SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Browser)  >   Mozilla Firefox Vendors:   Mozilla.org
(Fedora Issues Fix) Mozilla Firefox Sidebar Panel Validation Flaw Lets Remote Users Execute Arbitrary Programs
SecurityTracker Alert ID:  1013534
SecurityTracker URL:  http://securitytracker.com/id/1013534
CVE Reference:   CVE-2005-0402
Date:  Mar 24 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.0.2
Description:   A vulnerability was reported in Mozilla Firefox in the sidebar panel feature. A remote user can execute arbitrary applications on the target user's system.

A remote user can create a specially crafted HTML page. If the target user bookmarks the page as a Firefox sidebar panel, the HTML can open a privileged page and inject JavaScript into that privileged page to execute arbitrary programs on the target user's system.

Kohei Yoshino discovered this vulnerability.

Impact:   A remote user can cause arbitrary programs to be executed on the target user's system when the target user bookmarks a malicious web page as a sidebar panel.
Solution:   Fedora has released a fix, available at:

http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

a461bc4e69e10779b3a46944f6b3fd23  SRPMS/firefox-1.0.2-1.3.1.src.rpm
1951b68e390da2f45177df9c016240a0  x86_64/firefox-1.0.2-1.3.1.x86_64.rpm
a81f4837b641ae78f3f6559cbf05715c  x86_64/debug/firefox-debuginfo-1.0.2-1.3.1.x86_64.rpm
9b19361c8a3dc98edaa07eb1043c11b3  i386/firefox-1.0.2-1.3.1.i386.rpm
a97e425d13c5abb994520829b16b8063  i386/debug/firefox-debuginfo-1.0.2-1.3.1.i386.rpm
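The solution section above lists MD5 checksums next to each package path. The script below is an added example, not code from SecurityTracker, Fedora or Mozilla: it reads a manifest in exactly that "<md5>  <relative path>" form and reports every file that is missing or does not match before anything is installed. It assumes GNU coreutils `md5sum` and that the downloaded files sit under the given directory at the paths the manifest names; the `self_check` function uses constructed dummy files and a constructed manifest, not the real RPMs.

```shell
#!/bin/sh
# Added example, not part of the SecurityTracker page or the Fedora notice.
# Checks downloaded update files against a "<md5>  <relative path>" manifest
# such as the checksum list in the update notification.
# Assumptions: GNU coreutils md5sum is available, and the files are stored
# under DOWNLOAD_DIR at the relative paths given in the manifest.

# verify_manifest MANIFEST_FILE DOWNLOAD_DIR
# Prints one OK / MISSING / MISMATCH line per manifest entry.
# Exit status 0 only if every listed file is present and its MD5 matches.
verify_manifest() {
    manifest="$1"
    dir="$2"
    status=0
    while read -r expected path; do
        # skip blank lines and comment lines
        case "$expected" in ''|'#'*) continue ;; esac
        file="$dir/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $expected, got $actual)"
            status=1
        fi
    done < "$manifest"
    return "$status"
}

# self_check: builds a constructed download tree (dummy files, not real RPMs)
# and confirms that a matching manifest passes while a tampered file and a
# missing file make verification fail. Returns 0 when both behaviours hold.
self_check() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/i386"
    # constructed content: md5("hello\n") = b1946ac92492d2347c6235b4d2611184
    printf 'hello\n'  > "$tmp/i386/good.rpm"
    printf 'hello!\n' > "$tmp/i386/tampered.rpm"   # constructed, one byte changed
    printf '%s  %s\n' b1946ac92492d2347c6235b4d2611184 i386/good.rpm > "$tmp/manifest.good"
    {
        printf '%s  %s\n' b1946ac92492d2347c6235b4d2611184 i386/tampered.rpm
        printf '%s  %s\n' d41d8cd98f00b204e9800998ecf8427e SRPMS/missing.src.rpm
    } > "$tmp/manifest.bad"
    verify_manifest "$tmp/manifest.good" "$tmp" >/dev/null || { rm -rf "$tmp"; return 1; }
    if verify_manifest "$tmp/manifest.bad" "$tmp" >/dev/null; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}

# Real use (not run here): save the checksum block from the notice to a file, then
#   verify_manifest fedora-2005-246.md5 /path/to/downloaded/updates
```

A matching MD5 only shows that the file is the one the notice describes; it says nothing about who published it. For authenticity, check the package signature with `rpm --checksig` against the distribution's signing key before installing (that step is outside this page).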

Vendor URL:  www.mozilla.org/security/announce/mfsa2005-31.html
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Red Hat Fedora)
Underlying OS Comments:  FC3

Message History:   This archive entry is a follow-up to the message listed below.
Mar 23 2005 Mozilla Firefox Sidebar Panel Validation Flaw Lets Remote Users Execute Arbitrary Programs



 Source Message Contents

Subject:  [SECURITY] Fedora Core 3 Update: firefox-1.0.2-1.3.1


---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-246
2005-03-23
---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : firefox
Version     : 1.0.2
Release     : 1.3.1
Summary     : Mozilla Firefox Web browser.
Description :
Mozilla Firefox is an open-source web browser, designed for standards
compliance, performance and portability.

---------------------------------------------------------------------
Update Information:


A buffer overflow bug was found in the way Firefox processes GIF images. 
It is possible for an attacker to create a specially crafted GIF image, 
which when viewed by a victim will execute arbitrary code as the victim. 
The Common Vulnerabilities and Exposures project (cve.mitre.org) has 
assigned the name CAN-2005-0399 to this issue.

A bug was found in the way Firefox processes XUL content. If a malicious
web page can trick a user into dragging an object, it is possible to 
load malicious XUL content. The Common Vulnerabilities and Exposures 
project (cve.mitre.org) has assigned the name CAN-2005-0401 to this issue.

A bug was found in the way Firefox bookmarks content to the sidebar. If 
a user can be tricked into bookmarking a malicious web page into the 
sidebar panel, that page could execute arbitrary programs. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the 
name CAN-2005-0402 to this issue.

Users of Firefox are advised to upgrade to this updated package which
contains Firefox version 1.0.2 and is not vulnerable to these issues.

Additionally, there was a bug found in the way Firefox rendered some 
fonts, notably the Tahoma font while italicized.  This issue has been 
filed as Bug 150041 (bugzilla.redhat.com).  This updated package 
contains a fix for this issue.


---------------------------------------------------------------------
* Wed Mar 23 2005 Christopher Aillon <caillon@redhat.com> 0:1.0.2-1.3.1

- Firefox 1.0.2
- Fix issues with italic rendering using certain fonts (e.g. Tahoma)
- Add upstream fix to reduce round trips to xserver during remote control
- Add upstream fix to call g_set_application_name


---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

a461bc4e69e10779b3a46944f6b3fd23  SRPMS/firefox-1.0.2-1.3.1.src.rpm
1951b68e390da2f45177df9c016240a0  x86_64/firefox-1.0.2-1.3.1.x86_64.rpm
a81f4837b641ae78f3f6559cbf05715c  x86_64/debug/firefox-debuginfo-1.0.2-1.3.1.x86_64.rpm
9b19361c8a3dc98edaa07eb1043c11b3  i386/firefox-1.0.2-1.3.1.i386.rpm
a97e425d13c5abb994520829b16b8063  i386/debug/firefox-debuginfo-1.0.2-1.3.1.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

--
fedora-announce-list mailing list
fedora-announce-list@redhat.com
http://www.redhat.com/mailman/listinfo/fedora-announce-list

Copyright 2019, SecurityGlobal.net LLC