iceweasel: CVE-2008-2786 CVE-2008-2785: two vulnerabilities with unknown impact

Related Vulnerabilities: CVE-2008-2786   CVE-2008-2785  

Debian Bug report logs - #488358

Reported by: Steffen Joeris <steffen.joeris@skolelinux.de>

Date: Sat, 28 Jun 2008 09:54:23 UTC

Severity: grave

Tags: security

Found in version iceweasel/3.0~rc2-2

Fixed in version 3.0.1-1

Done: Mike Hommey <mh@glandium.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>:
Bug#488358; Package iceweasel.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
New Bug report received and forwarded. Copy sent to Eric Dorland <eric@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: iceweasel: CVE-2008-2786 CVE-2008-2785: two vulnerabilities with unknown impact
Date: Sat, 28 Jun 2008 11:49:35 +0200
Package: iceweasel
Version: 3.0~rc2-2
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for iceweasel.

CVE-2008-2786[0]:
| Buffer overflow in Firefox 3.0 and 2.0.x has unknown impact and attack
| vectors.  NOTE: due to lack of details as of 20080619, it is not clear
| whether this is the same issue as CVE-2008-2785.  A CVE identifier has
| been assigned for tracking purposes.

CVE-2008-2785[1]:
| Unspecified vulnerability in Firefox 3.0 and 2.0.x has unknown impact
| and remote attack vectors, aka ZDI-CAN-349.

I've set the severity to important for now, since there isn't much
information :/

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2786
    http://security-tracker.debian.net/tracker/CVE-2008-2786
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2785
    http://security-tracker.debian.net/tracker/CVE-2008-2785




Severity set to `grave' from `important'. Request was from Nico Golde <nion@debian.org> to control@bugs.debian.org. (Wed, 16 Jul 2008 14:06:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>:
Bug#488358; Package iceweasel.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>.


Message #12 received at 488358@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 488358@bugs.debian.org
Subject: CVE-2008-2785 fixed in 3.0.1-1
Date: Wed, 16 Jul 2008 16:14:48 +0200
Hi,
note that CVE-2008-2785 has been fixed with the 3.0.1-1 
upload referring to the upstream security advisory on
http://www.mozilla.org/security/announce/2008/mfsa2008-34.html

Unfortunately it is not yet clear whether CVE-2008-2786 is 
the same issue or not.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Mike Hommey <mh@glandium.org>:
You have taken responsibility.


Notification sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Bug acknowledged by developer.


Message #17 received at 488358-done@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: Nico Golde <nion@debian.org>, 488358-done@bugs.debian.org
Subject: Re: Bug#488358: CVE-2008-2785 fixed in 3.0.1-1
Date: Wed, 16 Jul 2008 16:57:02 +0200
Version: 3.0.1-1

On Wed, Jul 16, 2008 at 04:14:48PM +0200, Nico Golde <nion@debian.org> wrote:
> Hi,
> note that CVE-2008-2785 has been fixed with the 3.0.1-1 
> upload referring to the upstream security advisory on
> http://www.mozilla.org/security/announce/2008/mfsa2008-34.html

Note that 3.0.1-1 was uploaded before the upstream security advisory
was released, so it doesn't refer to the MFSA or CVE numbers.

Also note that technically, these bugs affect the xulrunner-1.9 package,
not the iceweasel package. But iceweasel 3.0.1-1 depending on xulrunner-1.9
>> 1.9~rc2-5, and 1.9.0.1-1 being next after 1.9~rc2-5, this is roughly the
same (except for epiphany and friends, but the BTS is surely not the
best place to keep proper security fix versioning, security-tracker should
be)

> Unfortunately it is not yet clear whether CVE-2008-2786 is 
> the same issue or not.

There are two fixes in the diff between 3.0 and 3.0.1 that look like
overflow fixing, and that are very similar:
one in layout/style/nsCSSValue.h and one in
rdf/base/src/nsInMemoryDataSource.cpp.

Maybe each CVE refers to each of these.

There is also a crash bug that is fixed, but MFSA-2008-24 explicitly
talks about CVE-2008-2785, so this leaves only CVE-2008-2786 as unexplained,
and CVE-2008-2786 is about a buffer overflow, which is not what the fixed
crash seems to lead to, I'd say. This crash is:
https://bugzilla.mozilla.org/show_bug.cgi?id=440473

Note that if that were really CVE-2008-2786, it would not be a public bug.

So it looks pretty much like both are fixed. If you don't agree, feel
free to reopen.

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>:
Bug#488358; Package iceweasel.


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>.


Message #22 received at 488358@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: Mike Hommey <mh@glandium.org>
Cc: 488358@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#488358: CVE-2008-2785 fixed in 3.0.1-1
Date: Wed, 16 Jul 2008 17:22:59 +0200
Hi Mike,
* Mike Hommey <mh@glandium.org> [2008-07-16 17:00]:
> On Wed, Jul 16, 2008 at 04:14:48PM +0200, Nico Golde <nion@debian.org> wrote:
> > note that CVE-2008-2785 has been fixed with the 3.0.1-1 
> > upload referring to the upstream security advisory on
> > http://www.mozilla.org/security/announce/2008/mfsa2008-34.html
> 
> Note that 3.0.1-1 was uploaded before the upstream security advisory
> was released, so it doesn't refer to the MFSA or CVE numbers.

Yes sure.

> Also note that technically, these bugs affect the xulrunner-1.9 package,
> not the iceweasel package. But iceweasel 3.0.1-1 depending on xulrunner-1.9
> >> 1.9~rc2-5, and 1.9.0.1-1 being next after 1.9~rc2-5, this is roughly the
> same (except for epiphany and friends, but the BTS is surely not the
> best place to keep proper security fix versioning, security-tracker should
> be)

Ok thanks, added xulrunner 1.9.0.1-1 to the list of fixed 
packages at the security-tracker.

> > Unfortunately it is not yet clear whether CVE-2008-2786 is 
> > the same issue or not.
> 
> There are two fixes in the diff between 3.0 and 3.0.1 that look like
> overflow fixing, and that are very similar:
> one in layout/style/nsCSSValue.h and one in
> rdf/base/src/nsInMemoryDataSource.cpp.
> 
> Maybe each CVE refers to each of these.
> 
> There is also a crash bug that is fixed, but MFSA-2008-24 explicitly
> talks about CVE-2008-2785, so this leaves only CVE-2008-2786 as unexplained,
> and CVE-2008-2786 is about a buffer overflow, which is not what the fixed
> crash seems to lead to, I'd say. This crash is:
> https://bugzilla.mozilla.org/show_bug.cgi?id=440473
> 
> Note that if that were really CVE-2008-2786, it would not be a public bug.
> 
> So it looks pretty much like both are fixed. If you don't agree, feel
> free to reopen.

I reopen this bug for now as there is not clear evidence 
about what CVE-2008-2786 is as long as the researcher who 
posted the hashes on full-disclosure comes up with the 
details. I'm not even sure if he informed the mozilla people 
about the vulnerability.

I suggest cloning this bug, assigning one to CVE-2008-2786 
and one to CVE-2008-2785, closing the latter one and tagging 
the first one with moreinfo.

What do you think?

Kind regards
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>:
Bug#488358; Package iceweasel.


Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>.


Message #27 received at 488358@bugs.debian.org:

From: Mike Hommey <mh@glandium.org>
To: Nico Golde <nion@debian.org>, 488358@bugs.debian.org
Subject: Re: Bug#488358: CVE-2008-2785 fixed in 3.0.1-1
Date: Wed, 16 Jul 2008 17:56:49 +0200

On Wed, Jul 16, 2008 at 05:22:59PM +0200, Nico Golde <nion@debian.org> wrote:
> Hi Mike,
> * Mike Hommey <mh@glandium.org> [2008-07-16 17:00]:
> > On Wed, Jul 16, 2008 at 04:14:48PM +0200, Nico Golde <nion@debian.org> wrote:
> > > note that CVE-2008-2785 has been fixed with the 3.0.1-1 
> > > upload referring to the upstream security advisory on
> > > http://www.mozilla.org/security/announce/2008/mfsa2008-34.html
> > 
> > Note that 3.0.1-1 was uploaded before the upstream security advisory
> > was released, so it doesn't refer to the MFSA or CVE numbers.
> 
> Yes sure.
> 
> > Also note that technically, these bugs affect the xulrunner-1.9 package,
> > not the iceweasel package. But iceweasel 3.0.1-1 depending on xulrunner-1.9
> > >> 1.9~rc2-5, and 1.9.0.1-1 being next after 1.9~rc2-5, this is roughly the
> > same (except for epiphany and friends, but the BTS is surely not the
> > best place to keep proper security fix versioning, security-tracker should
> > be)
> 
> Ok thanks, added xulrunner 1.9.0.1-1 to the list of fixed 
> packages at the security-tracker.
> 
> > > Unfortunately it is not yet clear whether CVE-2008-2786 is 
> > > the same issue or not.
> > 
> > There are two fixes in the diff between 3.0 and 3.0.1 that look like
> > overflow fixing, and that are very similar:
> > one in layout/style/nsCSSValue.h and one in
> > rdf/base/src/nsInMemoryDataSource.cpp.
> > 
> > Maybe each CVE refers to each of these.
> > 
> > There is also a crash bug that is fixed, but MFSA-2008-24 explicitly
> > talks about CVE-2008-2785, so this leaves only CVE-2008-2786 as unexplained,
> > and CVE-2008-2786 is about a buffer overflow, which is not what the fixed
> > crash seems to lead to, I'd say. This crash is:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=440473
> > 
> > Note that if that were really CVE-2008-2786, it would not be a public bug.
> > 
> > So it looks pretty much like both are fixed. If you don't agree, feel
> > free to reopen.
> 
> I reopen this bug for now as there is not clear evidence 
> about what CVE-2008-2786 is as long as the researcher who 
> posted the hashes on full-disclosure comes up with the 
> details. I'm not even sure if he informed the mozilla people 
> about the vulnerability.
> 
> I suggest cloning this bug, assigning one to CVE-2008-2786 
> and one to CVE-2008-2785, closing the latter one and tagging 
> the first one with moreinfo.
> 
> What do you think?

Go ahead. You may want to reassign to xulrunner-1.9 at the same time.
(and maybe clone for iceweasel and iceape in stable, and iceape in unstable,
1.1.11 will fix CVE-2008-2785)

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Eric Dorland <eric@debian.org>:
Bug#488358; Package iceweasel.


Acknowledgement sent to Steffen Joeris <steffen.joeris@skolelinux.de>:
Extra info received and forwarded to list. Copy sent to Eric Dorland <eric@debian.org>.


Message #32 received at 488358@bugs.debian.org:

From: Steffen Joeris <steffen.joeris@skolelinux.de>
To: control@bugs.debian.org
Cc: 488358@bugs.debian.org
Subject: do the magic for iceweasel sec bug
Date: Thu, 17 Jul 2008 20:02:27 +1000
clone 488358 -1 -2 -3 -4
reassign -1 xulrunner-1.9
reassign -2 xulrunner-1.9
reassign -3 iceape
reassign -4 iceape
retitle -1 CVE-2008-2786: Buffer overflow
retitle -2 CVE-2008-2785: Unspecified vulnerability
retitle -3 CVE-2008-2786: Buffer overflow
retitle -4 CVE-2008-2785: Unspecified vulnerability
tags -1 moreinfo
tags -3 moreinfo
close -2 3.0.1-1
thanks

Hope that was all and that I got it right :)

Cheers
Steffen

Bug 488358 cloned as bugs 491160, 491161, 491162, 491163. Request was from Steffen Joeris <steffen.joeris@skolelinux.de> to control@bugs.debian.org. (Thu, 17 Jul 2008 10:12:31 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Aug 2008 07:32:59 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:06:33 2019; Machine Name: buxtehude
