[warty] IDN support allows domain name spoofing

Bug #12680 reported by Debian Bug Importer
Affects           Status         Importance   Assigned to   Milestone
mozilla (Debian)  Fix Released   Unknown
mozilla (Ubuntu)  Fix Released   High         Thom May

Bug Description

Automatically imported from Debian bug report #294274 http://bugs.debian.org/294274

Revision history for this message
Mike Hommey (mh-glandium) wrote : Upgrading to RC

severity 294274 grave
severity 294271 grave
thanks

As discussed on #d-d, these bugs should be RC. (The firefox one is
already RC)

Mike

Revision history for this message
Mike Hommey (mh-glandium) wrote :

> As discussed on #d-d, these bugs should be RC. (The firefox one is
> already RC)

Note to self: don't do stuff while tired.

So let's go for a more detailed justification.

IDN is widely broken due to the fact that registrars don't do their job.
But it's not widely used, first reason being that IE doesn't support it
without a plugin.
Considering that a Debian release is usually due to last quite long,
keeping something unused and dangerous in a release is insane.
You might want to disable it totally or provide a way to enable it with
a runtime option or something if the user really wants it. That's the
safest fix.

Mike

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 8 Feb 2005 16:08:03 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: IDN support allows domain name spoofing

Package: mozilla-browser
Version: 2:1.7.5-1
Severity: normal
Tags: security

Epiphany and other browsers which support IDN are vulnerable to domain
spoofing via homograph characters in domain names. Please see
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031459.html
for details, and note that this is CAN-2005-0233.

This bug is filed upstream:
https://bugzilla.mozilla.org/show_bug.cgi?id=281381

Note: I have not marked this bug as release critical, because it's not
clear to me if spoofing attacks qualify.

-- 
see shy jo

Revision history for this message
Chris Cheney (ccheney-cheney) wrote : Re: Bug#294271: Upgrading to RC

Precisely due to the fact that Debian releases are so seldom do you
think Microsoft won't add IDN support to IE7 in Longhorn next year? If
they do Debian won't be able to access the many sites that will pop up
soon after IE adds official support. Perhaps the release team/stable
release manager needs to have a position on later recompiling the
browsers for stable to support IDN if/when it becomes widely used.

Chris

On Wed, Feb 09, 2005 at 12:41:14AM +0100, Mike Hommey wrote:
> > As discussed on #d-d, these bugs should be RC. (The firefox one is
> > already RC)
>
> Note to self: don't do stuff while tired.
>
> So let's go for a more detailed justification.
>
> IDN is widely broken due to the fact that registrars don't do their job.
> But it's not widely used, first reason being that IE doesn't support it
> without a plugin.
> Considering that a Debian release is usually due to last quite long,
> keeping something unused and dangerous in a release is insane.
> You might want to disable it totally or provide a way to enable it with
> a runtime option or something if the user really wants it. That's the
> safest fix.
>
> Mike

Revision history for this message
C. Scott Ananian (cananian) wrote : mozilla-browser: Also filed against firefox

Package: mozilla-browser
Followup-For: Bug #294274

I just filed a corresponding bug against firefox; I didn't see one already
there when I invoked reportbug (it's possible I overlooked it). Anyway,
if anyone's keeping track, it's debian bug #294439.
 --scott

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages mozilla-browser depends on:
ii debconf 1.4.45 Debian configuration management sy
ii libatk1.0-0 1.8.0-4 The ATK accessibility toolkit
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libfontconfig1 2.2.3-4 generic font configuration library
ii libfreetype6 2.1.7-2.3 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-9 GCC support library
ii libglib2.0-0 2.6.2-1 The GLib library of C routines
ii libgtk2.0-0 2.6.2-2 The GTK+ graphical user interface
ii libnspr4 2:1.7.5-1 Netscape Portable Runtime Library
ii libpango1.0-0 1.8.0-3 Layout and rendering of internatio
ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-10 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii libxft2 2.1.2-6 FreeType-based font drawing librar
ii libxp6 4.3.0.dfsg.1-10 X Window System printing extension
ii libxrender1 0.8.3-7 X Rendering Extension client libra
ii libxt6 4.3.0.dfsg.1-10 X Toolkit Intrinsics
ii psmisc 21.5-1 Utilities that use the proc filesy
ii xlibs 4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime

Revision history for this message
Martin Pitt (pitti) wrote :

I think this bug deserves some wider discussion. It exists because Firefox
precisely does what it is supposed to do; this issue is a design bug of IDN itself.

So the question is where to go from here: IIRC Mozilla will disable IDN again in
the following point releases, which is a quick, brute, and western-oriented
decision; however, it is certainly justifiable. The other extreme is to do
nothing and claim that this is not a bug.

As a compromise, punycode URLs would somehow be marked with a different color in
the address bar. Thom, do you have any idea how difficult this would be to
implement?

Revision history for this message
Thom May (thombot) wrote :

(In reply to comment #6)
> I think this bug deserves some wider discussion. It exists because FireFox
> precisely does what it is supposed to do, this issue is a design bug of IDN
> itself.
>
Indeed. Turning off IDN entirely is not an option, IMO.

> So the question is where to go from here: IIRC Mozilla will disable IDN again in
> the following point releases, which is a quick, brute, and western-oriented
> decision, however, it is certainly justifyable. The other extreme is to do
> nothing and claim that this is not a bug.
>
No, firefox 1.0.1 has just had a rethink on this while they try and come up
with a reasonable solution that doesn't suck:
they're going to show the URLs as Punycode in the status bar and so on, e.g.
www.xn--pypal-4ve.com for the shmoo tests.
I think this is a pretty reasonable compromise. I'll add this patch to our
firefox builds soon.
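The display policy the two comments above converge on (Martin Pitt's marking of Punycode hosts, Thom May's note that Firefox 1.0.1 shows IDNs as their xn-- form such as www.xn--pypal-4ve.com), written out as an added Python example. This is not code from Mozilla, Firefox, Debian or anyone in this thread. It goes one step beyond what the thread describes: instead of showing every IDN as Punycode, it decodes each label with the standard-library idna codec and only keeps the xn-- form visible when the decoded label mixes scripts, which is the homograph pattern behind CAN-2005-0233. The script classification is a small hand-written table and is an assumption for this demo; a real browser consults the full Unicode script data.

```python
"""Address-bar display policy for internationalized domain names (IDN)."""
# Added example, not code from Mozilla, Firefox, Debian or the bug thread.
# It shows the mitigation discussed there (display the xn-- Punycode form
# rather than the decoded Unicode form) plus a mixed-script check so that a
# single-script IDN such as münchen.de still displays decoded. The script
# table below is a deliberately small assumption, not Unicode's Scripts.txt.
import unicodedata
from typing import Set, Tuple

# Script prefixes as they appear in Unicode character names; coarse on purpose.
SCRIPT_PREFIXES = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW",
                   "ARABIC", "CJK", "HIRAGANA", "KATAKANA", "HANGUL")


def label_to_unicode(label: str) -> str:
    """Decode one xn-- label with the stdlib idna codec; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def script_of(ch: str) -> str:
    """Coarse script bucket of one character, taken from its Unicode name."""
    if ch in "-0123456789":
        return "common"            # legal in any label, never counts as a script
    name = unicodedata.name(ch, "")
    for prefix in SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return prefix.lower()
    return "other"


def label_scripts(label: str) -> Set[str]:
    """Scripts used by a label, ignoring digits and hyphens."""
    return {script_of(c) for c in label} - {"common"}


def display_host(host: str) -> Tuple[str, bool]:
    """Return (text to show in the address bar, whether a label looked spoofed).

    A decoded label that mixes scripts (Latin p-y-p-a-l plus a Cyrillic а in
    the shmoo test) is shown in its raw xn-- form, as Firefox 1.0.1 did for
    every IDN; a single-script label is shown decoded.
    """
    shown = []
    suspicious = False
    for label in host.split("."):
        decoded = label_to_unicode(label)
        if decoded != label and len(label_scripts(decoded)) > 1:
            shown.append(label)    # keep the Punycode form visible
            suspicious = True
        else:
            shown.append(decoded)
    return ".".join(shown), suspicious


if __name__ == "__main__":
    # Constructed inputs: the shmoo test host quoted in the thread, a plain
    # ASCII host, and a legitimate single-script German IDN.
    for host in ("www.xn--pypal-4ve.com", "www.example.com", "xn--mnchen-3ya.de"):
        text, flagged = display_host(host)
        print(f"{host:25} -> {text:20} {'SPOOF-LIKE' if flagged else 'ok'}")
```

The round trip matters: the idna codec refuses a label whose decoded form does not re-encode to the same xn-- string, so a malformed label raises rather than being displayed. Marking a flagged host with a different address-bar colour, as suggested above, is then a UI decision driven by the boolean this function returns.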

Revision history for this message
Takuo KITAME (kitame) wrote : Bug#294274: fixed in mozilla 2:1.7.6-1

Source: mozilla
Source-Version: 2:1.7.6-1

We believe that the bug you reported is fixed in the latest version of
mozilla, which is due to be installed in the Debian FTP archive:

libnspr-dev_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnspr-dev_1.7.6-1_i386.deb
libnspr4_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnspr4_1.7.6-1_i386.deb
libnss-dev_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnss-dev_1.7.6-1_i386.deb
libnss3_1.7.6-1_i386.deb
  to pool/main/m/mozilla/libnss3_1.7.6-1_i386.deb
mozilla-browser_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-browser_1.7.6-1_i386.deb
mozilla-calendar_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-calendar_1.7.6-1_i386.deb
mozilla-chatzilla_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-chatzilla_1.7.6-1_i386.deb
mozilla-dev_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-dev_1.7.6-1_i386.deb
mozilla-dom-inspector_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-dom-inspector_1.7.6-1_i386.deb
mozilla-js-debugger_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-js-debugger_1.7.6-1_i386.deb
mozilla-mailnews_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-mailnews_1.7.6-1_i386.deb
mozilla-psm_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla-psm_1.7.6-1_i386.deb
mozilla_1.7.6-1.diff.gz
  to pool/main/m/mozilla/mozilla_1.7.6-1.diff.gz
mozilla_1.7.6-1.dsc
  to pool/main/m/mozilla/mozilla_1.7.6-1.dsc
mozilla_1.7.6-1_i386.deb
  to pool/main/m/mozilla/mozilla_1.7.6-1_i386.deb
mozilla_1.7.6.orig.tar.gz
  to pool/main/m/mozilla/mozilla_1.7.6.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Takuo KITAME <email address hidden> (supplier of updated mozilla package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 24 Mar 2005 01:34:42 +0900
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-dom-inspector libnspr4 mozilla-js-debugger mozilla-browser libnss3 libnspr-dev mozilla-chatzilla mozilla-psm mozilla-mailnews libnss-dev mozilla-dev
Architecture: source i386
Version: 2:1.7.6-1
Distribution: unstable
Urgency: low
Maintainer: Takuo KITAME <email address hidden>
Changed-By: Takuo KITAME <email address hidden>
Description:
 libnspr-dev - Netscape Portable Runtime library - development files
 libnspr4 - Netscape Portable Runtime Library
 libnss-dev - Network Security Service Libraries - development
 libnss3 - Network Security Service Libraries - runtime
 mozilla - The Mozilla Internet application suite - meta package
 mozilla-browser - The Mozilla Internet application suite - core and browser
 mozilla-calendar - Todo organizer,calendar and reminder,integrated with Mozilla suit
 mozilla-chatzilla - Mozilla Web Browser - irc client
 mozilla-dev - The Mozilla Internet application suite - development files
 moz...


Revision history for this message
Thom May (thombot) wrote :

 mozilla (2:1.7.6-1ubuntu1) hoary; urgency=low
 .
   * Resynchronise with Debian.
     - CAN-2004-1316: DOS due to Heap-based buffer overflow in
       MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp (Ubuntu: #5211)
     - CAN-2005-0233: IDN support allows domainname spoofing (Ubuntu: #6319)

Revision history for this message
Uphaar Agrawalla (uphaar) wrote :

*** Bug 12612 has been marked as a duplicate of this bug. ***

Revision history for this message
Fabio Massimo Di Nitto (fabbione) wrote :

this should have been closed eons ago.

Revision history for this message
Daniel Robitaille (robitaille) wrote :

Fixed in Debian in March 2005

Changed in mozilla:
status: Unconfirmed → Fix Released
Changed in mozilla:
status: Unknown → Fix Released