From owner-freebsd-gnome Wed Jun 5 15:27:19 2002
Delivered-To: freebsd-gnome@freebsd.org
Received: from blues.jpj.net (blues.jpj.net [204.97.17.6])
    by hub.freebsd.org (Postfix) with ESMTP id 5B46D37B400;
    Wed, 5 Jun 2002 15:27:12 -0700 (PDT)
Received: from localhost (trevor@localhost)
    by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g55MR7c02344;
    Wed, 5 Jun 2002 18:27:07 -0400 (EDT)
Date: Wed, 5 Jun 2002 18:27:07 -0400 (EDT)
From: Trevor Johnson
To: security-officer@freebsd.org,
Subject: Re: FYI: more Mozilla security bugs
In-Reply-To: <20020508200506.X28748-100000@blues.jpj.net>
Message-ID: <20020605182448.K23113-100000@blues.jpj.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-gnome@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

My testing (with the linux-mozilla port) shows the Chatzilla bug has been
fixed in Mozilla 1.0.

On 8 May 2002, I wrote:

[snip]

> In message <52D05AEFB0D95C4BAD179A054A54CDEB1BD37A@mailsrv1.jubii.dk>
> on Bugtraq, Thor Larholm described a buffer overflow in Chatzilla.
> I confirmed the bug with this version of Mozilla/Chatzilla. Therefore
> the chatzilla component is now omitted from batch builds and defaults
> to being omitted from interactive ones too (XFree86 did crash
> once--perhaps taken down by Mozilla--when I was viewing Thor's
> demonstration page for the bug, but a second visit was uneventful).
> I added a warning in capitals for interactive users. I was unable
> to reproduce the other bug reported by Thor in the same message.
>
> Revision  Changes    Path
> 1.12      +3 -6      ports/www/linux-mozilla/Makefile
> 1.6       +13 -23    ports/www/linux-mozilla/distinfo
> 1.3       +2 -2      ports/www/linux-mozilla/scripts/configure
>
> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/Makefile.diff?&r1=1.11&r2=1.12&f=h
> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/distinfo.diff?&r1=1.5&r2=1.6&f=h
> http://www.FreeBSD.org/cgi/cvsweb.cgi/ports/www/linux-mozilla/scripts/configure.diff?&r1=1.2&r2=1.3&f=h
>
>
>
> ---------- Forwarded message ----------
> Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com
>     [66.38.151.27])
>     by blues.jpj.net (8.11.6/8.11.6) with ESMTP id g3UJhmt22139
>     for ; Tue, 30 Apr 2002 15:43:49 -0400 (EDT)
> Received: from lists.securityfocus.com (lists.securityfocus.com
>     [66.38.151.19])
>     by outgoing.securityfocus.com (Postfix) with QMQP
>     id 659E0A3135; Tue, 30 Apr 2002 10:20:26 -0600 (MDT)
> Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
> Precedence: bulk
> List-Id:
> List-Post:
> List-Help:
> List-Unsubscribe:
> List-Subscribe:
> Delivered-To: mailing list bugtraq@securityfocus.com
> Delivered-To: moderator for bugtraq@securityfocus.com
> Received: (qmail 31139 invoked from network); 30 Apr 2002 15:42:24 -0000
> Message-ID: <52D05AEFB0D95C4BAD179A054A54CDEB1BD37A@mailsrv1.jubii.dk>
> From: Thor Larholm
> To: "'GreyMagic Software'" ,
>     NTBugtraq ,
>     Bugtraq
> Subject: RE: Reading local files in Netscape 6 and Mozilla (GM#001-NS)
> Date: Tue, 30 Apr 2002 17:42:40 +0200
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2653.19)
> Content-Type: text/plain;
>     charset="iso-8859-1"
>
> Disturbing.
>
> Netscape sure must be in financial problems since they are selling out on
> their users' security for a lousy $1000.
>
> I know for one that I personally will release any future Netscape advisories
> with full public disclosure and without prior Netscape notification. As a
> matter of fact, why not start now?
>
> The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun.
> A typical IRC URL could look like this:
>
> IRC://IRC.YOUR.TLD/#YOURCHANNEL
>
> The #YOURCHANNEL part is copied to a buffer that has a limit of 32K.
> If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
> error:
>
> The exception unknown software exception (0xc00000fd) occured in the
> application at location 0x60e42edf
>
> Mozilla 0.9.9 gives a similar exception:
>
> The exception unknown software exception (0xc00000fd) occured in the
> application at location 0x60dd2c79.
>
> Other versions of Mozilla/NS6/Galeon likely share the same flaw.
> I haven't tested further on how practically exploitable this is.
> Short example online at
>
> http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html
>
> Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
> vulnerability.
>
> When embedding a stylesheet with the element, access to CSS files
> from other protocols is prohibited by the security manager. A simple HTTP
> redirect circumvents this security restriction and it becomes possible to
> use local or remote files of any type, with the side effect that you can
> detect if specific local files exist.
>
> http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp
>
>
> Regards
> Thor Larholm
> Jubii A/S - Internet Programmer
>
>
>
> -----Original Message-----
> [elided by Trevor]
>
>
--
Trevor Johnson

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-gnome" in the body of the message
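The 32K channel buffer Thor describes fails in the usual way for an unbounded copy: the length of the attacker-controlled component is never compared with the destination before the bytes are written. The C below is an added illustration of the defensive side of that bug; it is not code from this message, from Mozilla or from Chatzilla. It parses an irc:// URL, measures the channel component against the caller's buffer capacity first, and refuses anything that would not fit. The CHANNEL_MAX limit (deliberately small), the irc.example.test host, the result enum and the function names are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed limit standing in for the 32K channel buffer the advisory
 * describes; kept small so the overlong case is cheap to build. */
#define CHANNEL_MAX 32

enum irc_parse_result {
    IRC_OK = 0,
    IRC_BAD_SCHEME,
    IRC_NO_HOST,
    IRC_NO_CHANNEL,
    IRC_CHANNEL_TOO_LONG
};

/* Case-insensitive test that s starts with prefix; URL schemes are
 * case-insensitive, so "IRC://" and "irc://" must both be accepted. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/*
 * Copy the channel component of an irc:// URL into out[cap].
 * The component is everything after "host/" up to the end of the string
 * or a '?' query separator. Its length is compared against cap BEFORE
 * any byte is copied, so an overlong component yields
 * IRC_CHANNEL_TOO_LONG instead of running past the end of out.
 */
enum irc_parse_result irc_url_channel(const char *url, char *out, size_t cap)
{
    const char *p, *slash;
    size_t len;

    if (cap == 0 || !has_prefix_ci(url, "irc://"))
        return IRC_BAD_SCHEME;
    p = url + strlen("irc://");
    slash = strchr(p, '/');
    if (slash == NULL || slash == p)        /* missing or empty host */
        return IRC_NO_HOST;
    p = slash + 1;                          /* channel component starts here */
    len = strcspn(p, "?");
    if (len == 0)
        return IRC_NO_CHANNEL;
    if (len >= cap)                         /* must leave room for the NUL */
        return IRC_CHANNEL_TOO_LONG;
    memcpy(out, p, len);
    out[len] = '\0';
    return IRC_OK;
}

/* Demo: the URL shape from the advisory parses into "#YOURCHANNEL". */
int demo_short_channel(void)
{
    char ch[CHANNEL_MAX];
    return irc_url_channel("IRC://IRC.YOUR.TLD/#YOURCHANNEL", ch, sizeof ch) == IRC_OK
        && strcmp(ch, "#YOURCHANNEL") == 0;
}

/* Demo: build a constructed irc:// URL whose channel component is n bytes
 * of 'A' and report what the parser says, to probe the size boundary. */
enum irc_parse_result channel_result(size_t n)
{
    const char *head = "irc://irc.example.test/";   /* constructed host */
    char url[256];
    char ch[CHANNEL_MAX];
    size_t hl = strlen(head);

    if (n > sizeof url - hl - 1)
        n = sizeof url - hl - 1;                    /* keep url in bounds */
    memcpy(url, head, hl);
    memset(url + hl, 'A', n);
    url[hl + n] = '\0';
    return irc_url_channel(url, ch, sizeof ch);
}

int main(void)
{
    printf("advisory URL parses: %s\n", demo_short_channel() ? "yes" : "no");
    printf("%d-byte channel: %d\n", CHANNEL_MAX - 1, (int)channel_result(CHANNEL_MAX - 1));
    printf("%d-byte channel: %d\n", CHANNEL_MAX, (int)channel_result(CHANNEL_MAX));
    printf("200-byte channel: %d\n", (int)channel_result(200));
    return 0;
}
```

The boundary check is the whole point: a channel of CHANNEL_MAX - 1 bytes fits with its terminator, CHANNEL_MAX bytes or more is rejected, and the caller learns why through the result code rather than through a crash like the 0xc00000fd stack overflow Thor reports.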