[CVE-2006-1993] Firefox Remote Code Execution and DoS

Related Vulnerabilities: CVE-2006-1993  

Debian Bug report logs - #364810

Reported by: Daniel Leidert <daniel.leidert@wgdd.de>

Date: Tue, 25 Apr 2006 20:48:03 UTC

Severity: grave

Tags: security

Found in version firefox/1.5.dfsg+1.5.0.2-3

Fixed in version firefox/1.5.dfsg+1.5.0.3-1

Done: Eric Dorland <eric@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>:
Bug#364810; Package firefox.


Acknowledgement sent to Daniel Leidert <daniel.leidert.spam@gmx.net>:
New Bug report received and forwarded. Copy sent to Eric Dorland <eric@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Daniel Leidert <daniel.leidert.spam@gmx.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Buffer overflow opens remote code execution and/or DoS vulnerability
Date: Tue, 25 Apr 2006 22:30:20 +0200
Package: firefox
Version: 1.5.dfsg+1.5.0.2-3
Severity: grave

The following advisory was published recently:
http://www.securident.com/vuln/ff.txt

[..]
Result:  
 Firefox Remote Code Execution and Denial of Service - Vendor contacted,
 no patch yet.
Problem:
 A handling issue exists in how Firefox handles certain Javascript in
 js320.dll and xpcom_core.dll
 regarding iframe.contentWindow.focus().  By manipulating this feature
 a buffer overflow will occur.
[..]

I initially set this report to grave.

Regards, Daniel


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (110, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15.08060320
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages firefox depends on:
ii  debianutils                 2.15.7       Miscellaneous utilities specific t
ii  fontconfig                  2.3.2-5.1    generic font configuration library
ii  libatk1.0-0                 1.11.4-1     The ATK accessibility toolkit
ii  libc6                       2.3.6-7      GNU C Library: Shared libraries
ii  libcairo2                   1.0.4-1+b1   The Cairo 2D vector graphics libra
ii  libfontconfig1              2.3.2-5.1    generic font configuration library
ii  libfreetype6                2.1.10-3     FreeType 2 font engine, shared lib
ii  libgcc1                     1:4.1.0-1+b1 GCC support library
ii  libglib2.0-0                2.10.2-1     The GLib library of C routines
ii  libgtk2.0-0                 2.8.17-1     The GTK+ graphical user interface 
ii  libidl0                     0.8.6-1      library for parsing CORBA IDL file
ii  libjpeg62                   6b-12        The Independent JPEG Group's JPEG 
ii  libpango1.0-0               1.12.1-2     Layout and rendering of internatio
ii  libpng12-0                  1.2.8rel-5.1 PNG library - runtime
ii  libstdc++6                  4.1.0-1+b1   The GNU Standard C++ Library v3
ii  libx11-6                    2:1.0.0-6    X11 client-side library
ii  libxcursor1                 1.1.5.2-5    X cursor management library
ii  libxext6                    1:1.0.0-4    X11 miscellaneous extension librar
ii  libxfixes3                  1:3.0.1.2-4  X11 miscellaneous 'fixes' extensio
ii  libxft2                     2.1.8.2-6    FreeType-based font drawing librar
ii  libxi6                      1:1.0.0-5    X11 Input extension library
ii  libxinerama1                1:1.0.1-4    X11 Xinerama extension library
ii  libxrandr2                  2:1.1.0.2-4  X11 RandR extension library
ii  libxrender1                 1:0.9.0.2-4  X Rendering Extension client libra
ii  libxt6                      1:1.0.0-4    X11 toolkit intrinsics library
ii  psmisc                      22.2-1       Utilities that use the proc filesy
ii  zlib1g                      1:1.2.3-11   compression library - runtime

firefox recommends no packages.

-- no debconf information




Tags added: security Request was from Filipus Klutiero <chealer@vif.com> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#364810; Package firefox.


Acknowledgement sent to Eric Dorland <eric@debian.org>:
Extra info received and forwarded to list.


Message #12 received at 364810@bugs.debian.org:

From: Eric Dorland <eric@debian.org>
To: Daniel Leidert <daniel.leidert.spam@gmx.net>, 364810@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#364810: Buffer overflow opens remote code execution and/or DoS vulnerability
Date: Fri, 28 Apr 2006 10:34:03 -0400
tags 364810 security
thanks

* Daniel Leidert (daniel.leidert.spam@gmx.net) wrote:
> Package: firefox
> Version: 1.5.dfsg+1.5.0.2-3
> Severity: grave
> 
> The following advisory was published recently:
> http://www.securident.com/vuln/ff.txt
> 
> [..]
> Result:  
>  Firefox Remote Code Execution and Denial of Service - Vendor contacted,
>  no patch yet.
> Problem:
>  A handling issue exists in how Firefox handles certain Javascript in
>  js320.dll and xpcom_core.dll
>  regarding iframe.contentWindow.focus().  By manipulating this feature
>  a buffer overflow will occur.
> [..]
> 
> I initially set this report to grave.

Does this have a CVE # yet? 

-- 
Eric Dorland <eric@kuroneko.ca>
ICQ: #61138586, Jabber: hooty@jabber.com
1024D/16D970C6 097C 4861 9934 27A0 8E1C  2B0A 61E9 8ECF 16D9 70C6


Tags added: security Request was from Eric Dorland <eric@debian.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>:
Bug#364810; Package firefox.


Acknowledgement sent to Daniel Leidert <daniel.leidert.spam@gmx.net>:
Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>.


Message #19 received at 364810@bugs.debian.org:

From: Daniel Leidert <daniel.leidert.spam@gmx.net>
To: 364810@bugs.debian.org, control@bugs.debian.org
Cc: Eric Dorland <eric@debian.org>
Subject: Re: Bug#364810: Buffer overflow opens remote code execution and/or DoS vulnerability
Date: Fri, 28 Apr 2006 17:52:12 +0200
retitle 364810 [CVE-2006-1993] Firefox Remote Code Execution and DoS
thanks

On Friday, 28.04.2006, at 10:34 -0400, Eric Dorland wrote:

> Does this have a CVE # yet? 

Seems, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1993 is
the related CVE entry.

Regards, Daniel





Changed Bug title. Request was from Daniel Leidert <daniel.leidert.spam@gmx.net> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>:
Bug#364810; Package firefox.


Acknowledgement sent to Uwe Hermann <uwe@hermann-uwe.de>:
Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>.


Message #26 received at 364810@bugs.debian.org:

From: Uwe Hermann <uwe@hermann-uwe.de>
To: 364810@bugs.debian.org
Cc: Daniel Leidert <daniel.leidert.spam@gmx.net>, Eric Dorland <eric@debian.org>
Subject: Fixed in 1.5.0.3
Date: Wed, 3 May 2006 02:32:23 +0200
Looks like this is fixed in Firefox 1.5.0.3, please update the package
ASAP, as it's a critical and publicly known security issue.

http://www.mozilla.com/firefox/releases/1.5.0.3.html

Uwe.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org

Reply sent to Eric Dorland <eric@debian.org>:
You have taken responsibility.


Notification sent to Daniel Leidert <daniel.leidert.spam@gmx.net>:
Bug acknowledged by developer.


Message #31 received at 364810-close@bugs.debian.org:

From: Eric Dorland <eric@debian.org>
To: 364810-close@bugs.debian.org
Subject: Bug#364810: fixed in firefox 1.5.dfsg+1.5.0.3-1
Date: Wed, 03 May 2006 00:32:27 -0700
Source: firefox
Source-Version: 1.5.dfsg+1.5.0.3-1

We believe that the bug you reported is fixed in the latest version of
firefox, which is due to be installed in the Debian FTP archive:

firefox-dbg_1.5.dfsg+1.5.0.3-1_i386.deb
  to pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.3-1_i386.deb
firefox-dom-inspector_1.5.dfsg+1.5.0.3-1_i386.deb
  to pool/main/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.3-1_i386.deb
firefox-gnome-support_1.5.dfsg+1.5.0.3-1_i386.deb
  to pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.3-1_i386.deb
firefox_1.5.dfsg+1.5.0.3-1.diff.gz
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.3-1.diff.gz
firefox_1.5.dfsg+1.5.0.3-1.dsc
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.3-1.dsc
firefox_1.5.dfsg+1.5.0.3-1_i386.deb
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.3-1_i386.deb
firefox_1.5.dfsg+1.5.0.3.orig.tar.gz
  to pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.3.orig.tar.gz
mozilla-firefox-dom-inspector_1.5.dfsg+1.5.0.3-1_all.deb
  to pool/main/f/firefox/mozilla-firefox-dom-inspector_1.5.dfsg+1.5.0.3-1_all.deb
mozilla-firefox-gnome-support_1.5.dfsg+1.5.0.3-1_all.deb
  to pool/main/f/firefox/mozilla-firefox-gnome-support_1.5.dfsg+1.5.0.3-1_all.deb
mozilla-firefox_1.5.dfsg+1.5.0.3-1_all.deb
  to pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.3-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 364810@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Eric Dorland <eric@debian.org> (supplier of updated firefox package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Wed,  3 May 2006 00:32:49 -0400
Source: firefox
Binary: firefox-dbg firefox-gnome-support firefox-dom-inspector mozilla-firefox mozilla-firefox-gnome-support mozilla-firefox-dom-inspector firefox
Architecture: source all i386
Version: 1.5.dfsg+1.5.0.3-1
Distribution: unstable
Urgency: critical
Maintainer: Eric Dorland <eric@debian.org>
Changed-By: Eric Dorland <eric@debian.org>
Description: 
 firefox    - lightweight web browser based on Mozilla
 firefox-dbg - debugging symbols for firefox
 firefox-dom-inspector - tool for inspecting the DOM of pages in Mozilla Firefox
 firefox-gnome-support - Support for Gnome in Mozilla Firefox
 mozilla-firefox - Transition package for firefox rename
 mozilla-firefox-dom-inspector - Transition package for firefox rename
 mozilla-firefox-gnome-support - Transition package for firefox rename
Closes: 364566 364640 364810 365099 365738
Changes: 
 firefox (1.5.dfsg+1.5.0.3-1) unstable; urgency=critical
 .
   * The "secure enough for ya!" release.
   * New upstream release. Contains security fixes, hence severity
     critical.
     - Fixes CVE-2006-1993 aka MFSA 2006-30. (Closes: #364810)
 .
   [ Mike Hommey ]
   * security/manager/Makefile.in, debian/firefox.install: Build and
     install the .chk file again. That will make the FIPS mode work again.
   * debian/control: Bumped Standards-Version to 3.7.0.0. No changes.
   * debian/rules: Fix the navigator.ProductSub value for dumb scripts.
     Closes: #364640, #365099. We now use the date of the client.mk file,
     which is likely to be the closest value to the release date, instead of
     useless build date.
     Add the debian version after the firefox version string.
   * debian/rules: Use dpkg-architecture to find out the host and build that
     we want to pass to the configure script. (Closes: #365738)
 .
   [ Eric Dorland ]
   * debian/firefox-runner:
     - Quote the APPLICATION_ID variable to handle profiles with a space
       in the name. Inspired by Morita Sho's patch. (Closes: #364566)
     - echo MOZ_DISABLE_PANGO on verbose.
   * debian/rules: It's baaaackkk. Reenable xprint.




Changed Bug submitter from Daniel Leidert <daniel.leidert.spam@gmx.net> to Daniel Leidert <daniel.leidert@wgdd.de>. Request was from Daniel Leidert <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Sat, 24 Mar 2007 23:51:59 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 14:04:13 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:41:19 2019; Machine Name: beach
