------------------------------------------------------------
Arch Linux Security Warning ALSW 2007-#3
------------------------------------------------------------
Name: firefox
Date: 2007-02-11
Severity: High
Warning #: 2007-#3
------------------------------------------------------------

Product Background
===================
Standalone web browser.

Problem Background
===================
The (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earlier, and the (2) Passcard Manager in Netscape 8.1.2 and possibly other versions, do not properly verify that the ACTION URL of a FORM element containing a password INPUT element matches the web site for which the user stored a password. This allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site for which the password was stored.

Problem Packages
===================
------------------------------------------------------------------
Package | Repo    | Group   | Unsafe       | Safe
------------------------------------------------------------------
firefox | current | network | <= 2.0.0.1-2 | Only patched

Fix
===================
Apply this patch before recompiling firefox:
http://jjdanimoth.altervista.org/arch/security/passwordmanager.patch
md5sum: 331a8c57c97d12f5e4dbe62927de7320

Under http://jjdanimoth.altervista.org/arch/index.php?dir=security/ I have uploaded a PKGBUILD (and related patches) upgraded to patch firefox automatically. While waiting for the official upgrade (version 2.0.0.2), we can use this version. (Without any guarantees, and note that it ISN'T an official package.)

I found the patch passwordmanager.patch on Mozilla's bugtraq (it's a diff from the CVS version of firefox). I simply modified the header. (See References.)

With this patch, this test http://people.mozilla.com/~mconnor/testcases/password_manager/setup2.html returns "Passed" for me. Without the patch, this test returns Failed PW5 PW6.

I can't test this patch with http://people.mozilla.com/~mconnor/testcases/password_manager/setup1.html

Please write down your feedback on this. Thank you.
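The check the advisory describes, as an added illustration (not Mozilla's code and not the patch linked above): a stored login is tied both to the page origin it was saved on and to the origin its login form posted to, and autofill is refused when either does not match. The entry shape, field names and sample URLs are assumptions made for this example.

```javascript
// Added example: the verification missing in the affected password
// managers, modelled after the advisory's description rather than the
// actual Mozilla patch. A login is stored with the origin of the page it
// was saved on and the origin of the form ACTION it was submitted to.

// Constructed sample entry, as a password manager might have saved it
// when the user logged in through the site's real login form.
const storedLogin = {
  siteOrigin: "https://example.test",
  actionOrigin: "https://example.test", // where the login form posted
  username: "alice",
};

// Origin (scheme://host[:port]) of a URL, or null if it cannot be parsed.
// A form ACTION may be relative, so it is resolved against the document
// URL, as the browser would do on submit.
function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch (e) {
    return null;
  }
}

// Decide whether `entry` may be filled into a form found on `documentUrl`
// whose ACTION attribute is `formAction` (empty/null means the form posts
// back to the document itself).
function shouldAutofill(entry, documentUrl, formAction) {
  const pageOrigin = originOf(documentUrl);
  const actionOrigin = originOf(formAction ? formAction : documentUrl, documentUrl);
  if (pageOrigin === null || actionOrigin === null) return false;
  // The vulnerable managers stopped here: page origin matches the site,
  // so any form on any page of that site was filled, even one whose
  // ACTION pointed at a foreign host.
  if (pageOrigin !== entry.siteOrigin) return false;
  // The fix: the resolved ACTION origin must also match the stored target.
  return actionOrigin === entry.actionOrigin;
}

// Demo: the site's own login form is filled; a form on another page of
// the same site whose ACTION points off-site is refused.
console.log(shouldAutofill(storedLogin, "https://example.test/login", "/session"));
console.log(shouldAutofill(storedLogin, "https://example.test/profile", "https://evil.test/collect"));
```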
Reference(s)
===================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6077
https://bugzilla.mozilla.org/show_bug.cgi?id=360493

Contact
===================
JJDaNiMoTh (jjdanimoth AT gmail DOT com)

_______________________________________________
arch mailing list
arch@archlinux.org
http://www.archlinux.org/mailman/listinfo/arch