[warty] Two problems in Firefox

Bug #12706 reported by Debian Bug Importer
Affects            Status         Importance   Assigned to   Milestone
firefox (Debian)   Fix Released   Unknown
firefox (Ubuntu)   Fix Released   High         Thom May

Bug Description

Automatically imported from Debian bug report #294415 http://bugs.debian.org/294415

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 9 Feb 2005 12:05:51 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: Re: Two problems in Firefox

Package: mozilla-firefox
Version: 1.0+dfsg.1-5
Tags: security
Severity: grave

Martin Schulze wrote:
> Please make sure these problems are fixed in the package in sarge.
> When you need to upload a fixed package please add the CVE ids in
> the proper changelog entry.

Let's file a bug for tracking..

> ======================================================
> Candidate: CAN-2005-0231
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0231
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed:
> Assigned: 20050207
> Category: SF
> Reference: BUGTRAQ:20050207 Firetabbing [Firefox 1.0]
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110781134617144&w=2
> Reference: MISC:http://www.mikx.de/firetabbing/
>
> Firefox 1.0 does not invoke the Javascript Security Manager when a
> user drags a javascript: URL to a tab, which could allow remote
> attackers to bypass the security model.
>
>
>
> ======================================================
> Candidate: CAN-2005-0232
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0232
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed:
> Assigned: 20050207
> Category: SF
> Reference: BUGTRAQ:20050207 Fireflashing [Firefox 1.0]
> Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110781055630856&w=2
> Reference: MISC:http://www.mikx.de/fireflashing/
>
> Firefox 1.0 allows remote attackers to modify Boolean configuration
> parameters for the about:config site by using a plugin such as Flash,
> and the -moz-opacity filter, to display the about:config site then
> cause the user to double-click at a certain screen position.
>
> Regards,
>
> Joey
>
> --
> Open source is important from a technical angle. -- Linus Torvalds
>

--
see shy jo

Revision history for this message
In , Mike Hommey (mh-glandium) wrote : Re: Bug#294415: Two problems in Firefox

I guess these will be addressed in the upcoming 1.0.1.

Mike

On Wed, Feb 09, 2005 at 12:05:51PM -0500, Joey Hess <email address hidden> wrote:
> Package: mozilla-firefox
> Version: 1.0+dfsg.1-5
> Tags: security
> Severity: grave
>
> Martin Schulze wrote:
> > Please make sure these problems are fixed in the package in sarge.
> > When you need to upload a fixed package please add the CVE ids in
> > the proper changelog entry.
>
> Let's file a bug for tracking..
>
> > ======================================================
> > Candidate: CAN-2005-0231
> > URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0231
> > Final-Decision:
> > Interim-Decision:
> > Modified:
> > Proposed:
> > Assigned: 20050207
> > Category: SF
> > Reference: BUGTRAQ:20050207 Firetabbing [Firefox 1.0]
> > Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110781134617144&w=2
> > Reference: MISC:http://www.mikx.de/firetabbing/
> >
> > Firefox 1.0 does not invoke the Javascript Security Manager when a
> > user drags a javascript: URL to a tab, which could allow remote
> > attackers to bypass the security model.
> >
> >
> >
> > ======================================================
> > Candidate: CAN-2005-0232
> > URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0232
> > Final-Decision:
> > Interim-Decision:
> > Modified:
> > Proposed:
> > Assigned: 20050207
> > Category: SF
> > Reference: BUGTRAQ:20050207 Fireflashing [Firefox 1.0]
> > Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110781055630856&w=2
> > Reference: MISC:http://www.mikx.de/fireflashing/
> >
> > Firefox 1.0 allows remote attackers to modify Boolean configuration
> > parameters for the about:config site by using a plugin such as Flash,
> > and the -moz-opacity filter, to display the about:config site then
> > cause the user to double-click at a certain screen position.
> >
> > Regards,
> >
> > Joey
> >
> > --
> > Open source is important from a technical angle. -- Linus Torvalds
> >
>
> --
> see shy jo

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 9 Feb 2005 19:05:15 +0100
From: Mike Hommey <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#294415: Two problems in Firefox

Revision history for this message
In , Eric Dorland (eric-debian) wrote :

* Mike Hommey (<email address hidden>) wrote:
> I guess these will be addressed in the upcoming 1.0.1.

I'm sure they will be, but when are they going to release it?? These
bugs have been fixed in:

https://bugzilla.mozilla.org/show_bug.cgi?id=280056
https://bugzilla.mozilla.org/show_bug.cgi?id=280664

I'm going to roll a new firefox with those patches tonight.

--
Eric Dorland <email address hidden>
ICQ: #61138586, Jabber: <email address hidden>
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+
G e h! r- y+
------END GEEK CODE BLOCK------

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 9 Feb 2005 13:52:52 -0500
From: Eric Dorland <email address hidden>
To: Mike Hommey <email address hidden>, <email address hidden>
Cc: Joey Hess <email address hidden>
Subject: Re: Bug#294415: Two problems in Firefox

Revision history for this message
In , Eric Dorland (eric-debian) wrote : Bug#294415: fixed in mozilla-firefox 1.0+dfsg.1-6

Source: mozilla-firefox
Source-Version: 1.0+dfsg.1-6

We believe that the bug you reported is fixed in the latest version of
mozilla-firefox, which is due to be installed in the Debian FTP archive:

mozilla-firefox-dom-inspector_1.0+dfsg.1-6_i386.deb
  to pool/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0+dfsg.1-6_i386.deb
mozilla-firefox-gnome-support_1.0+dfsg.1-6_i386.deb
  to pool/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0+dfsg.1-6_i386.deb
mozilla-firefox_1.0+dfsg.1-6.diff.gz
  to pool/main/m/mozilla-firefox/mozilla-firefox_1.0+dfsg.1-6.diff.gz
mozilla-firefox_1.0+dfsg.1-6.dsc
  to pool/main/m/mozilla-firefox/mozilla-firefox_1.0+dfsg.1-6.dsc
mozilla-firefox_1.0+dfsg.1-6_i386.deb
  to pool/main/m/mozilla-firefox/mozilla-firefox_1.0+dfsg.1-6_i386.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <email address hidden> (supplier of updated mozilla-firefox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 9 Feb 2005 22:56:17 -0500
Source: mozilla-firefox
Binary: mozilla-firefox mozilla-firefox-gnome-support mozilla-firefox-dom-inspector
Architecture: source i386
Version: 1.0+dfsg.1-6
Distribution: unstable
Urgency: high
Maintainer: Eric Dorland <email address hidden>
Changed-By: Eric Dorland <email address hidden>
Description:
 mozilla-firefox - lightweight web browser based on Mozilla
 mozilla-firefox-dom-inspector - tool for inspecting the DOM of pages in Mozilla Firefox
 mozilla-firefox-gnome-support - Support for Gnome in Mozilla Firefox
Closes: 294127 294415 294415
Changes:
 mozilla-firefox (1.0+dfsg.1-6) unstable; urgency=high
 .
   * The "And I thought IE had security bugs!" release.
   * toolkit/content/widgets/tabbrowser.xml,
     xpfe/global/resources/content/bindings/tabbrowser.xml: Fix
     "Firetabbing" vulnerability from bugzilla#280056, fixes
     CAN-2005-0231. (Closes: #294415)
   * modules/plugin/base/src/nsPluginHostImpl.cpp: Fix "Fireflashing"
     vulnerability from bugzilla#280664, fixes CAN-2005-0232. (Also Closes:
     #294415)
   * build/unix/run-mozilla.sh: Patch from Javier Fernández-Sanguino Peña
     to fix insecure temp file usage in run-mozilla.sh. (Closes: #294127)
   * netwerk/base/src/nsStandardURL.cpp, netwerk/base/src/nsStandardURL.h:
     Patch from bugzilla#261934 to make the network.enableIDN preference
     work again.
   * browser/app/profile/firefox.js: Disable IDN by default. This doesn't
     close #293975, but drops its severity.
   * debian/README.Debian: Add warning and describe how to enable IDN.
Files:
 06167d3b521a02420094144e3042caa7 1000 web optional mozilla-firefox_1.0+dfsg.1-6.dsc
 b6b148b640c73ecca7eea13f29c027e4 83686 web optional mozilla-firefox_1.0+dfsg.1-6.diff.gz
 f5...

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 10 Feb 2005 01:47:39 -0500
From: Eric Dorland <email address hidden>
To: <email address hidden>
Subject: Bug#294415: fixed in mozilla-firefox 1.0+dfsg.1-6

Revision history for this message
In , Adrian Bunk (bunk) wrote : still present in sarge

reopen 294415
tags 294415 +sarge
thanks

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 24 Feb 2005 01:56:16 +0100
From: Adrian Bunk <email address hidden>
To: <email address hidden>
Subject: still present in sarge

Revision history for this message
In , Laszlo Boszormenyi (gcs) wrote : security problems are fixed officially now in 1.0.1

Package: mozilla-firefox
Version: 1.0+dfsg.1-6
Followup-For: Bug #294415

Hi,

 As I see, a new Firefox upstream version is released as 1.0.1[1]. This
release contains the security fixes that the Debian package _may_
already have, but may contain other security fixes. Also, it fixes some
other bugs as well. Please package it.

Regards,
Laszlo/GCS
[1] http://www.mozillazine.org/talkback.html?article=6129
-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-as2
Locale: LANG=en_US, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages mozilla-firefox depends on:
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii fontconfig 2.2.3-4 generic font configuration library
ii libatk1.0-0 1.8.0-4 The ATK accessibility toolkit
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libfontconfig1 2.2.3-4 generic font configuration library
ii libfreetype6 2.1.7-2.3 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-6 GCC support library
ii libglib2.0-0 2.6.2-1 The GLib library of C routines
ii libgtk2.0-0 2.4.14-2 The GTK+ graphical user interface
ii libidl0 0.8.3-1 library for parsing CORBA IDL file
ii libjpeg62 6b-9 The Independent JPEG Group's JPEG
ii libkrb53 1.3.6-1 MIT Kerberos runtime libraries
ii libpango1.0-0 1.8.0-3 Layout and rendering of internatio
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3
ii libx11-6 6.8.1-0.4 X Window System protocol client li
ii libxext6 6.8.1-0.4 X Window System miscellaneous exte
ii libxft2 2.1.2-6 FreeType-based font drawing librar
ii libxp6 6.8.1-0.4 X Window System printing extension
ii libxrender1 0.9.0-0.4 X Rendering Extension client libra
ii libxt6 6.8.1-0.4 X Toolkit Intrinsics
ii psmisc 21.5-1 Utilities that use the proc filesy
ii xlibs 6.8.1-0.4 X Window System client libraries m
ii zlib1g 1:1.2.2-3 compression library - runtime

-- no debconf information

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 25 Feb 2005 14:03:07 +0100
From: Laszlo Boszormenyi <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: security problems are fixed officially now in 1.0.1

Revision history for this message
In , Eric Dorland (eric-debian) wrote : Re: Bug#294415: security problems are fixed officially now in 1.0.1

* Laszlo Boszormenyi (<email address hidden>) wrote:
> Package: mozilla-firefox
> Version: 1.0+dfsg.1-6
> Followup-For: Bug #294415
>
> Hi,
>
> As I see, a new Firefox upstream version is released as 1.0.1[1]. This
> release contains the security fixes that the Debian package _may_
> already have, but may contain other security fixes. Also, it fixes some
> other bugs as well. Please package it.

Hmmm, nah, I don't think I'll package it, I don't feel like it.

*Of course* I'm going to package it, what are you, dense? Just because
it's not available the moment upstream releases it doesn't mean I've
lost my mind. Have the slightest bit of patience, please.

--
Eric Dorland <email address hidden>
ICQ: #61138586, Jabber: <email address hidden>
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+
G e h! r- y+
------END GEEK CODE BLOCK------

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 25 Feb 2005 11:27:04 -0500
From: Eric Dorland <email address hidden>
To: Laszlo Boszormenyi <email address hidden>, <email address hidden>
Subject: Re: Bug#294415: security problems are fixed officially now in 1.0.1

Revision history for this message
In , Steve Langasek (vorlon) wrote : tagging 294415, closing 294415

# Automatically generated email from bts, devscripts version 2.8.5
tags 294415 - sarge
close 294415

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 26 Feb 2005 00:41:12 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: tagging 294415, closing 294415

Revision history for this message
Thom May (thombot) wrote :

 mozilla-firefox (1.0.1-2ubuntu1) hoary; urgency=low
 .
   * Resynchronise with Debian.
     Security fixes: CAN-2004-1156 - Window Injection Vulnerability
                     CAN-2005-0232 - Fireflashing
                     CAN-2005-0231 - Firetabbing
   * Add patch to render hebrew RtL rather than LtR
   * Add patch to make ',' on the numpad work correctly (Ubuntu: #6301)

Revision history for this message
Martin Pitt (pitti) wrote :

Warty was fixed in USN-149-3.

Changed in firefox:
status: Unknown → Fix Released