[warty] CAN-2004-1316: DOS due to Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp

Bug #11652 reported by Debian Bug Importer
Affects           Status        Importance  Assigned to  Milestone
mozilla (Debian)  Fix Released  Unknown
mozilla (Ubuntu)  Fix Released  High        Thom May

Bug Description

Automatically imported from Debian bug report #288044 http://bugs.debian.org/288044

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 31 Dec 2004 15:31:32 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CAN-2004-1316: DOS due to Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp


Package: mozilla-browser
Version: 2:1.7.3-5
Severity: grave

Our mozilla is vulnerable to CAN-2004-1316:

  Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for
  Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service
  (application crash) via an NNTP URL (news:) with a trailing '\' (backslash)
  character, which prevents a string from being NULL terminated.

Apparently the hole can only be used to crash mozilla, not execute arbitrary
code. Details here.
http://marc.theaimsgroup.com/?l=bugtraq&m=110436284718949&w=2

-- 
see shy jo

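
The mechanism the CVE text above describes (a trailing backslash that makes the unescaping loop consume the string's NUL terminator) is easier to see in code. What follows is an added example, not code from this bug report or from Mozilla: a simplified, hypothetical reconstruction of the bug class. It assumes the escape form is a backslash followed by two hex digits (the real function's details are not on this page) and uses invented names (hexpair, unescape_trusting, measure_overrun, unescape_checked). It runs the trusting loop over a constructed memory region so the overrun is measured without undefined behaviour, and places a bounds-checked version beside it that rejects a truncated escape and always terminates its output.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the two-digit hex escape "ab", or -1 if either digit is invalid. */
static int hexpair(char a, char b)
{
    int hi = hexval((unsigned char)a), lo = hexval((unsigned char)b);
    return (hi < 0 || lo < 0) ? -1 : (hi << 4) | lo;
}

/* Model of the vulnerable pattern (hypothetical reconstruction, not Mozilla's
 * code): on '\' the loop blindly consumes the next two bytes as hex digits.
 * If '\' is the last character, the first byte consumed is the terminating
 * NUL, so the loop's only exit test is skipped and it keeps reading, and
 * writing, until it meets some other NUL in memory. A destination sized
 * strlen(in) + 1, as such code typically allocates, is then too small.
 * To make the overrun observable without undefined behaviour this version
 * takes an oversized `out` and reports what it consumed and wrote. */
static size_t unescape_trusting(const char *in, char *out, size_t *written)
{
    size_t i = 0, w = 0;
    for (;;) {
        char ch = in[i++];
        if (!ch)
            break;
        if (ch == '\\') {
            int v = hexpair(in[i], in[i + 1]); /* in[i] may be the terminator */
            i += 2;
            out[w++] = (char)(v < 0 ? 0 : v);
        } else {
            out[w++] = ch;
        }
    }
    out[w] = '\0';
    *written = w + 1;
    return i;                      /* index just past the NUL that stopped the loop */
}

/* Runs the trusting loop on a constructed region: the URL "news:a\", its NUL,
 * then bytes standing in for whatever follows it in the heap. Reports how many
 * bytes were read past the terminator and how many would have been written
 * beyond a strlen + 1 allocation. */
static void measure_overrun(size_t *read_past, size_t *write_past)
{
    char mem[64], out[64];
    size_t written;
    memset(mem, 0, sizeof mem);
    memcpy(mem, "news:a\\", 7);         /* mem[7] is the terminator */
    memcpy(mem + 8, "41BC", 4);         /* "neighbouring" bytes; mem[12] is another NUL */
    size_t consumed = unescape_trusting(mem, out, &written);
    size_t alloc = strlen(mem) + 1;     /* 8 bytes: what the trusting pattern would allocate */
    *read_past = consumed - alloc;      /* input bytes touched beyond mem[7] */
    *write_past = written > alloc ? written - alloc : 0;
}

/* Hardened version: confirm a complete "\xx" escape fits inside the string
 * before consuming it, reject malformed input, and always NUL-terminate. */
static char *unescape_checked(const char *in)
{
    size_t len = strlen(in), i = 0, w = 0;
    char *out = malloc(len + 1);        /* unescaping never lengthens the string */
    if (!out)
        return NULL;
    while (i < len) {
        if (in[i] == '\\') {
            int v = (len - i >= 3) ? hexpair(in[i + 1], in[i + 2]) : -1;
            if (v < 0) {                /* truncated or non-hex escape: reject the URL */
                free(out);
                return NULL;
            }
            out[w++] = (char)v;
            i += 3;
        } else {
            out[w++] = in[i++];
        }
    }
    out[w] = '\0';
    return out;
}

int main(void)
{
    size_t rp, wp;
    measure_overrun(&rp, &wp);
    printf("trusting loop: read %zu bytes past the terminator, wrote %zu past the allocation\n", rp, wp);
    const char *inputs[] = { "news:a\\41b", "news:a\\", "plain" };
    for (size_t k = 0; k < 3; k++) {
        char *s = unescape_checked(inputs[k]);
        printf("checked(\"%s\") -> %s\n", inputs[k], s ? s : "rejected");
        free(s);
    }
    return 0;
}
```

Build with `cc -Wall -o unescape unescape.c`. The checked variant rejects the whole URL on a truncated or non-hex escape rather than copying the stray backslash through literally; for data arriving in a remote news: link that is the conservative choice, and it keeps the "output never longer than input" invariant the allocation relies on.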

Revision history for this message
Takuo KITAME (kitame) wrote : Bug#288044: fixed in mozilla 2:1.7.5-1

Source: mozilla
Source-Version: 2:1.7.5-1

We believe that the bug you reported is fixed in the latest version of
mozilla, which is due to be installed in the Debian FTP archive:

libnspr-dev_1.7.5-1_i386.deb
  to pool/main/m/mozilla/libnspr-dev_1.7.5-1_i386.deb
libnspr4_1.7.5-1_i386.deb
  to pool/main/m/mozilla/libnspr4_1.7.5-1_i386.deb
libnss-dev_1.7.5-1_i386.deb
  to pool/main/m/mozilla/libnss-dev_1.7.5-1_i386.deb
libnss3_1.7.5-1_i386.deb
  to pool/main/m/mozilla/libnss3_1.7.5-1_i386.deb
mozilla-browser_1.7.5-1_i386.deb
  to pool/main/m/mozilla/mozilla-browser_1.7.5-1_i386.deb
mozilla-calendar_1.7.5-1_i386.deb
  to pool/main/m/mozilla/mozilla-calendar_1.7.5-1_i386.deb
mozilla-chatzilla_1.7.5-1_i386.deb
  to pool/main/m/mozilla/mozilla-chatzilla_1.7.5-1_i386.deb
mozilla-dev_1.7.5-1_i386.deb
  to pool/main/m/mozilla/mozilla-dev_1.7.5-1_i386.deb
mozilla-dom-inspector_1.7.5-1_i386.deb
  to pool/main/m/mozilla/mozilla-dom-inspector_1.7.5-1_i386.deb
mozilla-js-debugger_1.7.5-1_i386.deb
  to pool/main/m/mozilla/mozilla-js-debugger_1.7.5-1_i386.deb
mozilla-mailnews_1.7.5-1_i386.deb
  to pool/main/m/mozilla/mozilla-mailnews_1.7.5-1_i386.deb
mozilla-psm_1.7.5-1_i386.deb
  to pool/main/m/mozilla/mozilla-psm_1.7.5-1_i386.deb
mozilla_1.7.5-1.diff.gz
  to pool/main/m/mozilla/mozilla_1.7.5-1.diff.gz
mozilla_1.7.5-1.dsc
  to pool/main/m/mozilla/mozilla_1.7.5-1.dsc
mozilla_1.7.5-1_i386.deb
  to pool/main/m/mozilla/mozilla_1.7.5-1_i386.deb
mozilla_1.7.5.orig.tar.gz
  to pool/main/m/mozilla/mozilla_1.7.5.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Takuo KITAME <email address hidden> (supplier of updated mozilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

Format: 1.7
Date: Wed, 5 Jan 2005 16:22:00 +0900
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-dom-inspector libnspr4 mozilla-js-debugger mozilla-browser libnss3 libnspr-dev mozilla-chatzilla mozilla-psm mozilla-mailnews libnss-dev mozilla-dev
Architecture: source i386
Version: 2:1.7.5-1
Distribution: unstable
Urgency: high
Maintainer: Takuo KITAME <email address hidden>
Changed-By: Takuo KITAME <email address hidden>
Description:
 libnspr-dev - Netscape Portable Runtime library - development files
 libnspr4 - Netscape Portable Runtime Library
 libnss-dev - Network Security Service Libraries - development
 libnss3 - Network Security Service Libraries - runtime
 mozilla - The Mozilla Internet application suite - meta package
 mozilla-browser - The Mozilla Internet application suite - core and browser
 mozilla-calendar - Todo organizer, calendar and reminder, integrated with Mozilla suite
 mozilla-chatzilla - Mozilla Web Browser - irc client
 mozilla-dev - The Mozilla Internet application suite - development files
 mo...


Revision history for this message
Martin Pitt (pitti) wrote :

Thom, was this already fixed in Hoary? What is the status of the Warty update?

Revision history for this message
Thom May (thombot) wrote :

 mozilla (2:1.7.6-1ubuntu1) hoary; urgency=low
 .
   * Resynchronise with Debian.
     - CAN-2004-1316: DOS due to Heap-based buffer overflow in
       MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp (Ubuntu: #5211)
     - CAN-2005-0233: IDN support allows domainname spoofing (Ubuntu: #6319)

Revision history for this message
Martin Pitt (pitti) wrote :

Warty was fixed in USN-155-1.

Changed in mozilla:
status: Unknown → Fix Released