mozilla-firefox: [CAN-2004-0764] User interface hijackable

Bug #7289 reported by Debian Bug Importer
Affects           Status         Importance   Assigned to   Milestone
firefox (Debian)  Fix Released   Unknown
firefox (Ubuntu)  Fix Released   High         Thom May

Bug Description

Automatically imported from Debian bug report #263196 http://bugs.debian.org/263196

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 03 Aug 2004 12:06:58 +0200
From: "J.H.M. Dassen \(Ray\)" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: mozilla-firefox: [CAN-2004-0764] User interface hijackable

Package: mozilla-firefox
Version: 0.8-12
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0764 :

Name:        CAN-2004-0764 (under review)
Description: Mozilla before 1.7, Firefox before 0.9, and Thunderbird
             before 0.7, allow remote web sites to hijack the user
             interface via the "chrome" flag and XML User Interface
             Language (XUL) files.
References:  * MISC:http://secunia.com/advisories/12160/
             * CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=244965
             * CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (800, 'unstable'), (750, 'experimental'), (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-rc2
Locale: LANG=C, LC_CTYPE=en_US.ISO8859-1

In , Eric Dorland (eric-debian) wrote : Re: Bug#263196: mozilla-firefox: [CAN-2004-0764] User interface hijackable

tags 263196 + sarge
thanks

This should be marked sarge.

* J.H.M. Dassen (Ray) (<email address hidden>) wrote:
> Package: mozilla-firefox
> Version: 0.8-12
> Severity: grave
> Tags: security upstream fixed-upstream
> Justification: user security hole
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0764 :
>
> Name:        CAN-2004-0764 (under review)
> Description: Mozilla before 1.7, Firefox before 0.9, and Thunderbird
>              before 0.7, allow remote web sites to hijack the user
>              interface via the "chrome" flag and XML User Interface
>              Language (XUL) files.
> References:  * MISC:http://secunia.com/advisories/12160/
>              * CONFIRM:http://bugzilla.mozilla.org/show_bug.cgi?id=244965
>              * CONFIRM:http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7

--
Eric Dorland <email address hidden>
ICQ: #61138586, Jabber: <email address hidden>
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+
G e h! r- y+
------END GEEK CODE BLOCK------

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Wed, 4 Aug 2004 20:15:36 -0400
From: Eric Dorland <email address hidden>
To: "J.H.M. Dassen (Ray)" <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#263196: mozilla-firefox: [CAN-2004-0764] User interface hijackable

In , Mike Hommey (mh-glandium) wrote : Closing these bugs for transition purpose.

As suggested by Steve Langasek, I'm closing these RC bugs tagged sarge
so that transition from sid can happen without them being blocking.

Mike

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 24 Aug 2004 16:46:37 +0900
From: Mike Hommey <email address hidden>
To: <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Closing these bugs for transition purpose.

In , Jeroen van Wolffelaar (jeroenvw) wrote :

# Reopening as per discussion with RMs: this isn't the issue, and
# closing these bugs doesn't help
reopen 261743
reopen 263190
reopen 263192
reopen 263196
reopen 263199
reopen 265671
thanks

--
Jeroen van Wolffelaar
<email address hidden>
http://jeroen.A-Eskwadraat.nl

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Tue, 24 Aug 2004 23:29:26 +0200
From: Jeroen van Wolffelaar <email address hidden>
To: Mike Hommey <email address hidden>
Cc: <email address hidden>
Subject: Re: Closing these bugs for transition purpose.

Thom May (thombot) wrote :

Synced 0.9.3 from unstable

In , Eric Dorland (eric-debian) wrote : Close for transition

Close these to allow mozilla-firefox to proceed into testing.

--
Eric Dorland <email address hidden>
ICQ: #61138586, Jabber: <email address hidden>
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+
G e h! r- y+
------END GEEK CODE BLOCK------

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Thu, 16 Sep 2004 21:59:45 -0400
From: Eric Dorland <email address hidden>
To: <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>,
 <email address hidden>, <email address hidden>
Subject: Close for transition


Changed in firefox:
status: Unknown → Fix Released