epiphany-browser: Susceptible to mozilla-firefox "Host:" buffer overflow?

Bug #21268 reported by Debian Bug Importer
This bug report is a duplicate of: Bug #21308: security issue revealed: CAN-2005-2871.

Affects                     Status        Importance  Assigned to       Milestone
epiphany-browser (Debian)   Fix Released  Unknown
epiphany-browser (Ubuntu)   Invalid       High        Sebastien Bacher

Bug Description

Automatically imported from Debian bug report #327366 http://bugs.debian.org/327366

Sebastien Bacher (seb128) wrote :

Martin, I'll fix that one (firefox CAN-2005-2871) if you are not on it. Let me
know to not duplicate work :)

Sebastien Bacher (seb128) wrote :

This bug has been marked as a duplicate of bug 21308.

Debian Bug Importer (debzilla) wrote :

Message-Id: <E1EDl94-0006pM-Ny@localhost>
Date: Fri, 09 Sep 2005 16:50:30 +0100
From: Sam Morris <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: epiphany-browser: Susceptible to mozilla-firefox "Host:" buffer overflow?

Package: epiphany-browser
Version: 1.6.5-1
Severity: grave
Tags: security
Justification: user security hole

From <http://lwn.net/Articles/150999/>:

A buffer overflow vulnerability exists within Firefox version 1.0.6 and
all other prior versions which allows for an attacker to remotely execute
arbitrary code on an affected host.

The problem seems to be when a hostname which has all dashes causes the
NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true,
but it sets encHost to an empty string.

On my system, attempting to load the example URL causes Epiphany to freeze:
<http://www.security-protocols.com/firefox-death.html>

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (530, 'testing'), (520, 'unstable'), (510, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)


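The report above describes a normalizer that reports success while leaving the encoded host empty, after which the caller carries on with a zero-length host. The following C code is an added illustration of that failure mode and the defensive check a caller should make; it is not Mozilla's code and not part of the bug report. The function names are hypothetical, and the normalizer is a simplified stand-in that only drops UTF-8 soft hyphens (U+00AD), which IDNA nameprep maps to nothing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for an IDN normalizer: copies `host` into `out`,
 * dropping UTF-8 soft hyphens (bytes C2 AD). It returns true on success
 * even when `out` ends up empty; that "success with an empty result" is
 * the condition the report describes. */
bool normalize_idn(const char *host, char *out, size_t outlen)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)host; *p; p++) {
        if (p[0] == 0xC2 && p[1] == 0xAD) { p++; continue; }  /* skip U+00AD */
        if (n + 1 >= outlen) return false;                   /* no room */
        out[n++] = (char)*p;
    }
    out[n] = '\0';
    return true;
}

/* One DNS label is acceptable only if it is non-empty, at most 63 octets,
 * and neither starts nor ends with a hyphen; this also rejects a label
 * made entirely of dashes, the case mentioned in the report. */
static bool label_ok(const char *s, size_t len)
{
    if (len == 0 || len > 63) return false;
    if (s[0] == '-' || s[len - 1] == '-') return false;
    return true;
}

/* Defensive caller: normalize, then refuse an empty or syntactically
 * invalid host instead of trusting the normalizer's "true". Returns true
 * only when the normalized host in `out` is safe to build a URL from. */
bool normalized_host_ok(const char *host, char *out, size_t outlen)
{
    if (!normalize_idn(host, out, outlen)) return false;
    if (out[0] == '\0') return false;           /* the empty-encHost case */
    const char *start = out;
    for (const char *p = out; ; p++) {
        if (*p == '.' || *p == '\0') {
            if (!label_ok(start, (size_t)(p - start))) return false;
            if (*p == '\0') break;
            start = p + 1;
        }
    }
    return true;
}
```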

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 12 Sep 2005 21:56:44 +0200
From: Jordi Mallach <email address hidden>
To: <email address hidden>
Subject: mozilla security


reassign 327366 mozilla
thanks

-- 
Jordi Mallach Pérez -- Debian developer http://www.debian.org/
<email address hidden> <email address hidden> http://www.sindominio.net/
GnuPG public key information available at http://oskuro.net/


Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 26 Sep 2005 10:53:07 +0200
From: Loïc Minier <email address hidden>
To: Sam Morris <email address hidden>, <email address hidden>,
 <email address hidden>
Subject: Re: Bug#327366: epiphany-browser: Susceptible to mozilla-firefox "Host:" buffer overflow?

tags 327366 + upstream fixed-upstream patch
severity 327366 critical
merge 327366 327455
retitle 327366 [CAN-2005-2871] IDN buffer overflow [MFSA 2005-57]
thanks

        Hi,

On Fri, Sep 09, 2005, Sam Morris wrote:
> A buffer overflow vulnerability exists within Firefox version 1.0.6 and
> all other prior versions which allows for an attacker to remotely execute
> arbitrary code on an affected host.

 When reporting bugs against Epiphany or Galeon, please check whether
 Mozilla, their engine, is affected. In the future, the engine of these
 browsers might switch from Mozilla to Firefox though.

> The problem seems to be when a hostname which has all dashes causes the
> NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true,
> but is sets encHost to an empty string.

 This is "fixed" in Mozilla 1.7.12 by disabling IDN and/or installing a
 patch as explained at:
    <https://addons.mozilla.org/messages/307259.html>

   Bye,

-- 
Loïc Minier <email address hidden>

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 09 Oct 2005 13:32:45 -0700
From: Alexander Sack <email address hidden>
To: <email address hidden>
Cc: Alexander Sack <email address hidden>, Takuo KITAME <email address hidden>
Subject: Fixed in NMU of mozilla 2:1.7.12-1

tag 318723 + fixed
tag 321644 + fixed
tag 325532 + fixed
tag 327366 + fixed
tag 327455 + fixed
tag 329778 + fixed
tag 332480 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.


Format: 1.7
Date: Wed, 6 Oct 2005 23:48:00 +0200
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-dom-inspector libnspr4 mozilla-js-debugger mozilla-browser libnss3 libnspr-dev mozilla-chatzilla mozilla-psm mozilla-mailnews libnss-dev mozilla-dev
Architecture: source i386
Version: 2:1.7.12-1
Distribution: unstable
Urgency: high
Maintainer: Takuo KITAME <email address hidden>
Changed-By: Alexander Sack <email address hidden>
Description:
 libnspr-dev - Netscape Portable Runtime library - development files
 libnspr4 - Netscape Portable Runtime Library
 libnss-dev - Network Security Service Libraries - development
 libnss3 - Network Security Service Libraries - runtime
 mozilla - The Mozilla Internet application suite - meta package
 mozilla-browser - The Mozilla Internet application suite - core and browser
 mozilla-calendar - Todo organizer,calendar and reminder,integrated with Mozilla suit
 mozilla-chatzilla - Mozilla Web Browser - irc client
 mozilla-dev - The Mozilla Internet application suite - development files
 mozilla-dom-inspector - A tool for inspecting the DOM of pages in Mozilla.
 mozilla-js-debugger - JavaScript debugger for use with Mozilla
 mozilla-mailnews - The Mozilla Internet application suite - mail and news support
 mozilla-psm - The Mozilla Internet application suite - Personal Security Manage
Closes: 318723 321644 325532 327366 327455 329778 332480
Changes:
 mozilla (2:1.7.12-1) unstable; urgency=high
 .
   * NMU: fixing several security issues and most important RC bugs.
     (Closes: 332480)
   * new upstream version 1.7.12 fixes:
     + [CAN-2005-2871] IDN buffer overflow [MFSA 2005-57] (Closes: 327366)
     + security issue revealed: CAN-2005-2871 (Closes: 327455)
     + mozilla: Multiple security issues fixed in 1.7.12 (Closes: 329778)
     + javascript crasher - unsure about this ... have to test.
       (Closes: 318723)
     + mozilla 1.7.10 version crashes almost immediately (Closes: 321644)
   * applied patch by Steve Langasek <email address hidden> to make mozilla
     build on arm and other archs. (Closes: 325532)
Files:


Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 12 Nov 2005 01:03:12 -0800
From: Alexander Sack <email address hidden>
To: <email address hidden>
Cc: Alexander Sack <email address hidden>, Takuo KITAME <email address hidden>
Subject: Fixed in NMU of mozilla 2:1.7.8-1sarge3

tag 321427 + fixed
tag 327366 + fixed
tag 329778 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.


Format: 1.7
Date: Tue, 27 Sep 2005 13:00:00 +0100
Source: mozilla
Binary: mozilla mozilla-calendar mozilla-dom-inspector libnspr4 mozilla-js-debugger mozilla-browser libnss3 libnspr-dev mozilla-chatzilla mozilla-psm mozilla-mailnews libnss-dev mozilla-dev
Architecture: source i386
Version: 2:1.7.8-1sarge3
Distribution: stable-security
Urgency: critical
Maintainer: Takuo KITAME <email address hidden>
Changed-By: Alexander Sack <email address hidden>
Description:
 libnspr-dev - Netscape Portable Runtime library - development files
 libnspr4 - Netscape Portable Runtime Library
 libnss-dev - Network Security Service Libraries - development
 libnss3 - Network Security Service Libraries - runtime
 mozilla - The Mozilla Internet application suite - meta package
 mozilla-browser - The Mozilla Internet application suite - core and browser
 mozilla-calendar - Todo organizer,calendar and reminder,integrated with Mozilla suit
 mozilla-chatzilla - Mozilla Web Browser - irc client
 mozilla-dev - The Mozilla Internet application suite - development files
 mozilla-dom-inspector - A tool for inspecting the DOM of pages in Mozilla.
 mozilla-js-debugger - JavaScript debugger for use with Mozilla
 mozilla-mailnews - The Mozilla Internet application suite - mail and news support
 mozilla-psm - The Mozilla Internet application suite - Personal Security Manage
Closes: 321427 327366 329778
Changes:
 mozilla (2:1.7.8-1sarge3) stable-security; urgency=critical
 .
   * MFSA-2005-56a.debian: Regressions introduced by mozilla 1.7.9.
     Summary: Regressions introduced by mozilla 1.7.9 bugfix. There was no
       advisory for it (debian/patches/001_mfsa_2005-56a.patch)
     Closes: 321427
     Bugzilla: 294307 301917 300749
     Issues addressed:
       + Regressions introduced by mozilla 1.7.9 bugfix.
   * MFSA-2005-57: IDN heap overrun
     Summary: Tom Ferris reported a Firefox crash when processing a domain
       name consisting solely of soft-hyphen characters.
       (debian/patches/001_mfsa-2005-57.patch)
     Closes: 327366
     CVE-Ids: CAN-2005-2871
     Bugzilla: 307259 308281
     Issues addressed:
       + CAN-2005-2871 - IDN heap overrun
   * MFSA-2005-58: Accumulated vendor advisory for multiple vulnerabilities
     Summary: Fixes for multiple vulnerabilities with an overall severity
       of "critical" have been released in Mozilla Firefox 1.0.7 and
       the Mozilla Suite 1.7.12 (debian/patches/001_mfsa-2005-58.patch)
     Closes: 329778
     CVE-Ids: CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704
       CAN-2005-2705 CAN-2005-2706 CAN-2005-2707
     Bugzilla: 300936 296134 297078 302263 299518 303213 304754 306261
        306804 291178 300853 301180 302...



Changed in epiphany-browser:
status: Fix Committed → Fix Released