Date: Wed, 5 Jun 2002 18:27:07 -0400 (EDT)
From: Trevor Johnson <trevor@jpj.net>
To: security-officer@freebsd.org, <gnome@freebsd.org>
Subject: Re: FYI: more Mozilla security bugs
Message-ID: <20020605182448.K23113-100000@blues.jpj.net>
In-Reply-To: <20020508200506.X28748-100000@blues.jpj.net>
My testing (with the linux-mozilla port) shows the Chatzilla bug has been
fixed in Mozilla 1.0.

On 8 May 2002, I wrote:

[snip]

> In message <52D05AEFB0D95C4BAD179A054A54CDEB1BD37A@mailsrv1.jubii.dk>
> on Bugtraq, Thor Larholm described a buffer overflow in Chatzilla.
> I confirmed the bug with this version of Mozilla/Chatzilla. Therefore
> the chatzilla component is now omitted from batch builds and defaults
> to being omitted from interactive ones too (XFree86 did crash
> once--perhaps taken down by Mozilla--when I was viewing Thor's
> demonstration page for the bug, but a second visit was uneventful).
> I added a warning in capitals for interactive users. I was unable
> to reproduce the other bug reported by Thor in the same message.
>
> Revision  Changes    Path
> 1.12      +3 -6      ports/www/linux-mozilla/Makefile
> 1.6       +13 -23    ports/www/linux-mozilla/distinfo
> 1.3       +2 -2      ports/www/linux-mozilla/scripts/configure
>
> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/Makefile.diff?&r1=1.11&r2=1.12&f=h
> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/distinfo.diff?&r1=1.5&r2=1.6&f=h
> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/scripts/configure.diff?&r1=1.2&r2=1.3&f=h
>
>
>
> ---------- Forwarded message ----------
> Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com
>     [66.38.151.27])
>     by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g3UJhmt22139
>     for <trevor@jpj.net>; Tue, 30 Apr 2002 15:43:49 -0400 (EDT)
> Received: from lists.securityfocus.com (lists.securityfocus.com
>     [66.38.151.19])
>     by outgoing.securityfocus.com (Postfix) with QMQP
>     id 659E0A3135; Tue, 30 Apr 2002 10:20:26 -0600 (MDT)
> Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq@securityfocus.com>
> List-Help: <mailto:bugtraq-help@securityfocus.com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
> List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
> Delivered-To: mailing list bugtraq@securityfocus.com
> Delivered-To: moderator for bugtraq@securityfocus.com
> Received: (qmail 31139 invoked from network); 30 Apr 2002 15:42:24 -0000
> Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB1BD37A@mailsrv1.jubii.dk>
> From: Thor Larholm <Thor@jubii.dk>
> To: "'GreyMagic Software'" <security@greymagic.com>,
>     NTBugtraq <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
>     Bugtraq <bugtraq@securityfocus.com>
> Subject: RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
> Date: Tue, 30 Apr 2002 17:42:40 +0200
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2653.19)
> Content-Type: text/plain;
>     charset="iso-8859-1"
>
> Disturbing.
>
> Netscape sure must be in financial problems since they are selling out on
> their users' security for a lousy $1000.
>
> I know for one that I personally will release any future Netscape advisories
> with full public disclosure and without prior Netscape notification. As a
> matter of fact, why not start now?
>
> The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun.
> A typical IRC URL could look like this:
>
> IRC://IRC.YOUR.TLD/#YOURCHANNEL
>
> The #YOURCHANNEL part is copied to a buffer that has a limit of 32K.
> If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
> error:
>
> The exception unknown software exception (0xc00000fd) occurred in the
> application at location 0x60e42edf
>
> Mozilla 0.9.9 gives a similar exception:
>
> The exception unknown software exception (0xc00000fd) occurred in the
> application at location 0x60dd2c79.
>
> Other versions of Mozilla/NS6/Galeon likely share the same flaw.
> I haven't tested further on how practically exploitable this is.
> Short example online at
>
> http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html
>
> Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
> vulnerability.
>
> When embedding a stylesheet with the <LINK> element, access to CSS files
> from other protocols is prohibited by the security manager. A simple HTTP
> redirect circumvents this security restriction and it becomes possible to
> use local or remote files of any type, with the side effect that you can
> detect if specific local files exist.
>
> http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp
>
>
> Regards
> Thor Larholm
> Jubii A/S - Internet Programmer
>
>
>
> -----Original Message-----
> [elided by Trevor]
>

--
Trevor Johnson
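The following is an added illustration, not code from the original message, from Mozilla or from the FreeBSD port, of the bug class Thor Larholm describes above: the "#channel" part of an irc:// URL copied into a fixed 32K buffer with no length check, next to the bounded form that rejects oversized input instead. The buffer size of 32768 bytes is taken from the "limit of 32K" in the message; the function names, the scheme parser and the constructed test URLs are assumptions for the example. One caveat a practitioner will want: the exception code 0xC00000FD in Thor's crash output is Windows' STATUS_STACK_OVERFLOW, raised when the stack guard page is touched, which is consistent with a large copy or allocation running off the end of the stack but does not by itself show that a return address is under attacker control, which is why the exploitability question in the message is left open.

```c
/* Added example: models the irc:// channel-buffer overrun described in the
 * quoted Bugtraq post. Not Mozilla's code; names and sizes are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHANNEL_BUF 32768   /* assumed: "a buffer that has a limit of 32K" */

/* Case-insensitive check for the "irc://" scheme (the post writes IRC://). */
static int has_irc_scheme(const char *url)
{
    const char *scheme = "irc://";
    for (size_t i = 0; scheme[i] != '\0'; i++) {
        if (tolower((unsigned char)url[i]) != scheme[i])
            return 0;       /* also stops safely at an early NUL */
    }
    return 1;
}

/* Return the channel component (text after the first '/' following the
 * host), or NULL if the URL is not an irc:// URL with a path. */
static const char *irc_channel_part(const char *url)
{
    if (!has_irc_scheme(url))
        return NULL;
    const char *slash = strchr(url + 6, '/');
    return slash ? slash + 1 : NULL;
}

/* Vulnerable form: unbounded copy into a fixed stack buffer. A channel of
 * CHANNEL_BUF bytes or more walks past the end of the buffer. Returns the
 * channel length so the function does something observable on safe input. */
size_t parse_irc_url_unsafe(const char *url)
{
    char channel[CHANNEL_BUF];
    const char *chan = irc_channel_part(url);
    if (chan == NULL)
        return 0;
    strcpy(channel, chan);  /* no length check: this is the bug */
    return strlen(channel);
}

/* Hardened form: measure first, refuse anything that does not fit together
 * with its terminator, and only then copy. Returns 0 on success, -1 on
 * rejection (not an irc:// URL, no path, or channel too long). */
int parse_irc_url_safe(const char *url, char *out, size_t outsz)
{
    const char *chan = irc_channel_part(url);
    if (chan == NULL || outsz == 0)
        return -1;
    size_t n = strlen(chan);
    if (n >= outsz)
        return -1;          /* would overflow: reject instead of truncating */
    memcpy(out, chan, n + 1);
    return 0;
}

/* Constructed input: "irc://irc.your.tld/#" followed by channel_len 'A's.
 * Caller frees the result. */
char *make_irc_url(size_t channel_len)
{
    const char *prefix = "irc://irc.your.tld/#";
    size_t plen = strlen(prefix);
    char *url = malloc(plen + channel_len + 1);
    if (url == NULL)
        return NULL;
    memcpy(url, prefix, plen);
    memset(url + plen, 'A', channel_len);
    url[plen + channel_len] = '\0';
    return url;
}

/* 1 if the safe parser accepts a channel of channel_len 'A's (plus the '#'),
 * 0 if it rejects it. The boundary is channel_len == CHANNEL_BUF - 2. */
int safe_parser_accepts(size_t channel_len)
{
    char *url = make_irc_url(channel_len);
    char *out = malloc(CHANNEL_BUF);
    int ok = (url != NULL && out != NULL &&
              parse_irc_url_safe(url, out, CHANNEL_BUF) == 0);
    free(url);
    free(out);
    return ok;
}

int main(void)
{
    printf("unsafe parser, short channel: %zu bytes\n",
           parse_irc_url_unsafe("IRC://IRC.YOUR.TLD/#YOURCHANNEL"));
    printf("safe parser, 20-byte channel accepted: %d\n", safe_parser_accepts(20));
    printf("safe parser, 40000-byte channel accepted: %d\n", safe_parser_accepts(40000));
    /* parse_irc_url_unsafe(make_irc_url(40000)) would smash the stack
     * exactly as the message describes; it is deliberately not called. */
    return 0;
}
```

The fix is deliberately a rejection rather than a silent truncation with strncpy: a truncated channel name would still be passed on to the IRC client and could join a different channel than the one in the URL, whereas refusing the URL keeps the failure visible.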