Code execution through javascript: favicons

Bug #16231 reported by Tres Seaver
Affects: firefox (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Thom May

Bug Description

Firefox and the Mozilla Suite support custom "favicons" through the <LINK
rel="icon"> tag. If a link tag is added to the page programmatically and a
javascript: url is used, then script will run with elevated privileges and could
run or install malicious software.

Workaround: Disable javascript.

Fixed in: Firefox 1.0.3 / Mozilla Suite 1.7.7

References:

 - http://www.mikx.de/firelinking/

 - https://bugzilla.mozilla.org/show_bug.cgi?id=290036

 - http://www.mozilla.org/security/announce/mfsa2005-37.html
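A defender-side check for the pattern the report describes: a static scan of HTML for `<link rel=icon>` elements whose href resolves to the javascript: scheme, normalising the URL the way browsers do so that case and embedded whitespace cannot hide it. This is an added example, not code from the bug report or from the Firefox fix; the sample document is constructed.

```python
import re
from html.parser import HTMLParser

# Browsers strip leading/trailing C0 controls and spaces, delete embedded
# tab/CR/LF, and match the scheme case-insensitively before dispatching a URL.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def url_scheme(url: str) -> str:
    """Lower-cased scheme of `url` after browser-style cleanup ('' if none)."""
    cleaned = re.sub(r"[\t\r\n]", "", url.strip(_C0_AND_SPACE))
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else ""

class IconLinkScanner(HTMLParser):
    """Record every <link> whose rel contains 'icon' and whose href is javascript:."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, raw href) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)                       # html.parser lower-cases names
        rel_tokens = (a.get("rel") or "").lower().split()
        if "icon" not in rel_tokens:          # matches "icon" and "shortcut icon"
            return
        href = a.get("href") or ""
        if url_scheme(href) == "javascript":
            self.findings.append((self.getpos()[0], href))

def scan_html(doc: str) -> list:
    """Return (line, href) for each javascript: favicon link in an HTML document."""
    parser = IconLinkScanner()
    parser.feed(doc)
    parser.close()
    return parser.findings

# Constructed sample: one benign icon, two disguised javascript: icons, and a
# javascript: stylesheet that this favicon-specific check deliberately ignores.
SAMPLE = """<html><head>
<link rel="icon" href="/favicon.ico">
<link rel="SHORTCUT ICON" href="  JaVaScRiPt:void(0)">
<link rel="stylesheet" href="javascript:void(0)">
<link rel="icon" href="java	script:void(0)">
</head></html>"""

if __name__ == "__main__":
    for line, href in scan_html(SAMPLE):
        print(f"line {line}: javascript: favicon {href!r}")
```

A scan of static markup cannot see a link element that page script adds to the DOM at runtime, which is exactly the programmatic case the report describes, so it complements the browser fix rather than replacing it.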

David Klotz (ravenmokel) wrote :

This is pretty serious, I just tried out the demo-exploit from
http://www.mikx.de/firelinking/ on my hoary firefox and it worked
and successfully created a file in my home directory just by
opening a link.
I think ff 1.0.3 should definitely go into hoary-updates or the
fixes should at least be backported to the 1.0.2 in hoary (but I don't
really see a reason for not updating to 1.0.3, we're not debian stable ;)).
And it's not the only serious hole in 1.0.2, just take a look at
what was fixed in 1.0.3 on
http://www.mozilla.org/projects/security/known-vulnerabilities.html

bye,
david

removed (removed) wrote :

*** Bug 16476 has been marked as a duplicate of this bug. ***

removed (removed) wrote :

Jdong has produced a backport that fixes this issue.

Maybe this can be promoted to the official Ubuntu repositories?

Benjamin Döpke (benjamin-doepke) wrote :

Created an attachment (id=2181)
possible patch

This is the (trivial) patch that seemingly went into 1.0.3 to fix this issue.
Just slightly adapted to match hoary's firefox. From a quick glance at 0.9.3's
source, this should be easy to adapt to warty, too.

Thom May (thombot) wrote :

We have patches prepared for this and other issues, and are currently testing
them for a release early next week.

Thom May (thombot) wrote :

*** Bug 16536 has been marked as a duplicate of this bug. ***

removed (removed) wrote :

A full week past, still no patch?

Thom May (thombot) wrote :

(In reply to comment #7)
> A full week past, still no patch?

It's in the security queue. You do realise that 1.0.3 had about 10 security
vulns and all of them needed testing and patching, not just this one, right?

removed (removed) wrote :

(In reply to comment #8)
> (In reply to comment #7)
> > A full week past, still no patch?
>
> It's in the security queue. You do realise that 1.0.3 had about 10 security
> vulns and all of them needed testing and patching, not just this one, right?

Yes, I do. But this bug is a serious breach of security, which makes some
people (including me) very nervous.
Are there problems applying the patches?

Thom May (thombot) wrote :

As I said, "It's in the security queue." This means it's done and merely waiting
for a security release.

removed (removed) wrote :

(In reply to comment #10)
> As I said "It's in the security queue." this means it's done and merely waiting
> for a security release.

Does this include patches for Warty?

Peter Weissgerber (usenet-p-weissgerber) wrote :

Please bear in mind that Firefox release 1.0.3 did not close this favicons code
execution bug completely. For example, the "c't Browser demo" at
http://www.heise.de/security/dienste/browsercheck/demos/nc/mozdemo3.shtml still
works with Firefox 1.0.3 as well as with the latest Ubuntu Firefox package
("c't" is a major computer magazine in Germany. Just click on "Test ausführen".
Then, an xterm will open that shows all files on your hard drive). This bug is
fixed in Firefox 1.0.4. Please include these fixes in the next Hoary security
release.

removed (removed) wrote :

It's great that the patch is out (although the c't test seems to indicate that
it is not completely fixed).
But, what about Warty? I have two boxes (out of 4) still running Warty.

Martin Pitt (pitti) wrote :

Warty was fixed in USN-149-3.
