Date:      Wed, 8 May 2002 20:06:52 -0400 (EDT)
From:      Trevor Johnson <trevor@jpj.net>
To:        security-officer@freebsd.org, <gnome@freebsd.org>
Subject:   FYI:  more Mozilla security bugs
Message-ID:  <20020508200506.X28748-100000@blues.jpj.net>

---------- Forwarded message ----------
Received: from mx2.freebsd.org (mx2.FreeBSD.org [216.136.204.119])
	by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g4903Vt29318
	for <trevor@jpj.net>; Wed, 8 May 2002 20:03:32 -0400 (EDT)
Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18])
	by mx2.freebsd.org (Postfix) with ESMTP id 6DA3356114
	for <trevor@jpj.net>; Wed,  8 May 2002 17:03:31 -0700 (PDT)
	(envelope-from owner-cvs-committers@FreeBSD.org)
Received: by hub.freebsd.org (Postfix)
	id 6B64A37B484; Wed,  8 May 2002 17:03:28 -0700 (PDT)
Delivered-To: trevor@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 538)
	id EF61237B41B; Wed,  8 May 2002 17:03:08 -0700 (PDT)
Delivered-To: cvs-committers@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0BB5737B41F; Wed,  8 May 2002 17:03:03 -0700 (PDT)
Received: (from trevor@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g49033s09819;
	Wed, 8 May 2002 17:03:03 -0700 (PDT)
	(envelope-from trevor)
Message-Id: <200205090003.g49033s09819@freefall.freebsd.org>
From: Trevor Johnson <trevor@FreeBSD.org>
Date: Wed, 8 May 2002 17:03:03 -0700 (PDT)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/www/linux-mozilla Makefile distinfo
         ports/www/linux-mozilla/scripts configure
X-FreeBSD-CVS-Branch: HEAD
Sender: owner-cvs-committers@FreeBSD.org
Precedence: bulk
X-Loop: FreeBSD.ORG
X-Spam-Status: No,
     hits=-100.0 required=3.2 tests=USER_IN_WHITELIST version=2.11

trevor      2002/05/08 17:03:03 PDT

  Modified files:
    www/linux-mozilla    Makefile distinfo
    www/linux-mozilla/scripts configure
  Log:
  Update to a nightly build.  Using the GreyMagic Mozilla Disk Explorer
  and c't Browsercheck, I am no longer able to activate bug #141061
  ("XMLHttpRequest allows reading of local files").

  In message <52D05AEFB0D95C4BAD179A054A54CDEB1BD37A@mailsrv1.jubii.dk>
  on Bugtraq, Thor Larholm described a buffer overflow in Chatzilla.
  I confirmed the bug with this version of Mozilla/Chatzilla.  Therefore
  the chatzilla component is now omitted from batch builds and defaults
  to being omitted from interactive ones too (XFree86 did crash
  once--perhaps taken down by Mozilla--when I was viewing Thor's
  demonstration page for the bug, but a second visit was uneventful).
  I added a warning in capitals for interactive users.  I was unable
  to reproduce the other bug reported by Thor in the same message.

  Revision  Changes    Path
  1.12      +3 -6      ports/www/linux-mozilla/Makefile
  1.6       +13 -23    ports/www/linux-mozilla/distinfo
  1.3       +2 -2      ports/www/linux-mozilla/scripts/configure

http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/Makefile.diff?&r1=1.11&r2=1.12&f=h
http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/distinfo.diff?&r1=1.5&r2=1.6&f=h
http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/scripts/configure.diff?&r1=1.2&r2=1.3&f=h



---------- Forwarded message ----------
Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com
    [66.38.151.27])
	by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g3UJhmt22139
	for <trevor@jpj.net>; Tue, 30 Apr 2002 15:43:49 -0400 (EDT)
Received: from lists.securityfocus.com (lists.securityfocus.com
    [66.38.151.19])
	by outgoing.securityfocus.com (Postfix) with QMQP
	id 659E0A3135; Tue, 30 Apr 2002 10:20:26 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 31139 invoked from network); 30 Apr 2002 15:42:24 -0000
Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB1BD37A@mailsrv1.jubii.dk>
From: Thor Larholm <Thor@jubii.dk>
To: "'GreyMagic Software'" <security@greymagic.com>,
   NTBugtraq <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
   Bugtraq <bugtraq@securityfocus.com>
Subject: RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
Date: Tue, 30 Apr 2002 17:42:40 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
	charset="iso-8859-1"

Disturbing.

Netscape sure must be in financial problems since they are selling out on
their users' security for a lousy $1000.

I know for one that I personally will release any future Netscape advisories
with full public disclosure and without prior Netscape notification. As a
matter of fact, why not start now?

The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun.
A typical IRC URL could look like this:

IRC://IRC.YOUR.TLD/#YOURCHANNEL

The #YOURCHANNEL part is copied to a buffer that has a limit of 32K.
If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
error:

The exception unknown software exception (0xc00000fd) occured in the
application at location 0x60e42edf

Mozilla 0.9.9 gives a similar exception:

The exception unknown software exception (0xc00000fd) occured in the
application at location 0x60dd2c79.

Other versions of Mozilla/NS6/Galeon likely share the same flaw.
I haven't tested further on how practically exploitable this is.
Short example online at

http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html

Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
vulnerability.

When embedding a stylesheet with the <LINK> element, access to CSS files
from other protocols is prohibited by the security manager. A simple HTTP
redirect circumvents this security restriction and it becomes possible to
use local or remote files of any type, with the side effect that you can
detect if specific local files exist.

http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp


Regards
Thor Larholm
Jubii A/S - Internet Programmer



-----Original Message-----
[elided by Trevor]
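
Added example (not code from the commit, the port, or Thor's post): the two defensive checks that correspond to the two bugs described above, written in C. The first copies the channel part of an irc://host/#channel URL into a fixed buffer only after checking that it fits, so an over-long channel is refused instead of overrunning the destination. The second applies the stylesheet scheme policy to every hop of a redirect chain rather than only to the initial request, which is the gap the HTTP-redirect bypass relies on. The "32K" figure and the IRC URL shape come from the report; the buffer-size constant, the function names, the http(s)-only policy and the sample URLs are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed destination buffer. The report only says "32K", so
 * this constant is an assumption for the example. */
#define CHANNEL_BUF_SIZE (32 * 1024)

/* Case-insensitive test for "<scheme>://" at the start of url. Stops at
 * the first mismatch, so a short url is never read past its NUL. */
static bool has_scheme(const char *url, const char *scheme)
{
    size_t i;
    for (i = 0; scheme[i] != '\0'; i++) {
        char c = url[i];
        if (c >= 'A' && c <= 'Z')
            c = (char)(c - 'A' + 'a');
        if (c != scheme[i])
            return false;
    }
    return url[i] == ':' && url[i + 1] == '/' && url[i + 2] == '/';
}

/* Copy the channel part of irc://host/#channel into out (bufsize bytes).
 * Returns false for a malformed URL or a channel that would not fit with
 * its terminating NUL. The length is checked before anything is copied,
 * so an over-long channel is rejected instead of overrunning out. */
bool irc_url_channel(const char *url, char *out, size_t bufsize)
{
    if (url == NULL || out == NULL || bufsize == 0 || !has_scheme(url, "irc"))
        return false;
    const char *slash = strchr(url + 6, '/');   /* skip "irc://" */
    if (slash == NULL)
        return false;
    const char *chan = slash + 1;
    size_t clen = strlen(chan);
    if (clen == 0 || clen >= bufsize)           /* >= leaves no room for NUL */
        return false;
    memcpy(out, chan, clen + 1);
    return true;
}

/* Hypothetical policy for a stylesheet loaded by an http(s) page: only
 * http(s) sources, modelled on the restriction the report says the
 * security manager applies to the initial <LINK> request. */
static bool stylesheet_scheme_allowed(const char *url)
{
    return has_scheme(url, "http") || has_scheme(url, "https");
}

/* hops[0] is the URL the <LINK> asked for, hops[1..n-1] the successive
 * redirect targets. Every hop is checked, so a redirect cannot move the
 * fetch to file: after the first URL passed. Returns the index of the
 * first offending hop, or -1 when the whole chain is acceptable. */
int redirect_chain_check(const char *const hops[], size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (!stylesheet_scheme_allowed(hops[i]))
            return (int)i;
    return -1;
}

/* --- constructed inputs for the demonstration ------------------------- */

bool demo_short_channel_ok(void)
{
    char buf[CHANNEL_BUF_SIZE];
    return irc_url_channel("IRC://IRC.YOUR.TLD/#YOURCHANNEL", buf, sizeof buf)
        && strcmp(buf, "#YOURCHANNEL") == 0;
}

bool demo_long_channel_rejected(void)
{
    static const char host[] = "irc://irc.example.test/";
    static char url[sizeof host + 40000];     /* 40000-byte channel > 32K */
    char buf[CHANNEL_BUF_SIZE];
    size_t plen = sizeof host - 1;
    memcpy(url, host, plen);
    url[plen] = '#';
    memset(url + plen + 1, 'a', 39999);
    url[plen + 40000] = '\0';
    return !irc_url_channel(url, buf, sizeof buf);
}

int demo_redirect_to_file_caught(void)
{
    static const char *const hops[] = {
        "http://www.example.test/style.css",  /* allowed first request */
        "FILE:///placeholder/local/file",     /* redirect target: rejected */
    };
    return redirect_chain_check(hops, 2);     /* 1: second hop violates */
}

int main(void)
{
    printf("short channel accepted: %s\n", demo_short_channel_ok() ? "yes" : "no");
    printf("40000-byte channel rejected: %s\n", demo_long_channel_rejected() ? "yes" : "no");
    printf("offending redirect hop: %d\n", demo_redirect_to_file_caught());
    return 0;
}
```

The point of the second function is where the check runs: a policy enforced once, before the first request, says nothing about the URL the fetch actually ends up at after a Location header, so the scheme test has to be repeated at each hop (or on the final URL) before the response body is used.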


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-gnome" in the body of the message