
US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities (fwd)
Just received this CERT announce concerning firefox vulnerabilities. I
checked portage and there is no ebuild for 1.5.0.5. Anyone have an idea
when we can expect an ebuild for this version?

- Rod

--
___ ____ ___ _ ___
Rod Moffitt / _ \/ __ \/ _ \ (_)__ / _/__
http://rod.info / , _/ /_/ / // / / / _ \/ _/ _ \
rodANTISPAM@rod.info /_/|_|\____/____(*)_/_//_/_/ \___/
=======================================================
~ Where loved ones are remembered http://memoriam.org ~

---------- Forwarded message ----------
Date: Thu, 27 Jul 2006 16:38:31 -0400
From: CERT Advisory <cert-advisory@cert.org>
To: cert-advisory@cert.org
Subject: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products
Contain Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA06-208A


Mozilla Products Contain Multiple Vulnerabilities

Original release date: July 27, 2006
Last revised: --
Source: US-CERT


Systems Affected

* Mozilla SeaMonkey
* Mozilla Firefox
* Mozilla Thunderbird

Any products based on Mozilla components, specifically Gecko, may also
be affected.


Overview

The Mozilla web browser and derived products contain several
vulnerabilities, the most serious of which could allow a remote
attacker to execute arbitrary code on an affected system.


I. Description

Several vulnerabilities have been reported in the Mozilla web browser
and derived products. More detailed information is available in the
individual vulnerability notes, including the following:


VU#476724 - Mozilla products fail to properly handle frame references

Mozilla products fail to properly handle frame or window references.
This may allow a remote attacker to execute arbitrary code on a
vulnerable system.
(CVE-2006-3801)


VU#670060 - Mozilla fails to properly release JavaScript references

Mozilla products fail to properly release memory. This vulnerability
may allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3677)


VU#239124 - Mozilla fails to properly handle simultaneous XPCOM events

Mozilla products are vulnerable to memory corruption via simultaneous
XPCOM events. This may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3113)


VU#265964 - Mozilla products contain a race condition

Mozilla products contain a race condition. This vulnerability may
allow a remote attacker to execute code on a vulnerable system.
(CVE-2006-3803)


VU#897540 - Mozilla products VCard attachment buffer overflow

Mozilla products fail to properly handle malformed VCard attachments,
allowing a buffer overflow to occur. This vulnerability may allow a
remote attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3804)


VU#876420 - Mozilla fails to properly handle garbage collection

The Mozilla JavaScript engine fails to properly perform garbage
collection, which may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3805)


VU#655892 - Mozilla JavaScript engine contains multiple integer
overflows

The Mozilla JavaScript engine contains multiple integer overflows.
This vulnerability may allow a remote attacker to execute arbitrary
code on a vulnerable system.
(CVE-2006-3806)


VU#687396 - Mozilla products fail to properly validate JavaScript
constructors

Mozilla products fail to properly validate references returned by
JavaScript constructors. This vulnerability may allow a remote
attacker to execute arbitrary code on a vulnerable system.
(CVE-2006-3807)


VU#527676 - Mozilla contains multiple memory corruption
vulnerabilities

Mozilla products contain multiple vulnerabilities that can cause
memory corruption. This may allow a remote attacker to execute
arbitrary code on a vulnerable system.
(CVE-2006-3811)


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on a
vulnerable system. An attacker may also be able to cause the
vulnerable application to crash.


III. Solution

Upgrade

Upgrade to Mozilla Firefox 1.5.0.5, Mozilla Thunderbird 1.5.0.5, or
SeaMonkey 1.0.3.

Disable JavaScript and Java

These vulnerabilities can be mitigated by disabling JavaScript and
Java in all affected products. Instructions for disabling Java in
Firefox can be found in the "Securing Your Web Browser" document.


Appendix A. References

* US-CERT Vulnerability Notes Related to July Mozilla Security
Advisories -
<http://www.kb.cert.org/vuls/byid?searchview&query=firefox_1505>

* CVE-2006-3801 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801>

* CVE-2006-3677 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677>

* CVE-2006-3113 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113>

* CVE-2006-3803 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803>

* CVE-2006-3804 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804>

* CVE-2006-3805 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805>

* CVE-2006-3806 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806>

* CVE-2006-3807 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807>

* CVE-2006-3811 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811>

* Mozilla Foundation Security Advisories -
<http://www.mozilla.org/security/announce/>

* Known Vulnerabilities in Mozilla Products -
<http://www.mozilla.org/projects/security/known-vulnerabilities.html>

* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/browser_security.html#Mozilla_Firefox>


____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-208A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-208A Feedback VU#239124" in the
subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2006 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

Jul 27, 2006: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRMkgNexOF3G+ig+rAQIFsAgAoWoMkxxhkzb+xgLVCJF7h4k4EBCgJGWa
BSOiFfL4Gs4vv4lNooDRCIOdxiBfXYL71XsIOT4aWry5852/6kyYnyAiXXYj1Uv0
SbPY2sQSZ5EaG+G9i8HDIy3fpJN4XgH3ng1uzUnJihY19IfndbXicpZE+debIUri
qt9NRD2f5FW5feKo1cBpYxtmxQAEePOa2dJHh7I7cnFGtG3MixHx4kVEyuYUutCX
5tHDsfTIdySNkIdCQ4vhk846bErB/kaHiKMQDfMglllb3GOSc07OQ0CDo2eTPVsA
9DtKkiDP1C4dh1mxco8CWlS6327+EB0KXGGoqDF2+j/rrpsW0oc8nA==
=HwuK
-----END PGP SIGNATURE-----
--
gentoo-security@gentoo.org mailing list
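The forwarded alert's Solution section names the fixed releases (Firefox and Thunderbird 1.5.0.5, SeaMonkey 1.0.3) and disabling JavaScript as the interim mitigation. The script below is an added example, not part of the alert or of any post in this thread: it compares an installed version against those fixed releases and stages the JavaScript mitigation in a profile's user.js. The product keywords, the `firefox --version` banner format and the profile directory passed by the caller are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from TA06-208A or the gentoo-security thread).
# Decide whether an installed Mozilla product is below the release the alert
# names as fixed, and stage the "disable JavaScript" mitigation in user.js.

# Fixed versions taken from the alert's "Upgrade" section.
fixed_version() {
    case $1 in
        firefox|thunderbird) echo 1.5.0.5 ;;
        seamonkey)           echo 1.0.3 ;;
        *)                   return 1 ;;
    esac
}

# version_lt A B: true (0) when dotted numeric version A is strictly lower
# than B. Missing trailing components count as 0, so 1.5 equals 1.5.0.0.
version_lt() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        a=${v1%%.*}; b=${v2%%.*}
        if [ "$a" = "$v1" ]; then v1=''; else v1=${v1#*.}; fi
        if [ "$b" = "$v2" ]; then v2=''; else v2=${v2#*.}; fi
        a=${a:-0}; b=${b:-0}
        if [ "$a" -lt "$b" ]; then return 0; fi
        if [ "$a" -gt "$b" ]; then return 1; fi
    done
    return 1
}

# needs_upgrade PRODUCT VERSION: print a verdict; return 0 when VERSION is
# below the fixed release, 1 when it is current, 2 for an unknown product.
needs_upgrade() {
    fixed=$(fixed_version "$1") || { echo "unknown product: $1" >&2; return 2; }
    if version_lt "$2" "$fixed"; then
        echo "$1 $2 is below $fixed: upgrade per TA06-208A"
        return 0
    fi
    echo "$1 $2 is at or above $fixed"
    return 1
}

# Pull the first dotted number out of a banner such as
# "Mozilla Firefox 1.5.0.4, Copyright (c) 1998 - 2006 mozilla.org"
# (assumed output of `firefox --version`); pure text handling, testable offline.
version_from_banner() {
    echo "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# Append the alert's interim mitigation to a profile's user.js.
# javascript.enabled is the real Firefox preference; PROFILE_DIR is assumed.
disable_javascript_pref() {
    profile_dir=$1
    echo 'user_pref("javascript.enabled", false);' >> "$profile_dir/user.js"
}

main() {
    product=${1:?usage: $0 PRODUCT [VERSION]   (e.g. firefox 1.5.0.4)}
    version=${2:-$(version_from_banner "$(${FIREFOX_BIN:-firefox} --version)")}
    needs_upgrade "$product" "$version"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh check.sh firefox 1.5.0.4` (or omit the version to read it from the assumed `firefox --version` banner). Disabling JavaScript is the alert's stopgap, not a substitute for the upgrade: the VCard overflow (VU#897540) is reached through a mail attachment, not script, so the version check is the test that actually matters.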
Re: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities (fwd)
On Thu, 2006-07-27 at 21:04 -0400, Rod Moffitt wrote:
> Just received this CERT announce concerning firefox vulnerabilities. I
> checked portage and there is no ebuild for 1.5.0.5. Anyone have an idea
> when we can expect an ebuild for this version?
>
> - Rod
>
<snip>
It's already in bugzilla.
(http://bugs.gentoo.org/show_bug.cgi?id=141842)

--
Carlos "r3pek" Silva
Gentoo Developer (kernel/amd64/mobile-phone)
Re: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities (fwd)
> It's already in bugzilla.
> (http://bugs.gentoo.org/show_bug.cgi?id=141842)

Thanks for the info (should have looked at bugzilla). Any idea why the
gentoo devel team are so slow in responding to this rather serious
issue?

For the first time in 3 years I am installing firefox from the moz site
and uninstalling the ebuild - I recommend everyone do that ASAP until
the gentoo devel wake up and realize how serious this is and fix the
ebuild.

- Rod
Re: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities (fwd)
Rod Moffitt wrote:
>> It's already in bugzilla.
>> (http://bugs.gentoo.org/show_bug.cgi?id=141842)
>
> Thanks for the info (should have looked at bugzilla). Any idea why the
> gentoo devel team are so slow in responding to this rather serious issue?
>
> For the first time in 3 years I am installing firefox from the moz site
> and uninstalling the ebuild - I recommend everyone do that ASAP until
> the gentoo devel wake up and realize how serious this is and fix the
> ebuild.

You know, you are more than welcome to contribute an ebuild for the new firefox
rather than bitching that we're too slow. As for why we're so slow (as you put
it...didn't the new version just come out yesterday?), the primary maintainer
for all of the Mozilla stuff (firefox, mozilla, seamonkey, thunderbird, etc.)
quit about 2 weeks ago. We've been trying to find someone to step up and take
permanent maintainership, but until then, the "backup maintainers" are busy
people and will get to it when they have time.

--
Andrew Gaffney http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer Installer Project

Re: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities (fwd)
>> For the first time in 3 years I am installing firefox from the moz site
>> and uninstalling the ebuild - I recommend everyone do that ASAP until the
>> gentoo devel wake up and realize how serious this is and fix the ebuild.
>
> You know, you are more than welcome to contribute an ebuild for the new
> firefox rather than bitching that we're too slow. As for why we're so slow
> (as you put it...didn't the new version just come out yesterday?), the
> primary maintainer for all of the Mozilla stuff (firefox, mozilla, seamonkey,
> thunderbird, etc.) quit about 2 weeks ago. We've been trying to find someone
> to step up and take permanent maintainership, but until then, the "backup
> maintainers" are busy people and will get to it when they have time.

I don't believe that I was 'bitching'. I was merely stating that this was
a serious issue and that it should be addressed as soon as possible.

I have complete empathy for the situation, however no distro (commercial
or community based) can simply use as an excuse that the person who is
responsible is gone/on vacation/insert reason for not being there. This
isn't a new feature request, this is a major vulnerability we are talking
about.

Not only will gentoo suffer because the users will be affected by this,
but one of the major benefits of an open-source os such as gentoo/linux is
that responses to security holes are generally very quick (this is often a
comparison point between linux and windows).

- Rod
Re: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities (fwd)
On Fri, Jul 28, 2006 at 11:23:26AM -0400, Rod Moffitt wrote:
> >> For the first time in 3 years I am installing firefox from the moz site
> >> and uninstalling the ebuild - I recommend everyone do that ASAP until the
> >> gentoo devel wake up and realize how serious this is and fix the ebuild.
> >
> >You know, you are more than welcome to contribute an ebuild for the new
> >firefox rather than bitching that we're too slow. As for why we're so slow
> >(as you put it...didn't the new version just come out yesterday?), the
> >primary maintainer for all of the Mozilla stuff (firefox, mozilla,
> >seamonkey, thunderbird, etc.) quit about 2 weeks ago. We've been trying to
> >find someone to step up and take permanent maintainership, but until then,
> >the "backup maintainers" are busy people and will get to it when they have
> >time.
>
> I don't believe that I was 'bitching'. I was merely stating that this was
> a serious issue and that it should be addressed as soon as possible.
>
> I have complete empathy for the situation, however no distro (commercial
> or community based) can simply use as an excuse that the person who is
> responsible is gone/on vacation/insert reason for not being there. This
> isn't a new feature request, this is a major vulnerability we are talking
> about.
Oh yes, we can. Gentoo is an all volunteer driven distribution and we
all have jobs/school/other crap that comes before Gentoo work. Doesn't
matter if there's a security vulnerability or not.

That said we'll get to it as fast as possible (people, including myself
are currently working on all the mozilla stuff). But we're sure as hell
not calling in sick at work or something like that just to live up to
your misguided expectations.
>
> Not only will gentoo suffer because the users will be affected by this,
> yet one of the major benefits of an open-source os such as gentoo/linux is
> that responses to security holes are generally very quick (this is often a
> comparison point between linux and windows).
And how is one or two days not fast response? The mozilla herd have only
been cc'ed on the bug one day which doesn't give us much chance of
responding.

Regards,
Bryan Østergaard

PS. Sorry if my answer is rude and/or impolite but I take offense when
random people claim we're doing a poor job when in fact we're working as
fast as possible solving the problem.
Re: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities (fwd)
On Fri, Jul 28, 2006 at 11:23:26AM -0400, Rod Moffitt wrote:
> I have complete empathy for the situation, however no distro (commercial
> or community based) can simply use as an excuse that the person who is
> responsible is gone/on vacation/insert reason for not being there. This
> isn't a new feature request, this is a major vulnerability we are talking
> about.

Problem:
You feel that the volunteer developers are not working fast
enough/well enough. You want this bug fixed as quickly as possible
so that it does not affect you. The volunteer developers are
currently working as fast as they can.

Solution:
Volunteer your time to fix the problem, or wait for the existing
volunteers to fix the problem.

If that isn't acceptable to you, you should seriously consider using a
commercial distribution where people *are* paid to fix security bugs.

--
/--------------- - - - - - -
| Dan Noe, freelance hacker
| http://isomerica.net/
Re: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities (fwd)
On Fri, 28 Jul 2006, Dan Noe wrote:

> If that isn't acceptable to you, you should seriously consider using a
> commercial distribution where people *are* paid to fix security bugs.

I second that opinion. Personally, I'm quite grateful for all of the hard
work all of the Gentoo developers put in, and would like to take this
opportunity to point that out explicitly.

This vulnerability was only announced yesterday, and given that there are
probably no visible changes between 1.5.0.4 and 1.5.0.5 other than internal
bug fixes, a temporary workaround would probably be as simple as copying
the ebuild to your local overlay directory and changing the version number.

Having spent the last month trying to put together a reasonably
minimalistic install of Red Hat Enterprise Linux for an Oracle project, let
me tell you that while they might fix bugs quickly, working with it is a
pain in the ass, particularly compared to the simplicity and flexibility
that is Gentoo. (you have to love wanting to install package A, which has a
dependency on package B you don't even care about, but can't get rid of,
and that dependency cascades into a dozen more packages you want nothing to
do with that have to install just to get package A <sigh>...)


--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson@csupomona.edu
California State Polytechnic University | Pomona CA 91768
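Paul's stopgap (copy the current ebuild into a local overlay and change the version number) as a worked example. This is added here and is not code from the thread or from Gentoo. It assumes the portage tree under /usr/portage, a local overlay under /usr/local/portage that is listed in PORTDIR_OVERLAY in /etc/make.conf, and the package name www-client/mozilla-firefox; those names appear only in the usage comment and the test, the functions take them as arguments.

```shell
#!/bin/sh
# Added example (not from the thread or from Gentoo): stage a version-bumped
# copy of an existing ebuild in a local overlay. Paths in the usage comment
# at the bottom are assumptions.

# bumped_ebuild_name OLD_FILE NEW_VERSION
#   mozilla-firefox-1.5.0.4.ebuild 1.5.0.5 -> mozilla-firefox-1.5.0.5.ebuild
# Any -rN revision suffix is dropped: a new upstream version starts at r0.
bumped_ebuild_name() {
    base=${1%.ebuild}
    pkg=${base%-[0-9]*}   # strip the shortest "-<digit>..." suffix (version and revision)
    echo "$pkg-$2.ebuild"
}

# stage_bump SRC_EBUILD OVERLAY NEW_VERSION
# Copy the ebuild (and its files/ directory of patches, if present) into
# OVERLAY/<category>/<package>/ under the bumped name; print the new path.
stage_bump() {
    src=$1; overlay=$2; newver=$3
    pkgdir=$(dirname "$src")
    category=$(basename "$(dirname "$pkgdir")")
    pkg=$(basename "$pkgdir")
    dest_dir="$overlay/$category/$pkg"
    dest="$dest_dir/$(bumped_ebuild_name "$(basename "$src")" "$newver")"
    mkdir -p "$dest_dir"
    cp "$src" "$dest"
    if [ -d "$pkgdir/files" ]; then
        cp -R "$pkgdir/files" "$dest_dir/"
    fi
    echo "$dest"
}

# Generate the digest so emerge accepts the staged ebuild. This fetches the
# new upstream tarball named by SRC_URI and records its checksum; it records
# whatever was downloaded, it does not vouch for the download's authenticity.
# `ebuild ... digest` is the 2006-era form; current portage calls it `manifest`.
generate_digest() {
    (cd "$(dirname "$1")" && ebuild "$(basename "$1")" digest)
}

main() {
    src=${1:?usage: $0 SRC_EBUILD OVERLAY NEW_VERSION}
    dest=$(stage_bump "$src" "$2" "$3")
    generate_digest "$dest"
    atom="=$(basename "$(dirname "$(dirname "$dest")")")/$(basename "$(dirname "$dest")")-$3"
    echo "staged $dest; install with: emerge --oneshot '$atom'"
}

# Example invocation (paths assumed):
#   sh bump.sh /usr/portage/www-client/mozilla-firefox/mozilla-firefox-1.5.0.4.ebuild \
#       /usr/local/portage 1.5.0.5
if [ $# -gt 0 ]; then main "$@"; fi
```

The bump reuses the old build recipe unchanged, so it only works when upstream's build has not changed between the two releases; if the new version needs different patches or configure flags the build fails rather than silently producing a broken binary. Check the fetched tarball against upstream's published checksums before running the digest step, since the digest only fixes the hash of what was fetched.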
Re: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities (fwd)
On Fri, 2006-07-28 at 10:17 -0700, Paul B. Henson wrote:
> On Fri, 28 Jul 2006, Dan Noe wrote:
>
> > If that isn't acceptable to you, you should seriously consider using a
> > commercial distribution where people *are* paid to fix security bugs.
>

...

>
> Having spent the last month trying to put together a reasonably
> minimalistic install of Red Hat Enterprise Linux for an Oracle project, let
> me tell you that while they might fix bugs quickly, working with it is a
> pain in the ass, particularly compared to the simplicity and flexibility
> that is Gentoo. (you have to love wanting to install package A, which has a
> dependency on package B you don't even care about, but can't get rid of,
> and that dependency cascades into a dozen more packages you want nothing to
> do with that have to install just to get package A <sigh>...)
>

I second this, I just finished a rather large (highly dependency
driven) RHEL oracle install and it just reinforced to me how much
gentoo is just plain awesome. There is really no other way to describe
it.

$gentoo++;

Thanks guys!
--
Wes Young
Network Security Analyst
University at Buffalo
GPG Key ID: B0E1E99D
GPG Fingerprint: 5CFE B28C E015 E03F F19D B4A8 E753 7659 B0E1 E99D
-----------------------------------------------
| My Digg Profile: | http://tinyurl.com/zrc6m |
| My Security Blog: | http://tinyurl.com/9av4k |
| My RSS: | http://tinyurl.com/ceopv |
| My Life: | http://tinyurl.com/l18g |
| CPAN: | http://tinyurl.com/mujm5 |
-----------------------------------------------

Re: US-CERT Technical Cyber Security Alert TA06-208A -- Mozilla Products Contain Multiple Vulnerabilities (fwd)
http://gentoo-wiki.com/HOWTO_Install_Oracle_10g

Anyone know if there's anything we could do to encourage Oracle to
support Gentoo as an install platform?

Ben.

Wes Young wrote:
> On Fri, 2006-07-28 at 10:17 -0700, Paul B. Henson wrote:
>> On Fri, 28 Jul 2006, Dan Noe wrote:
>>
>>> If that isn't acceptable to you, you should seriously consider using a
>>> commercial distribution where people *are* paid to fix security bugs.
>
> ...
>
>> Having spent the last month trying to put together a reasonably
>> minimalistic install of Red Hat Enterprise Linux for an Oracle project, let
>> me tell you that while they might fix bugs quickly, working with it is a
>> pain in the ass, particularly compared to the simplicity and flexibility
>> that is Gentoo. (you have to love wanting to install package A, which has a
>> dependency on package B you don't even care about, but can't get rid of,
>> and that dependency cascades into a dozen more packages you want nothing to
>> do with that have to install just to get package A <sigh>...)
>>
>
> I second this, I just finished a rather large (highly dependency
> driven) RHEL oracle install and it just reinforced to me how much
> gentoo is just plain awesome. There is really no other way to describe
> it.
>
> $gentoo++;
>
> Thanks guys!