FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

firefox & mozilla -- multiple vulnerabilities

Affected packages
firefox < 1.0.7,1
linux-firefox < 1.0.7
mozilla < 1.7.12,2
1.8.*,2 <= mozilla
linux-mozilla < 1.7.12
0 < linux-mozilla-devel
0 <= netscape7
0 <= de-linux-mozillafirebird
0 <= el-linux-mozillafirebird
0 <= ja-linux-mozillafirebird-gtk1
0 <= ja-mozillafirebird-gtk2
0 <= linux-mozillafirebird
0 <= ru-linux-mozillafirebird
0 <= zhCN-linux-mozillafirebird
0 <= zhTW-linux-mozillafirebird
0 <= de-linux-netscape
0 <= de-netscape7
0 <= fr-linux-netscape
0 <= fr-netscape7
0 <= ja-linux-netscape
0 <= ja-netscape7
0 <= linux-netscape
0 <= linux-phoenix
0 <= mozilla+ipv6
0 <= mozilla-embedded
0 <= mozilla-firebird
0 <= mozilla-gtk
0 <= mozilla-gtk1
0 <= mozilla-gtk2
0 <= mozilla-thunderbird
0 <= phoenix
0 <= pt_BR-netscape7

Details

VuXML ID 8f5dd74b-2c61-11da-a263-0001020eed82
Discovery 2005-09-22
Entry 2005-09-23
Modified 2005-10-26

A Mozilla Foundation Security Advisory reports of multiple issues:

Heap overrun in XBM image processing

jackerror reports that an improperly terminated XBM image ending with space characters instead of the expected end tag can lead to a heap buffer overrun. This appears to be exploitable to install or run malicious code on the user's machine.

Thunderbird does not support the XBM format and is not affected by this flaw.

Crash on "zero-width non-joiner" sequence

Mats Palmgren discovered that a reported crash on Unicode sequences with "zero-width non-joiner" characters was due to stack corruption that may be exploitable.

XMLHttpRequest header spoofing

It was possible to add illegal and malformed headers to an XMLHttpRequest. This could have been used to exploit server or proxy flaws from the user's machine, or to fool a server or proxy into thinking a single request was a stream of separate requests. The severity of this vulnerability depends on the value of servers which might be vulnerable to HTTP request smuggling and similar attacks, or which share an IP address (virtual hosting) with the attacker's page.

For users connecting to the web through a proxy this flaw could be used to bypass the same-origin restriction on XMLHttpRequests by fooling the proxy into handling a single request as multiple pipe-lined requests directed at arbitrary hosts. This could be used, for example, to read files on intranet servers behind a firewall.

Object spoofing using XBL <implements>

moz_bug_r_a4 demonstrated a DOM object spoofing bug similar to MFSA 2005-55 using an XBL control that <implements> an internal interface. The severity depends on the version of Firefox: investigation so far indicates Firefox 1.0.x releases don't expose any vulnerable functionality to interfaces spoofed in this way, but that early Deer Park Alpha 1 versions did.

XBL was changed to no longer allow unprivileged controls from web content to implement XPCOM interfaces.

JavaScript integer overflow

Georgi Guninski reported an integer overflow in the JavaScript engine. We presume this could be exploited to run arbitrary code under favorable conditions.

Privilege escalation using about: scheme

heatsync and shutdown report two different ways to bypass the restriction on loading high privileged "chrome" pages from an unprivileged "about:" page. By itself this is harmless--once the "about" page's privilege is raised the original page no longer has access--but should this be combined with a same-origin violation this could lead to arbitrary code execution.

Chrome window spoofing

moz_bug_r_a4 demonstrates a way to get a blank "chrome" canvas by opening a window from a reference to a closed window. The resulting window is not privileged, but the normal browser UI is missing and can be used to construct a spoof page without any of the safety features of the browser chrome designed to alert users to phishing sites, such as the address bar and the status bar.

References

CVE Name CVE-2005-2701
CVE Name CVE-2005-2702
CVE Name CVE-2005-2703
CVE Name CVE-2005-2704
CVE Name CVE-2005-2705
CVE Name CVE-2005-2706
CVE Name CVE-2005-2707
URL http://www.mozilla.org/security/announce/mfsa2005-58.html