From owner-freebsd-gnome Wed May 8 17: 7: 8 2002
Delivered-To: freebsd-gnome@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.6])
    by hub.freebsd.org (Postfix) with ESMTP id 9E34137B41B;
    Wed, 8 May 2002 17:06:59 -0700 (PDT)
Received: from localhost (trevor@localhost)
    by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g4906ra29445;
    Wed, 8 May 2002 20:06:53 -0400 (EDT)
Date: Wed, 8 May 2002 20:06:52 -0400 (EDT)
From: Trevor Johnson
To: security-officer@freebsd.org,
Subject: FYI: more Mozilla security bugs
Message-ID: <20020508200506.X28748-100000@blues.jpj.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-gnome@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

---------- Forwarded message ----------
Received: from mx2.freebsd.org (mx2.FreeBSD.org [216.136.204.119])
    by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g4903Vt29318
    for ; Wed, 8 May 2002 20:03:32 -0400 (EDT)
Received: from hub.freebsd.org (hub.FreeBSD.org [216.136.204.18])
    by mx2.freebsd.org (Postfix) with ESMTP id 6DA3356114
    for ; Wed, 8 May 2002 17:03:31 -0700 (PDT)
    (envelope-from owner-cvs-committers@FreeBSD.org)
Received: by hub.freebsd.org (Postfix)
    id 6B64A37B484; Wed, 8 May 2002 17:03:28 -0700 (PDT)
Delivered-To: trevor@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 538)
    id EF61237B41B; Wed, 8 May 2002 17:03:08 -0700 (PDT)
Delivered-To: cvs-committers@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id 0BB5737B41F;
    Wed, 8 May 2002 17:03:03 -0700 (PDT)
Received: (from trevor@localhost)
    by freefall.freebsd.org (8.11.6/8.11.6) id g49033s09819;
    Wed, 8 May 2002 17:03:03 -0700 (PDT)
    (envelope-from trevor)
Message-Id: <200205090003.g49033s09819@freefall.freebsd.org>
From: Trevor Johnson
Date: Wed, 8 May 2002 17:03:03 -0700 (PDT)
To: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/www/linux-mozilla Makefile distinfo ports/www/linux-mozilla/scripts configure
X-FreeBSD-CVS-Branch: HEAD
Sender: owner-cvs-committers@FreeBSD.org
Precedence: bulk
X-Loop: FreeBSD.ORG
X-Spam-Status: No, hits=-100.0 required=3.2 tests=USER_IN_WHITELIST version=2.11

trevor      2002/05/08 17:03:03 PDT

  Modified files:
    www/linux-mozilla    Makefile distinfo
    www/linux-mozilla/scripts configure
  Log:
  Update to a nightly build. Using the GreyMagic Mozilla Disk Explorer and
  c't Browsercheck, I am no longer able to activate bug #141061
  ("XMLHttpRequest allows reading of local files").

  In message <52D05AEFB0D95C4BAD179A054A54CDEB1BD37A@mailsrv1.jubii.dk> on
  Bugtraq, Thor Larholm described a buffer overflow in Chatzilla. I
  confirmed the bug with this version of Mozilla/Chatzilla. Therefore the
  chatzilla component is now omitted from batch builds and defaults to
  being omitted from interactive ones too (XFree86 did crash once--perhaps
  taken down by Mozilla--when I was viewing Thor's demonstration page for
  the bug, but a second visit was uneventful). I added a warning in
  capitals for interactive users.

  I was unable to reproduce the other bug reported by Thor in the same
  message.

  Revision  Changes    Path
  1.12      +3 -6      ports/www/linux-mozilla/Makefile
  1.6       +13 -23    ports/www/linux-mozilla/distinfo
  1.3       +2 -2      ports/www/linux-mozilla/scripts/configure

  http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/Makefile.diff?&r1=1.11&r2=1.12&f=h
  http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/distinfo.diff?&r1=1.5&r2=1.6&f=h
  http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/scripts/configure.diff?&r1=1.2&r2=1.3&f=h

---------- Forwarded message ----------
Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27])
    by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g3UJhmt22139
    for ; Tue, 30 Apr 2002 15:43:49 -0400 (EDT)
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
    by outgoing.securityfocus.com (Postfix) with QMQP id 659E0A3135;
    Tue, 30 Apr 2002 10:20:26 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id:
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 31139 invoked from network); 30 Apr 2002 15:42:24 -0000
Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB1BD37A@mailsrv1.jubii.dk>
From: Thor Larholm
To: "'GreyMagic Software'" , NTBugtraq , Bugtraq
Subject: RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
Date: Tue, 30 Apr 2002 17:42:40 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"

Disturbing. Netscape sure must be in financial problems since they are
selling out on their users' security for a lousy $1000. I know for one
that I personally will release any future Netscape advisories with full
public disclosure and without prior Netscape notification.

As a matter of fact, why not start now?

The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer
overrun.

A typical IRC URL could look like this:

  IRC://IRC.YOUR.TLD/#YOURCHANNEL

The #YOURCHANNEL part is copied to a buffer that has a limit of 32K. If
the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
error:

  The exception unknown software exception (0xc00000fd) occured in the
  application at location 0x60e42edf

Mozilla 0.9.9 gives a similar exception:

  The exception unknown software exception (0xc00000fd) occured in the
  application at location 0x60dd2c79.

Other versions of Mozilla/NS6/Galeon likely share the same flaw. I
haven't tested further on how practically exploitable this is.

Short example online at
http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html

Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
vulnerability. When embedding a stylesheet with the element, access to
CSS files from other protocols is prohibited by the security manager. A
simple HTTP redirect circumvents this security restriction and it becomes
possible to use local or remote files of any type, with the side effect
that you can detect if specific local files exist.

http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp

Regards
Thor Larholm
Jubii A/S - Internet Programmer

-----Original Message-----
[elided by Trevor]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-gnome" in the body of the message
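As an added illustration of the class of bug Thor describes (the #channel part of an irc:// URL copied into a fixed-size buffer with no length check), and not code from Mozilla, Chatzilla or either message above: a bounded parser for that URL part in C that refuses over-long input instead of copying it. The 200-byte channel limit, the irc.example.net host and all function names are assumptions made for the example.

```c
#include <ctype.h>
#include <string.h>

/* Illustrative bound (assumed; RFC 2812 allows 50): the report describes a 32K buffer filled with no such check. */
#define IRC_CHANNEL_MAX 200

enum irc_result { IRC_OK = 0, IRC_BAD_SCHEME = -1, IRC_NO_CHANNEL = -2, IRC_TOO_LONG = -3 };

static int has_irc_scheme(const char *s)       /* scheme match is case-insensitive */
{
    for (const char *w = "irc://"; *w; s++, w++)
        if (tolower((unsigned char)*s) != *w) return 0;
    return 1;
}

/* Copy the "#channel" part of irc://host/#channel into out (outlen bytes). The length is
 * checked against the bound and the caller's buffer before any byte is written. */
int irc_parse_channel(const char *url, char *out, size_t outlen)
{
    const char *chan, *end;
    size_t clen;
    if (!url || !out || outlen == 0 || !has_irc_scheme(url)) return IRC_BAD_SCHEME;
    chan = strchr(url + 6, '/');               /* host part ends at the first '/' */
    if (chan == NULL || *++chan == '\0') return IRC_NO_CHANNEL;
    end = strchr(chan, '?');                   /* a query, if any, ends the channel */
    clen = end ? (size_t)(end - chan) : strlen(chan);
    if (clen == 0) return IRC_NO_CHANNEL;
    if (clen > IRC_CHANNEL_MAX || clen >= outlen) return IRC_TOO_LONG;   /* the missing check */
    memcpy(out, chan, clen);
    out[clen] = '\0';
    return IRC_OK;
}

/* Constructed input: irc://irc.example.net/#aaa... with an n-byte channel part, parsed
 * into a small stack buffer so that over-long input can be tried safely. */
int irc_parse_channel_of_length(size_t n)
{
    static const char host[] = "irc://irc.example.net/";
    static char url[65536];
    size_t plen = sizeof host - 1;
    char out[IRC_CHANNEL_MAX + 1];
    if (n > sizeof url - plen - 1) return IRC_TOO_LONG;   /* would not fit the test buffer */
    memcpy(url, host, plen);
    if (n > 0) {                               /* '#' followed by n-1 letters */
        url[plen] = '#';
        memset(url + plen + 1, 'a', n - 1);
    }
    url[plen + n] = '\0';
    return irc_parse_channel(url, out, sizeof out);
}
```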