FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-29 07:54:42 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
a81746a1-c2c7-11d9-89f7-02061b08fc24mozilla -- "Wrapped" javascript: urls bypass security checks

A Mozilla Foundation Security Advisory reports:

Some security checks intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: url in the view-source: pseudo-protocol. Michael Krax demonstrated that a variant of his favicon exploit could still execute arbitrary code, and the same technique could also be used to perform cross-site scripting.

Georgi Guninski demonstrated the same flaw wrapping javascript: urls with the jar: pseudo-protocol.

L. David Baron discovered a nested variant that defeated checks in the script security manager.

Workaround: Disable Javascript


Discovery 2005-05-11
Entry 2005-05-12
firefox
< 1.0.4,1

linux-firefox
< 1.0.4

mozilla
< 1.7.8,2

ge 1.8.*,2

linux-mozilla
linux-mozilla-devel
< 1.7.8

ge 1.8.*

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

http://www.mozilla.org/security/announce/mfsa2005-43.html
7d2aac52-9c6b-11d9-99a7-000a95bc6faemozilla -- heap buffer overflow in GIF image processing

A Mozilla Foundation Security Advisory states:

An (sic) GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine.


Discovery 2005-03-10
Entry 2005-03-24
firefox
< 1.0.2,1

thunderbird
linux-firefox
< 1.0.2

mozilla
< 1.7.6,2

ge 1.8.*,2

linux-mozilla
linux-mozilla-devel
< 1.7.6

ge 1.8.*

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

CVE-2005-0399
http://www.mozilla.org/security/announce/mfsa2005-30.html
http://xforce.iss.net/xforce/alerts/id/191
https://bugzilla.mozilla.org/show_bug.cgi?id=285595
5360a659-131c-11d9-bc4a-000c41e2cdadmozilla -- hostname spoofing bug

When processing URIs that contain an unqualified host name-- specifically, a domain name of only one component-- Mozilla will perform matching against the first component of the domain name in SSL certificates. In other words, in some situations, a certificate issued to "www.example.com" will be accepted as matching "www".


Discovery 2004-02-12
Entry 2004-09-30
thunderbird
< 0.7

de-linux-mozillafirebird
el-linux-mozillafirebird
firefox
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
< 0.9.2

de-netscape7
fr-netscape7
ja-netscape7
netscape7
pt_BR-netscape7
le 7.2

mozilla-gtk1
linux-mozilla
linux-mozilla-devel
< 1.7

mozilla
< 1.7,2

de-linux-netscape
fr-linux-netscape
ja-linux-netscape
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
ge 0

CVE-2004-0765
http://bugzilla.mozilla.org/show_bug.cgi?id=234058
d022754d-8839-11d9-aa18-0001020eed82mozilla -- insecure temporary directory vulnerability

A Mozilla Foundation Security Advisory reports:

A predictable name is used for the plugin temporary directory. A malicious local user could symlink this to the victim's home directory and wait for the victim to run Firefox. When Firefox shuts down the victim's directory would be erased.


Discovery 2005-02-06
Entry 2005-02-26
firefox
< 1.0.1,1

mozilla
< 1.7.6,2

linux-mozilla
linux-mozilla-devel
< 1.7.6

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

http://www.mozilla.org/security/announce/mfsa2005-28.html
https://bugzilla.mozilla.org/show_bug.cgi?id=281284
a6427195-c2c7-11d9-89f7-02061b08fc24mozilla -- privilege escalation via non-DOM property overrides

A Mozilla Foundation Security Advisory reports:

Additional checks were added to make sure Javascript eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privilege of the context calling them in order to protect against an additional variant of MFSA 2005-41.

The Mozilla Foundation Security Advisory MFSA 2005-41 reports:

moz_bug_r_a4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu.


Discovery 2005-05-11
Entry 2005-05-12
firefox
< 1.0.4,1

linux-firefox
< 1.0.4

mozilla
< 1.7.8,2

ge 1.8.*,2

linux-mozilla
linux-mozilla-devel
< 1.7.8

ge 1.8.*

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

http://www.mozilla.org/security/announce/mfsa2005-44.html
cbfde1cd-87eb-11d9-aa18-0001020eed82mozilla -- arbitrary code execution vulnerability

A Mozilla Foundation Security Advisory reports:

Plugins (such as flash) can be used to load privileged content into a frame. Once loaded various spoofs can be applied to get the user to interact with the privileged content. Michael Krax's "Fireflashing" example demonstrates that an attacker can open about:config in a frame, hide it with an opacity setting, and if the attacker can get the victim to click at a particular spot (design some kind of simple game) you could toggle boolean preferences, some of which would make further attacks easier.

The "firescrolling" example demonstrates arbitrary code execution (in this case downloading a file) by convincing the user to scroll twice.

Workaround: Disable JavaScript.


Discovery 2005-02-24
Entry 2005-02-26
firefox
< 1.0.1,1

mozilla
< 1.7.6,2

linux-mozilla
linux-mozilla-devel
< 1.7.6

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

CVE-2005-0527
http://www.mikx.de/fireflashing/
http://www.mikx.de/firescrolling/
http://www.mozilla.org/security/announce/mfsa2005-27.html
2e28cefb-2aee-11da-a263-0001020eed82firefox & mozilla -- command line URL shell command injection

A Secunia Advisory reports:

Peter Zelezny has discovered a vulnerability in Firefox, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in the URL provided via the command line. This can e.g. be exploited to execute arbitrary shell commands by tricking a user into following a malicious link in an external application which uses Firefox as the default browser.


Discovery 2005-09-06
Entry 2005-09-22
Modified 2005-10-26
firefox
< 1.0.7,1

linux-firefox
< 1.0.7

mozilla
< 1.7.12,2

ge 1.8.*,2

linux-mozilla
< 1.7.12

linux-mozilla-devel
gt 0

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

CVE-2005-2968
https://bugzilla.mozilla.org/show_bug.cgi?id=307185
http://secunia.com/advisories/16869/
http://www.mozilla.org/security/announce/mfsa2005-59.html
b0911985-6e2a-11d9-9557-000a95bc6faeweb browsers -- window injection vulnerabilities

A Secunia Research advisory reports:

Secunia Research has reported a vulnerability in multiple browsers, which can be exploited by malicious people to spoof the content of websites.

The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_window_injection_vulnerability_test/

A workaround for Mozilla-based browsers is available.


Discovery 2004-12-08
Entry 2005-01-24
Modified 2005-02-26
firefox
< 1.0.1,1

mozilla
< 1.7.6,2

linux-mozilla
linux-mozilla-devel
< 1.7.6

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
de-netscape7
fr-netscape7
ja-netscape7
netscape7
pt_BR-netscape7
mozilla-gtk1
ge 0

de-linux-netscape
fr-linux-netscape
ja-linux-netscape
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
ge 0

kdebase
kdelibs
< 3.3.2

opera
opera-devel
linux-opera
< 7.54.20050131

http://secunia.com/secunia_research/2004-13/advisory/
http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
CVE-2004-1156
http://secunia.com/advisories/13129/
https://bugzilla.mozilla.org/show_bug.cgi?id=273699
https://bugzilla.mozilla.org/show_bug.cgi?id=103638
http://mozillanews.org/?article_date=2004-12-08+06-48-46
CVE-2004-1157
http://secunia.com/advisories/13253/
CVE-2004-1158
http://secunia.com/advisories/13254/
http://www.kde.org/info/security/advisory-20041213-1.txt
CVE-2004-1160
http://secunia.com/advisories/13402/
5d72701a-f601-11d9-bcd1-02061b08fc24firefox & mozilla -- multiple vulnerabilities

The Mozilla Foundation reports of multiple security vulnerabilities in Firefox and Mozilla:

  • MFSA 2005-56 Code execution through shared function objects
  • MFSA 2005-55 XHTML node spoofing
  • MFSA 2005-54 Javascript prompt origin spoofing
  • MFSA 2005-53 Standalone applications can run arbitrary code through the browser
  • MFSA 2005-52 Same origin violation: frame calling top.focus()
  • MFSA 2005-51 The return of frame-injection spoofing
  • MFSA 2005-50 Possibly exploitable crash in InstallVersion.compareTo()
  • MFSA 2005-49 Script injection from Firefox sidebar panel using data:
  • MFSA 2005-48 Same-origin violation with InstallTrigger callback
  • MFSA 2005-47 Code execution via "Set as Wallpaper"
  • MFSA 2005-46 XBL scripts ran even when Javascript disabled
  • MFSA 2005-45 Content-generated event vulnerabilities

Discovery 2005-07-12
Entry 2005-07-16
firefox
< 1.0.5,1

linux-firefox
< 1.0.5

mozilla
< 1.7.9,2

ge 1.8.*,2

linux-mozilla
linux-mozilla-devel
< 1.7.9

ge 1.8.*

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

CVE-2005-1937
CVE-2005-2260
CVE-2005-2261
CVE-2005-2262
CVE-2005-2263
CVE-2005-2264
CVE-2005-2265
CVE-2005-2266
CVE-2005-2267
CVE-2005-2268
CVE-2005-2269
CVE-2005-2270
http://www.mozilla.org/projects/security/known-vulnerabilities.html
http://www.mozilla.org/security/announce/mfsa2005-45.html
http://www.mozilla.org/security/announce/mfsa2005-46.html
http://www.mozilla.org/security/announce/mfsa2005-47.html
http://www.mozilla.org/security/announce/mfsa2005-48.html
http://www.mozilla.org/security/announce/mfsa2005-49.html
http://www.mozilla.org/security/announce/mfsa2005-50.html
http://www.mozilla.org/security/announce/mfsa2005-51.html
http://www.mozilla.org/security/announce/mfsa2005-52.html
http://www.mozilla.org/security/announce/mfsa2005-53.html
http://www.mozilla.org/security/announce/mfsa2005-54.html
http://www.mozilla.org/security/announce/mfsa2005-55.html
http://www.mozilla.org/security/announce/mfsa2005-56.html
a77849a5-696f-11d9-ae49-000c41e2cdadmozilla -- insecure permissions for some downloaded files

In a Mozilla bug report, Daniel Kleinsinger writes:

I was comparing treatment of attachments opened directly from emails on different platforms. I discovered that Linux builds save attachments in /tmp with world readable rights. This doesn't seem like a good thing. Couldn't someone else logged onto the same machine read your attachments?

This could expose the contents of downloaded files or email attachments to other users on a multi-user system.


Discovery 2004-07-13
Entry 2005-01-18
thunderbird
< 0.9

de-linux-mozillafirebird
el-linux-mozillafirebird
firefox
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
< 1.0.r2,1

de-netscape7
fr-netscape7
ja-netscape7
netscape7
pt_BR-netscape7
le 7.2

mozilla-gtk1
linux-mozilla
linux-mozilla-devel
< 1.7.5

mozilla
< 1.7.5,2

de-linux-netscape
fr-linux-netscape
ja-linux-netscape
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
ge 0

https://bugzilla.mozilla.org/show_bug.cgi?id=251297
http://marc.theaimsgroup.com/?l=full-disclosure&m=109865078103911
8f5dd74b-2c61-11da-a263-0001020eed82firefox & mozilla -- multiple vulnerabilities

A Mozilla Foundation Security Advisory reports of multiple issues:

Heap overrun in XBM image processing

jackerror reports that an improperly terminated XBM image ending with space characters instead of the expected end tag can lead to a heap buffer overrun. This appears to be exploitable to install or run malicious code on the user's machine.

Thunderbird does not support the XBM format and is not affected by this flaw.

Crash on "zero-width non-joiner" sequence

Mats Palmgren discovered that a reported crash on Unicode sequences with "zero-width non-joiner" characters was due to stack corruption that may be exploitable.

XMLHttpRequest header spoofing

It was possible to add illegal and malformed headers to an XMLHttpRequest. This could have been used to exploit server or proxy flaws from the user's machine, or to fool a server or proxy into thinking a single request was a stream of separate requests. The severity of this vulnerability depends on the value of servers which might be vulnerable to HTTP request smuggling and similar attacks, or which share an IP address (virtual hosting) with the attacker's page.

For users connecting to the web through a proxy this flaw could be used to bypass the same-origin restriction on XMLHttpRequests by fooling the proxy into handling a single request as multiple pipe-lined requests directed at arbitrary hosts. This could be used, for example, to read files on intranet servers behind a firewall.

Object spoofing using XBL

moz_bug_r_a4 demonstrated a DOM object spoofing bug similar to MFSA 2005-55 using an XBL control that an internal interface. The severity depends on the version of Firefox: investigation so far indicates Firefox 1.0.x releases don't expose any vulnerable functionality to interfaces spoofed in this way, but that early Deer Park Alpha 1 versions did.

XBL was changed to no longer allow unprivileged controls from web content to implement XPCOM interfaces.

JavaScript integer overflow

Georgi Guninski reported an integer overflow in the JavaScript engine. We presume this could be exploited to run arbitrary code under favorable conditions.

Privilege escalation using about: scheme

heatsync and shutdown report two different ways to bypass the restriction on loading high privileged "chrome" pages from an unprivileged "about:" page. By itself this is harmless--once the "about" page's privilege is raised the original page no longer has access--but should this be combined with a same-origin violation this could lead to arbitrary code execution.

Chrome window spoofing

moz_bug_r_a4 demonstrates a way to get a blank "chrome" canvas by opening a window from a reference to a closed window. The resulting window is not privileged, but the normal browser UI is missing and can be used to construct a spoof page without any of the safety features of the browser chrome designed to alert users to phishing sites, such as the address bar and the status bar.


Discovery 2005-09-22
Entry 2005-09-23
Modified 2005-10-26
firefox
< 1.0.7,1

linux-firefox
< 1.0.7

mozilla
< 1.7.12,2

ge 1.8.*,2

linux-mozilla
< 1.7.12

linux-mozilla-devel
gt 0

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

CVE-2005-2701
CVE-2005-2702
CVE-2005-2703
CVE-2005-2704
CVE-2005-2705
CVE-2005-2706
CVE-2005-2707
http://www.mozilla.org/security/announce/mfsa2005-58.html
b2e6d1d6-1339-11d9-bc4a-000c41e2cdadmozilla -- scripting vulnerabilities

Several scripting vulnerabilities were discovered and corrected in Mozilla:

CVE-2004-0905

javascript; links dragged onto another frame or page allows an attacker to steal or modify sensitive information from other sites. The user could be convinced to drag obscurred links in the context of a game or even a fake scrollbar. If the user could be convinced to drag two links in sequence into a separate window (not frame) the attacker would be able to run arbitrary programs.

CVE-2004-0908

Untrusted javascript code can read and write to the clipboard, stealing any sensitive data the user might have copied. Workaround: disable javascript

CVE-2004-0909

Signed scripts requesting enhanced abilities could construct the request in a way that led to a confusing grant dialog, possibly fooling the user into thinking the privilege requested was inconsequential while actually obtaining explicit permission to run and install software. Workaround: Never grant enhanced abilities of any kind to untrusted web pages.


Discovery 2004-09-13
Entry 2004-09-30
thunderbird
< 0.8

de-linux-mozillafirebird
el-linux-mozillafirebird
firefox
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
< 1.p

de-netscape7
fr-netscape7
ja-netscape7
netscape7
pt_BR-netscape7
le 7.2

mozilla-gtk1
linux-mozilla
linux-mozilla-devel
< 1.7.3

mozilla
< 1.7.3,2

de-linux-netscape
fr-linux-netscape
ja-linux-netscape
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
ge 0

CVE-2004-0905
CVE-2004-0908
CVE-2004-0909
http://bugzilla.mozilla.org/show_bug.cgi?id=250862
http://bugzilla.mozilla.org/show_bug.cgi?id=257523
http://bugzilla.mozilla.org/show_bug.cgi?id=253942
ab9c559e-115a-11d9-bc4a-000c41e2cdadmozilla -- BMP decoder vulnerabilities

Gael Delalleau discovered several integer overflows in Mozilla's BMP decoder that can result in denial-of-service or arbitrary code execution.


Discovery 2004-09-13
Entry 2004-09-28
Modified 2004-09-30
thunderbird
< 0.7.3_1

de-linux-mozillafirebird
el-linux-mozillafirebird
firefox
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
linux-phoenix
phoenix
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
< 0.9.3_1

de-netscape7
fr-netscape7
ja-netscape7
netscape7
pt_BR-netscape7
le 7.2

linux-mozilla
linux-mozilla-devel
< 1.7.3

mozilla-gtk1
< 1.7.2_3

mozilla
< 1.7.2_2,2

ge 1.8.a,2 lt 1.8.a3_1,2

mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk
mozilla-gtk2
mozilla-thunderbird
linux-netscape
de-linux-netscape
fr-linux-netscape
ja-linux-netscape
ge 0

CVE-2004-0904
http://bugzilla.mozilla.org/show_bug.cgi?id=255067
TA04-261A
847200
8665ebb9-2237-11da-978e-0001020eed82firefox & mozilla -- buffer overflow vulnerability

Tom Ferris reports:

A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host.

The problem seems to be when a hostname which has all dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but is sets encHost to an empty string. Meaning, Firefox appends 0 to approxLen and then appends the long string of dashes to the buffer instead.

Note: It is possible to disable IDN support as a workaround to protect against this buffer overflow. How to do this is described on the What Firefox and Mozilla users should know about the IDN buffer overflow security issue web page.


Discovery 2005-09-08
Entry 2005-09-10
Modified 2005-10-26
firefox
< 1.0.6_5,1

linux-firefox
< 1.0.7

mozilla
< 1.7.11_1,2

ge 1.8.*,2 lt 1.8.b1_5,2

linux-mozilla
< 1.7.12

linux-mozilla-devel
gt 0

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

14784
573857
CVE-2005-2871
http://marc.theaimsgroup.com/?l=full-disclosure&m=112624614008387
http://www.mozilla.org/security/idn.html
https://bugzilla.mozilla.org/show_bug.cgi?id=307259
http://www.mozilla.org/security/announce/mfsa2005-57.html
a7e0d783-131b-11d9-bc4a-000c41e2cdadmozilla -- users may be lured into bypassing security dialogs

According to the Mozilla project:

An attacker who could lure users into clicking in particular places, or typing specific text, could cause a security permission or software installation dialog to pop up under the user's mouse click, clicking on the grant (or install) button.


Discovery 2004-06-05
Entry 2004-09-30
thunderbird
< 0.7

de-linux-mozillafirebird
el-linux-mozillafirebird
firefox
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
< 0.9.2

de-netscape7
fr-netscape7
ja-netscape7
netscape7
pt_BR-netscape7
le 7.2

mozilla-gtk1
linux-mozilla
linux-mozilla-devel
< 1.7

mozilla
< 1.7,2

de-linux-netscape
fr-linux-netscape
ja-linux-netscape
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
ge 0

CVE-2004-0762
http://bugzilla.mozilla.org/show_bug.cgi?id=162020
f650d5b8-ae62-11d9-a788-0001020eed82mozilla -- privilege escalation via DOM property overrides

A Mozilla Foundation Security Advisory reports:

moz_bug_r_a4 reported several exploits giving an attacker the ability to install malicious code or steal data, requiring only that the user do commonplace actions like click on a link or open the context menu. The common cause in each case was privileged UI code ("chrome") being overly trusting of DOM nodes from the content window. Scripts in the web page can override properties and methods of DOM nodes and shadow the native values, unless steps are taken to get the true underlying values.

We found that most extensions also interacted with content DOM in a natural, but unsafe, manner. Changes were made so that chrome code using this natural DOM coding style will now automatically use the native DOM value if it exists without having to use cumbersome wrapper objects.

Most of the specific exploits involved tricking the privileged code into calling eval() on an attacker-supplied script string, or the equivalent using the Script() object. Checks were added in the security manager to make sure eval and Script objects are run with the privileges of the context that created them, not the potentially elevated privileges of the context calling them.

Workaround: Disable Javascript


Discovery 2005-04-15
Entry 2005-04-16
firefox
< 1.0.3,1

linux-firefox
< 1.0.3

mozilla
< 1.7.7,2

ge 1.8.*,2

linux-mozilla
linux-mozilla-devel
< 1.7.7

ge 1.8.*

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

http://www.mozilla.org/security/announce/mfsa2005-41.html
eca6195a-c233-11d9-804c-02061b08fc24mozilla -- code execution via javascript: IconURL vulnerability

A Mozilla Foundation Security Advisory reports:

Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.

  1. The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
  2. Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").

A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.


Discovery 2005-05-08
Entry 2005-05-11
firefox
< 1.0.4,1

linux-firefox
< 1.0.4

mozilla
< 1.7.8,2

ge 1.8.*,2

linux-mozilla
linux-mozilla-devel
< 1.7.8

ge 1.8.*

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

CVE-2005-1476
CVE-2005-1477
http://www.mozilla.org/security/announce/mfsa2005-42.html
1989b511-ae62-11d9-a788-0001020eed82mozilla -- code execution through javascript: favicons

A Mozilla Foundation Security Advisory reports:

Firefox and the Mozilla Suite support custom "favicons" through the tag. If a link tag is added to the page programmatically and a javascript: url is used, then script will run with elevated privileges and could run or install malicious software.

Workaround: Disable Javascript


Discovery 2005-04-12
Entry 2005-04-16
firefox
< 1.0.3,1

linux-firefox
< 1.0.3

mozilla
< 1.7.7,2

ge 1.8.*,2

linux-mozilla
linux-mozilla-devel
< 1.7.7

ge 1.8.*

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

http://www.mozilla.org/security/announce/mfsa2005-37.html
45b75152-ae5f-11d9-a788-0001020eed82mozilla -- javascript "lambda" replace exposes memory contents

A Mozilla Foundation Security Advisory reports:

A bug in javascript's regular expression string replacement when using an anonymous function as the replacement argument allows a malicious script to capture blocks of memory allocated to the browser. A web site could capture data and transmit it to a server without user interaction or knowledge.

Workaround: Disable Javascript


Discovery 2005-04-01
Entry 2005-04-16
firefox
< 1.0.3,1

linux-firefox
< 1.0.3

mozilla
< 1.7.7,2

ge 1.8.*,2

linux-mozilla
linux-mozilla-devel
< 1.7.7

ge 1.8.*

netscape7
ge 0

de-linux-mozillafirebird
el-linux-mozillafirebird
ja-linux-mozillafirebird-gtk1
ja-mozillafirebird-gtk2
linux-mozillafirebird
ru-linux-mozillafirebird
zhCN-linux-mozillafirebird
zhTW-linux-mozillafirebird
ge 0

de-linux-netscape
de-netscape7
fr-linux-netscape
fr-netscape7
ja-linux-netscape
ja-netscape7
linux-netscape
linux-phoenix
mozilla+ipv6
mozilla-embedded
mozilla-firebird
mozilla-gtk1
mozilla-gtk2
mozilla-gtk
mozilla-thunderbird
phoenix
pt_BR-netscape7
ge 0

CVE-2005-0989
http://www.mozilla.org/security/announce/mfsa2005-33.html
https://bugzilla.mozilla.org/show_bug.cgi?id=288688