                   CVE-2006-1740 CVE-2006-1739 CVE-2006-1738
                   CVE-2006-1737 CVE-2006-1736 CVE-2006-1735
                   CVE-2006-1734 CVE-2006-1733 CVE-2006-1732
                   CVE-2006-1731 CVE-2006-1730 CVE-2006-1729
                   CVE-2006-1728 CVE-2006-1727 CVE-2006-0749
                   CVE-2006-0748 CVE-2006-0296 CVE-2006-0293
                   CVE-2006-0292 CVE-2005-4134

Ref:               AL-2006.0027

Original Bulletin: http://www.debian.org/security/2006/dsa-1044

Comment: As well as covering issues mentioned in AL-2006.0027, this
         advisory also covers the malformed table issue found in
         http://www.zerodayinitiative.com/advisories/ZDI-06-011.html.
         
         Note that upgrading to the latest version as recommended in
         AL-2006.0027 will still protect against this extra vulnerability.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 1044-1                    security@debian.org
http://www.debian.org/security/                             Martin Schulze
April 26th, 2006                        http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CVE-2006-0293 CVE-2006-0292 CVE-2005-4134 CVE-2006-0296 CVE-2006-1741
                 CVE-2006-1742 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1790
                 CVE-2006-1740 CVE-2006-1736 CVE-2006-1735 CVE-2006-1734 CVE-2006-1733
                 CVE-2006-1732 CVE-2006-0749 CVE-2006-1731 CVE-2006-1730 CVE-2006-1729
                 CVE-2006-1728 CVE-2006-1727 CVE-2006-0748
CERT advisories: VU#179014 VU#252324 VU#329500 VU#488774 VU#492382 VU#592425 VU#736934
                 VU#813230 VU#842094 VU#932734 VU#935556
BugTraq IDs    : 15773 16476 17516
Debian Bugs    : 363935 362656



Several security related problems have been discovered in Mozilla
Firefox.  The Common Vulnerabilities and Exposures project identifies
the following vulnerabilities:

CVE-2005-4134

    Web pages with extremely long titles cause subsequent launches of
    the browser to appear to "hang" for up to a few minutes, or even
    crash if the computer has insufficient memory.  [MFSA-2006-03]

CVE-2006-0292

    The JavaScript interpreter does not properly dereference objects,
    which allows remote attackers to cause a denial of service or
    execute arbitrary code.  [MFSA-2006-01]

CVE-2006-0293

    The function allocation code allows attackers to cause a denial of
    service and possibly execute arbitrary code.  [MFSA-2006-01]

CVE-2006-0296

    XULDocument.persist() did not validate the attribute name,
    allowing an attacker to inject arbitrary XML and JavaScript code
    into localstore.rdf that would be read and acted upon during
    startup.  [MFSA-2006-05]

CVE-2006-0748

    An anonymous researcher for TippingPoint and the Zero Day
    Initiative reported that an invalid and nonsensical ordering of
    table-related tags can be exploited to execute arbitrary code.
    [MFSA-2006-27]

CVE-2006-0749

    A particular sequence of HTML tags can cause memory corruption
    that can be exploited to execute arbitrary code.  [MFSA-2006-18]

CVE-2006-1727

    Georgi Guninski reported two variants of using scripts in an XBL
    control to gain chrome privileges when the page is viewed under
    "Print Preview".  [MFSA-2006-25]

CVE-2006-1728

    "shutdown" discovered that the crypto.generateCRMFRequest method
    can be used to run arbitrary code with the privilege of the user
    running the browser, which could enable an attacker to install
    malware.  [MFSA-2006-24]

CVE-2006-1729

    Claus Jørgensen reported that a text input box can be pre-filled
    with a filename and then turned into a file-upload control,
    allowing a malicious website to steal any local file whose name
    they can guess.  [MFSA-2006-23]

CVE-2006-1730

    An anonymous researcher for TippingPoint and the Zero Day
    Initiative discovered an integer overflow triggered by the CSS
    letter-spacing property, which could be exploited to execute
    arbitrary code.  [MFSA-2006-22]

CVE-2006-1731

    "moz_bug_r_a4" discovered that some internal functions return
    prototypes instead of objects, which allows remote attackers to
    conduct cross-site scripting attacks.  [MFSA-2006-19]

CVE-2006-1732

    "shutdown" discovered that it is possible to bypass same-origin
    protections, allowing a malicious site to inject script into
    content from another site, which could allow the malicious page to
    steal information such as cookies or passwords from the other
    site, or perform transactions on the user's behalf if the user
    were already logged in.  [MFSA-2006-17]

CVE-2006-1733

    "moz_bug_r_a4" discovered that the compilation scope of privileged
    built-in XBL bindings is not fully protected from web content and
    can still be executed, which could be used to execute arbitrary
    JavaScript and could allow an attacker to install malware such
    as viruses and password sniffers.  [MFSA-2006-16]

CVE-2006-1734

    "shutdown" discovered that it is possible to access an internal
    function object which could then be used to run arbitrary
    JavaScript code with full permissions of the user running the
    browser, which could be used to install spyware or viruses.
    [MFSA-2006-15]

CVE-2006-1735

    It is possible to create JavaScript functions that would get
    compiled with the wrong privileges, allowing an attacker to run
    code of their choice with full permissions of the user running the
    browser, which could be used to install spyware or viruses.
    [MFSA-2006-14]

CVE-2006-1736

    It is possible to trick users into downloading and saving an
    executable file via an image that is overlaid by a transparent
    image link that points to the executable.  [MFSA-2006-13]

CVE-2006-1737

    An integer overflow allows remote attackers to cause a denial of
    service and possibly execute arbitrary bytecode via JavaScript
    with a large regular expression.  [MFSA-2006-11]

CVE-2006-1738

    An unspecified vulnerability allows remote attackers to cause a
    denial of service.  [MFSA-2006-11]

CVE-2006-1739

    Certain Cascading Style Sheets (CSS) can cause an out-of-bounds
    array write and buffer overflow that could lead to a denial of
    service and the possible execution of arbitrary code.  [MFSA-2006-11]

CVE-2006-1740

    It is possible for remote attackers to spoof secure site
    indicators such as the locked icon by opening the trusted site in
    a popup window, then changing the location to a malicious site.
    [MFSA-2006-12]

CVE-2006-1741

    "shutdown" discovered that it is possible to inject arbitrary
    JavaScript code into a page on another site using a modal alert to
    suspend an event handler while a new page is being loaded.  This
    could be used to steal confidential information.  [MFSA-2006-09]

CVE-2006-1742

    Igor Bukanov discovered that the JavaScript engine does not
    properly handle temporary variables, which might allow remote
    attackers to trigger operations on freed memory and cause memory
    corruption.  [MFSA-2006-10]

CVE-2006-1790

    A regression fix that could lead to memory corruption allows
    remote attackers to cause a denial of service and possibly execute
    arbitrary code.  [MFSA-2006-11]

For the stable distribution (sarge) these problems have been fixed in
version 1.0.4-2sarge6.

For the unstable distribution (sid) these problems have been fixed in
version 1.5.dfsg+1.5.0.2-2.

We recommend that you upgrade your Mozilla Firefox packages.


Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge6.dsc
      Size/MD5 checksum:     1001 09c185f1a695fd7b01494c7612e123bf
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge6.diff.gz
      Size/MD5 checksum:   381739 0582bbb1766855b1e82c25a39109480a
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
      Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge6_alpha.deb
      Size/MD5 checksum: 11171196 55e56e5a9306f5ea4d1508140836c042
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge6_alpha.deb
      Size/MD5 checksum:   168162 9c4d068815e6e6239970f3b248456622
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge6_alpha.deb
      Size/MD5 checksum:    60002 532591335d84fc3f28e8c91f829a33c5


  These files will probably be moved into the stable distribution on
  its next update.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFET5mhW5ql+IAeqTIRAhQiAKCJdrXOfWhgc/ZOuBRgnUHo9wJRagCbB2dy
iXGMz9cSYHObcMeNtF8fGac=
=glJt
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
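
The upgrade instructions above fetch each file with wget and install it with dpkg -i, and the listing gives a size and MD5 checksum for every file. The following is an added example, not part of the Debian or AusCERT text, that parses that listing format and checks a downloaded file against it before installation. The function names are illustrative; the two listing entries are copied from the advisory.

```python
import hashlib
import os
import re

# Two entries copied from the advisory's "Source archives" listing.
LISTING = """\
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge6.dsc
      Size/MD5 checksum:     1001 09c185f1a695fd7b01494c7612e123bf
    http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge6.diff.gz
      Size/MD5 checksum:   381739 0582bbb1766855b1e82c25a39109480a
"""

CHECK_RE = re.compile(r"Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})\s*$")


def parse_listing(text):
    """Map each file name to (size, md5) from URL / checksum line pairs."""
    entries, url = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("http://", "https://", "ftp://")):
            url = line
            continue
        m = CHECK_RE.search(line)
        if m and url:
            entries[url.rsplit("/", 1)[1]] = (int(m.group(1)), m.group(2))
            url = None
    return entries


def verify_file(path, entries):
    """Return 'ok', 'unlisted', 'size-mismatch' or 'md5-mismatch'."""
    expected = entries.get(os.path.basename(path))
    if expected is None:
        return "unlisted"
    size, md5 = expected
    if os.path.getsize(path) != size:  # cheap check before hashing
        return "size-mismatch"
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    # The MD5 only ties the file to the advisory text, so the advisory's
    # own PGP signature has to be verified first for this to mean anything.
    return "ok" if digest.hexdigest() == md5 else "md5-mismatch"


if __name__ == "__main__":
    import sys
    table = parse_listing(LISTING)
    for p in sys.argv[1:]:
        print(p, verify_file(p, table))
```

Only a file that reports "ok" should be passed to dpkg -i.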

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRFATcyh9+71yA2DNAQJasQQAgLvhocF0ueQUObbwe0IwFAmyuQ8XvW0q
BOp0Cb5t+W8f0Hhh4hJf5+D6owEPOWWL+sbcP7d/M7zc2CctK7E9XwZYdc5yXTyS
5it/hIy7w8DUp+HEqSc0LkyMg5orRosEjrqrtscPv8Sor7+RBMsWR5NaPhKTjWby
ltT8mt1hK3g=
=sb1o
-----END PGP SIGNATURE-----