[warty] Two problems in Firefox
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| firefox (Debian) | Fix Released | Unknown | | |
| firefox (Ubuntu) | Fix Released | High | Thom May | |
Bug Description
Automatically imported from Debian bug report #294415 http://bugs.debian.org/294415
Debian Bug Importer (debzilla) wrote : | #1 |
Debian Bug Importer (debzilla) wrote : | #2 |
Message-ID: <email address hidden>
Date: Wed, 9 Feb 2005 12:05:51 -0500
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: Re: Two problems in Firefox
Package: mozilla-firefox
Version: 1.0+dfsg.1-5
Tags: security
Severity: grave
Martin Schulze wrote:
> Please make sure these problems are fixed in the package in sarge.
> When you need to upload a fixed package please add the CVE ids in
> the proper changelog entry.
Let's file a bug for tracking..
> =======
> Candidate: CAN-2005-0231
> URL: http://
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed:
> Assigned: 20050207
> Category: SF
> Reference: BUGTRAQ:20050207 Firetabbing [Firefox 1.0]
> Reference: URL:http://
> Reference: MISC:http://
>
> Firefox 1.0 does not invoke the Javascript Security Manager when a
> user drags a javascript: URL to a tab, which could allow remote
> attackers to bypass the security model.
>
>
>
> =======
> Candidate: CAN-2005-0232
> URL: http://
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed:
> Assigned: 20050207
> Category: SF
> Reference: BUGTRAQ:20050207 Fireflashing [Firefox 1.0]
> Reference: URL:http://
> Reference: MISC:http://
>
> Firefox 1.0 allows remote attackers to modify Boolean configuration
> parameters for the about:config site by using a plugin such as Flash,
> and the -moz-opacity filter, to display the about:config site then
> cause the user to double-click at a certain screen position.
>
> Regards,
>
> Joey
>
> --
> Open source is important from a technical angle. -- Linus Torvalds
>
--
see shy jo
In Debian Bug tracker #294415, Mike Hommey (mh-glandium) wrote : Re: Bug#294415: Two problems in Firefox | #3 |
I guess these will be addressed in the upcoming 1.0.1.
Mike
On Wed, Feb 09, 2005 at 12:05:51PM -0500, Joey Hess <email address hidden> wrote:
> Package: mozilla-firefox
> Version: 1.0+dfsg.1-5
> Tags: security
> Severity: grave
>
> Martin Schulze wrote:
> > Please make sure these problems are fixed in the package in sarge.
> > When you need to upload a fixed package please add the CVE ids in
> > the proper changelog entry.
>
> Let's file a bug for tracking..
>
> > =======
> > Candidate: CAN-2005-0231
> > URL: http://
> > Final-Decision:
> > Interim-Decision:
> > Modified:
> > Proposed:
> > Assigned: 20050207
> > Category: SF
> > Reference: BUGTRAQ:20050207 Firetabbing [Firefox 1.0]
> > Reference: URL:http://
> > Reference: MISC:http://
> >
> > Firefox 1.0 does not invoke the Javascript Security Manager when a
> > user drags a javascript: URL to a tab, which could allos remote
> > attackers to bypass the security model.
> >
> >
> >
> > =======
> > Candidate: CAN-2005-0232
> > URL: http://
> > Final-Decision:
> > Interim-Decision:
> > Modified:
> > Proposed:
> > Assigned: 20050207
> > Category: SF
> > Reference: BUGTRAQ:20050207 Fireflashing [Firefox 1.0]
> > Reference: URL:http://
> > Reference: MISC:http://
> >
> > Firefox 1.0 allows remote attackers to modify Boolean configuration
> > parameters for the about:config site by using a plugin such as Flash,
> > and the -moz-opacity filter, to display the about:config site then
> > cause the user to double-click at a certain screen position.
> >
> > Regards,
> >
> > Joey
> >
> > --
> > Open source is important from a technical angle. -- Linus Torvalds
> >
>
> --
> see shy jo
Debian Bug Importer (debzilla) wrote : | #4 |
Message-ID: <email address hidden>
Date: Wed, 9 Feb 2005 19:05:15 +0100
From: Mike Hommey <email address hidden>
To: Joey Hess <email address hidden>, <email address hidden>
Subject: Re: Bug#294415: Two problems in Firefox
In Debian Bug tracker #294415, Eric Dorland (eric-debian) wrote : | #5 |
* Mike Hommey (<email address hidden>) wrote:
> I guess these will be addressed in the upcoming 1.0.1.
I'm sure they will be, but when are they going to release it?? These
bugs have been fixed in:
https:/
https:/
I'm going to roll a new firefox with those patches tonight.
--
Eric Dorland <email address hidden>
ICQ: #61138586, Jabber: <email address hidden>
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+
G e h! r- y+
------END GEEK CODE BLOCK------
Debian Bug Importer (debzilla) wrote : | #6 |
Message-ID: <email address hidden>
Date: Wed, 9 Feb 2005 13:52:52 -0500
From: Eric Dorland <email address hidden>
To: Mike Hommey <email address hidden>, <email address hidden>
Cc: Joey Hess <email address hidden>
Subject: Re: Bug#294415: Two problems in Firefox
In Debian Bug tracker #294415, Eric Dorland (eric-debian) wrote : Bug#294415: fixed in mozilla-firefox 1.0+dfsg.1-6 | #7 |
Source: mozilla-firefox
Source-Version: 1.0+dfsg.1-6
We believe that the bug you reported is fixed in the latest version of
mozilla-firefox, which is due to be installed in the Debian FTP archive:
mozilla-
to pool/main/
mozilla-
to pool/main/
mozilla-
to pool/main/
mozilla-
to pool/main/
mozilla-
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Eric Dorland <email address hidden> (supplier of updated mozilla-firefox package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 9 Feb 2005 22:56:17 -0500
Source: mozilla-firefox
Binary: mozilla-firefox mozilla-
Architecture: source i386
Version: 1.0+dfsg.1-6
Distribution: unstable
Urgency: high
Maintainer: Eric Dorland <email address hidden>
Changed-By: Eric Dorland <email address hidden>
Description:
mozilla-firefox - lightweight web browser based on Mozilla
mozilla-
mozilla-
Closes: 294127 294415 294415
Changes:
mozilla-firefox (1.0+dfsg.1-6) unstable; urgency=high
.
* The "And I thought IE had security bugs!" release.
* toolkit/
xpfe/
"Firetabbing" vulnerability from bugzilla#280056, fixes
CAN-2005-0231. (Closes: #294415)
* modules/
vulnerability from bugzilla#280664, fixes CAN-2005-0232. (Also Closes:
#294415)
* build/unix/
to fix insecure temp file usage in run-mozilla.sh. (Closes: #294127)
* netwerk/
Patch from bugzilla#261934 to make the network.enableIDN preference
work again.
* browser/
close #293975, but drops its severity.
* debian/
Files:
06167d3b521a02
b6b148b640c73e
f5...
Debian Bug Importer (debzilla) wrote : | #8 |
Message-Id: <email address hidden>
Date: Thu, 10 Feb 2005 01:47:39 -0500
From: Eric Dorland <email address hidden>
To: <email address hidden>
Subject: Bug#294415: fixed in mozilla-firefox 1.0+dfsg.1-6
In Debian Bug tracker #294415, Adrian Bunk (bunk) wrote : still present in sarge | #9 |
reopen 294415
tags 294415 +sarge
thanks
Debian Bug Importer (debzilla) wrote : | #10 |
Message-ID: <email address hidden>
Date: Thu, 24 Feb 2005 01:56:16 +0100
From: Adrian Bunk <email address hidden>
To: <email address hidden>
Subject: still present in sarge
In Debian Bug tracker #294415, Laszlo Boszormenyi (gcs) wrote : security problems are fixed officially now in 1.0.1 | #11 |
Package: mozilla-firefox
Version: 1.0+dfsg.1-6
Followup-For: Bug #294415
Hi,
As I see, a new Firefox upstream version is released as 1.0.1[1]. This
release contains the security fixes that the Debian package _may_
already have, but may contain other security fixes. Also, it fixes some
other bugs as well. Please package it.
Regards,
Laszlo/GCS
[1] http://
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-as2
Locale: LANG=en_US, LC_CTYPE=hu_HU (charmap=
Versions of packages mozilla-firefox depends on:
ii debianutils 2.8.4 Miscellaneous utilities specific t
ii fontconfig 2.2.3-4 generic font configuration library
ii libatk1.0-0 1.8.0-4 The ATK accessibility toolkit
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libfontconfig1 2.2.3-4 generic font configuration library
ii libfreetype6 2.1.7-2.3 FreeType 2 font engine, shared lib
ii libgcc1 1:3.4.3-6 GCC support library
ii libglib2.0-0 2.6.2-1 The GLib library of C routines
ii libgtk2.0-0 2.4.14-2 The GTK+ graphical user interface
ii libidl0 0.8.3-1 library for parsing CORBA IDL file
ii libjpeg62 6b-9 The Independent JPEG Group's JPEG
ii libkrb53 1.3.6-1 MIT Kerberos runtime libraries
ii libpango1.0-0 1.8.0-3 Layout and rendering of internatio
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libstdc++5 1:3.3.5-8 The GNU Standard C++ Library v3
ii libx11-6 6.8.1-0.4 X Window System protocol client li
ii libxext6 6.8.1-0.4 X Window System miscellaneous exte
ii libxft2 2.1.2-6 FreeType-based font drawing librar
ii libxp6 6.8.1-0.4 X Window System printing extension
ii libxrender1 0.9.0-0.4 X Rendering Extension client libra
ii libxt6 6.8.1-0.4 X Toolkit Intrinsics
ii psmisc 21.5-1 Utilities that use the proc filesy
ii xlibs 6.8.1-0.4 X Window System client libraries m
ii zlib1g 1:1.2.2-3 compression library - runtime
-- no debconf information
Debian Bug Importer (debzilla) wrote : | #12 |
Message-Id: <email address hidden>
Date: Fri, 25 Feb 2005 14:03:07 +0100
From: Laszlo Boszormenyi <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: security problems are fixed officially now in 1.0.1
In Debian Bug tracker #294415, Eric Dorland (eric-debian) wrote : Re: Bug#294415: security problems are fixed officially now in 1.0.1 | #13 |
* Laszlo Boszormenyi (<email address hidden>) wrote:
> Package: mozilla-firefox
> Version: 1.0+dfsg.1-6
> Followup-For: Bug #294415
>
> Hi,
>
> As I see, a new Firefox upstream version is released as 1.0.1[1]. This
> release contains the security fixes that the Debian package _may_
> already have, but may contain other security fixes. Also, it fixes some
> other bugs as well. Please package it.
Hmmm, nah, I don't think I'll package it, I don't feel like it.
*Of course* I'm going to package it, what are you, dense? Just because
it's not available the moment upstream releases it doesn't mean I've
lost my mind. Have the slightest bit of patience, please.
--
Eric Dorland <email address hidden>
ICQ: #61138586, Jabber: <email address hidden>
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+
G e h! r- y+
------END GEEK CODE BLOCK------
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Fri, 25 Feb 2005 11:27:04 -0500
From: Eric Dorland <email address hidden>
To: Laszlo Boszormenyi <email address hidden>, <email address hidden>
Subject: Re: Bug#294415: security problems are fixed officially now in 1.0.1
In Debian Bug tracker #294415, Steve Langasek (vorlon) wrote : tagging 294415, closing 294415 | #15 |
# Automatically generated email from bts, devscripts version 2.8.5
tags 294415 - sarge
close 294415
Debian Bug Importer (debzilla) wrote : | #16 |
Message-Id: <email address hidden>
Date: Sat, 26 Feb 2005 00:41:12 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: tagging 294415, closing 294415
Thom May (thombot) wrote : | #17 |
mozilla-firefox (1.0.1-2ubuntu1) hoary; urgency=low
.
* Resynchronise with Debian.
Security fixes: CAN-2004-1156 - Window Injection Vulnerability
* Add patch to render hebrew RtL rather than LtR
* Add patch to make ',' on the numpad work correctly (Ubuntu: #6301)
Martin Pitt (pitti) wrote : | #18 |
Warty was fixed in USN-149-3.
Changed in firefox: status: Unknown → Fix Released