[warty] IDN support allows domain name spoofing
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
mozilla (Debian) | Fix Released | Unknown | | |
mozilla (Ubuntu) | Fix Released | High | Thom May | |
Bug Description
Automatically imported from Debian bug report #294274 http://
In Debian Bug tracker #294274, Mike Hommey (mh-glandium) wrote : Upgrading to RC | #1 |
In Debian Bug tracker #294274, Mike Hommey (mh-glandium) wrote : | #2 |
> As discussed on #d-d, these bugs should be RC. (The firefox one is
> already RC)
Note to self: don't do stuff while tired.
So let's go for a more detailed justification.
IDN is widely broken due to the fact that registrars don't do their job.
But it's not widely used, first reason being that IE doesn't support it
without a plugin.
Considering that a Debian release is usually due to last quite long,
keeping something unused and dangerous in a release is insane.
You might want to disable it totally or provide a way to enable it with
a runtime option or something if the user really wants it. That's the
safest fix.
Mike
Debian Bug Importer (debzilla) wrote : | #3 |
Automatically imported from Debian bug report #294274 http://
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Tue, 8 Feb 2005 16:08:03 -0500
From: Joey Hess <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: IDN support allows domain name spoofing
Package: mozilla-browser
Version: 2:1.7.5-1
Severity: normal
Tags: security
Epiphany and other browsers which support IDN are vulnerable to domain
spoofing via homograph characters in domain names. Please see
http://
for details, and note that this is CAN-2005-0233.
This bug is filed upstream:
https:/
Note: I have not marked this bug as release critical, because it's not
clear to me if spoofing attacks qualify.
--
see shy jo
Debian Bug Importer (debzilla) wrote : | #5 |
Message-ID: <email address hidden>
Date: Wed, 9 Feb 2005 00:02:46 +0100
From: Mike Hommey <email address hidden>
To: <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Upgrading to RC
severity 294274 grave
severity 294271 grave
thanks
As discussed on #d-d, these bugs should be RC. (The firefox one is
already RC)
Mike
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Wed, 9 Feb 2005 00:41:14 +0100
From: Mike Hommey <email address hidden>
To: <email address hidden>, <email address hidden>
Subject: Re: Upgrading to RC
In Debian Bug tracker #294274, Chris Cheney (ccheney-cheney) wrote : Re: Bug#294271: Upgrading to RC | #7 |
Precisely due to the fact that Debian releases are so seldom do you
think Microsoft won't add IDN support to IE7 in Longhorn next year? If
they do Debian won't be able to access the many sites that will pop up
soon after IE adds official support. Perhaps the release team/stable
release manager needs to have a position on later recompiling the
browsers for stable to support IDN if/when it becomes widely used.
Chris
On Wed, Feb 09, 2005 at 12:41:14AM +0100, Mike Hommey wrote:
> > As discussed on #d-d, these bugs should be RC. (The firefox one is
> > already RC)
>
> Note to self: don't do stuff while tired.
>
> So let's go for a more detailed justification.
>
> IDN is widely broken due to the fact that registrars don't do their job.
> But it's not widely used, first reason being that IE doesn't support it
> without a plugin.
> Considering that a Debian release is usually due to last quite long,
> keeping something unused and dangerous in a release is insane.
> You might want to disable it totally or provide a way to enable it with
> a runtime option or something if the user really wants it. That's the
> safest fix.
>
> Mike
Debian Bug Importer (debzilla) wrote : | #8 |
Message-ID: <email address hidden>
Date: Tue, 8 Feb 2005 22:48:31 -0600
From: Chris Cheney <email address hidden>
To: Mike Hommey <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#294271: Upgrading to RC
In Debian Bug tracker #294274, C. Scott Ananian (cananian) wrote : mozilla-browser: Also filed against firefox | #9 |
Package: mozilla-browser
Followup-For: Bug #294274
I just filed a corresponding bug against firefox; I didn't see one already
there when I invoked reportbug (it's possible I overlooked it). Anyway,
if anyone's keeping track, it's debian bug #294439.
--scott
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=
Versions of packages mozilla-browser depends on:
ii debconf 1.4.45 Debian configuration management sy
ii libatk1.0-0 1.8.0-4 The ATK accessibility toolkit
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libfontconfig1 2.2.3-4 generic font configuration library
ii libfreetype6 2.1.7-2.3 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-9 GCC support library
ii libglib2.0-0 2.6.2-1 The GLib library of C routines
ii libgtk2.0-0 2.6.2-2 The GTK+ graphical user interface
ii libnspr4 2:1.7.5-1 Netscape Portable Runtime Library
ii libpango1.0-0 1.8.0-3 Layout and rendering of internatio
ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-10 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii libxft2 2.1.2-6 FreeType-based font drawing librar
ii libxp6 4.3.0.dfsg.1-10 X Window System printing extension
ii libxrender1 0.8.3-7 X Rendering Extension client libra
ii libxt6 4.3.0.dfsg.1-10 X Toolkit Intrinsics
ii psmisc 21.5-1 Utilities that use the proc filesy
ii xlibs 4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime
Debian Bug Importer (debzilla) wrote : | #10 |
Message-Id: <email address hidden>
Date: Wed, 09 Feb 2005 15:26:39 -0500
From: "C. Scott Ananian" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mozilla-browser: Also filed against firefox
Martin Pitt (pitti) wrote : | #11 |
I think this bug deserves some wider discussion. It exists because FireFox
precisely does what it is supposed to do, this issue is a design bug of IDN itself.
So the question is where to go from here: IIRC Mozilla will disable IDN again in
the following point releases, which is a quick, brute, and western-oriented
decision, however, it is certainly justifiable. The other extreme is to do
nothing and claim that this is not a bug.
As a compromise, punycode URLs would somehow be marked with a different color in
the address bar. Thom, do you have any idea how difficult this would be to
implement?
Thom May (thombot) wrote : | #12 |
(In reply to comment #6)
> I think this bug deserves some wider discussion. It exists because FireFox
> precisely does what it is supposed to do, this issue is a design bug of IDN
> itself.
>
Indeed. Turning off IDN entirely is not an option, IMO.
> So the question is where to go from here: IIRC Mozilla will disable IDN again in
> the following point releases, which is a quick, brute, and western-oriented
> decision, however, it is certainly justifiable. The other extreme is to do
> nothing and claim that this is not a bug.
>
No, firefox 1.0.1 has just had a rethink on this while they try and come up
with a reasonable solution that doesn't suck:
they're going to show the urls as Punycode in the status bar and so on, eg
www.xn-
I think this is a pretty reasonable compromise. I'll add this patch to our
firefox builds soon.
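Added example, not part of the original thread and not Mozilla's patch: a sketch of the compromise described in the comment above, showing the Punycode (`xn--`) form whenever a hostname contains non-ASCII characters, plus a mixed-script check on each label. The function names and sample hostnames are hypothetical and constructed for illustration; script detection is approximated from Unicode character names.

```python
import unicodedata


def to_ace(hostname: str) -> str:
    """ASCII-compatible (Punycode) form, via Python's built-in IDNA 2003 codec."""
    return hostname.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name,
    e.g. 'LATIN SMALL LETTER E' -> 'LATIN'. Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def review_hostname(hostname: str) -> dict:
    """Decide what to display for a hostname and flag suspicious labels.

    display: unchanged for pure-ASCII names, the xn-- form for any IDN.
    mixed_script_labels: labels mixing letters from more than one script.
    """
    is_idn = any(ord(ch) > 127 for ch in hostname)
    mixed = [lbl for lbl in hostname.split(".") if len(label_scripts(lbl)) > 1]
    return {
        "display": to_ace(hostname) if is_idn else hostname,
        "is_idn": is_idn,
        "mixed_script_labels": mixed,
    }


# Constructed sample hostnames (not taken from the bug report):
SAMPLES = [
    "example.com",            # plain ASCII, shown as typed
    "b\u00fccher.example",    # single-script IDN (Latin with U+00FC)
    "ex\u0430mple.com",       # Latin label containing CYRILLIC SMALL LETTER A
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(repr(host), review_hostname(host))
```

A label written entirely in one non-Latin script is not flagged as mixed, which is why the Punycode display is applied to every IDN rather than only to mixed-script labels.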
In Debian Bug tracker #294274, Takuo KITAME (kitame) wrote : Bug#294274: fixed in mozilla 2:1.7.6-1 | #13 |
Source: mozilla
Source-Version: 2:1.7.6-1
We believe that the bug you reported is fixed in the latest version of
mozilla, which is due to be installed in the Debian FTP archive:
libnspr-
to pool/main/
libnspr4_
to pool/main/
libnss-
to pool/main/
libnss3_
to pool/main/
mozilla-
to pool/main/
mozilla-
to pool/main/
mozilla-
to pool/main/
mozilla-
to pool/main/
mozilla-
to pool/main/
mozilla-
to pool/main/
mozilla-
to pool/main/
mozilla-
to pool/main/
mozilla_
to pool/main/
mozilla_1.7.6-1.dsc
to pool/main/
mozilla_
to pool/main/
mozilla_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Takuo KITAME <email address hidden> (supplier of updated mozilla package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 24 Mar 2005 01:34:42 +0900
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-
Architecture: source i386
Version: 2:1.7.6-1
Distribution: unstable
Urgency: low
Maintainer: Takuo KITAME <email address hidden>
Changed-By: Takuo KITAME <email address hidden>
Description:
libnspr-dev - Netscape Portable Runtime library - development files
libnspr4 - Netscape Portable Runtime Library
libnss-dev - Network Security Service Libraries - development
libnss3 - Network Security Service Libraries - runtime
mozilla - The Mozilla Internet application suite - meta package
mozilla-browser - The Mozilla Internet application suite - core and browser
mozilla-calendar - Todo organizer,calendar and reminder,integrated with Mozilla suit
mozilla-chatzilla - Mozilla Web Browser - irc client
mozilla-dev - The Mozilla Internet application suite - development files
moz...
Debian Bug Importer (debzilla) wrote : | #14 |
Message-Id: <email address hidden>
Date: Wed, 23 Mar 2005 13:32:24 -0500
From: Takuo KITAME <email address hidden>
To: <email address hidden>
Subject: Bug#294274: fixed in mozilla 2:1.7.6-1
Thom May (thombot) wrote : | #15 |
mozilla (2:1.7.6-1ubuntu1) hoary; urgency=low
.
* Resynchronise with Debian.
- CAN-2004-1316: DOS due to Heap-based buffer overflow in
- CAN-2005-0233: IDN support allows domainname spoofing (Ubuntu: #6319)
Uphaar Agrawalla (uphaar) wrote : | #16 |
*** Bug 12612 has been marked as a duplicate of this bug. ***
Fabio Massimo Di Nitto (fabbione) wrote : | #17 |
this should have been closed eons ago.
Daniel Robitaille (robitaille) wrote : | #18 |
Fixed in Debian in March 2005
Changed in mozilla: status: Unconfirmed → Fix Released
Changed in mozilla: status: Unknown → Fix Released