Your message dated Mon, 12 Sep 2005 13:24:28 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#327802: mozilla-firefox: Buffer overflow published on security-protocols.com
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Sep 2005 10:07:40 +0000
From: Alexandre Fayolle <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: mozilla-firefox: Buffer overflow published on security-protocols.com
X-Mailer: reportbug 3.17
Date: Fri, 09 Sep 2005 19:47:48 +0200
X-Debbugs-Cc: [EMAIL PROTECTED], Debian Security Team <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>

Package: mozilla-firefox
Version: 1.0.6-4
Severity: grave
Tags: security
Justification: user security hole

I've seen this reported in LWN today, and checked that mozilla-firefox
in sid is affected. It is quite possible that the version in sarge is
vulnerable too, but I have no machine running sarge to check.

The vulnerability is published at
http://www.security-protocols.com/advisory/sp-x17-advisory.txt :

Versions Affected:
Firefox Win32 1.0.6 and prior
Firefox Linux 1.0.6 and prior
Firefox 1.5 Beta 1 (Deer Park Alpha 2)

Overview:
A buffer overflow vulnerability exists within Firefox version 1.0.6 and
all other prior versions which allows for an attacker to remotely execute
arbitrary code on an affected host.

Technical Details:
The problem seems to be when a hostname which has all dashes causes the
NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true,
but it sets encHost to an empty string. Meaning, Firefox appends 0 to
approxLen and then appends the long string of dashes to the buffer
instead. The following HTML code will reproduce this issue:

<A HREF=https:--------------------------------------------- >

The page http://www.security-protocols.com/firefox-death.html contains
such a url and freezes firefox on my machine.
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages mozilla-firefox depends on:
ii  debianutils     2.14.3          Miscellaneous utilities specific t
ii  fontconfig      2.3.2-1         generic font configuration library
ii  libatk1.0-0     1.10.1-2        The ATK accessibility toolkit
ii  libc6           2.3.5-6         GNU C Library: Shared libraries an
ii  libfontconfig1  2.3.2-1         generic font configuration library
ii  libfreetype6    2.1.10-1        FreeType 2 font engine, shared lib
ii  libgcc1         1:4.0.1-6       GCC support library
ii  libglib2.0-0    2.8.0-1         The GLib library of C routines
ii  libgtk2.0-0     2.6.10-1        The GTK+ graphical user interface
ii  libidl0         0.8.5-1         library for parsing CORBA IDL file
ii  libjpeg62       6b-10           The Independent JPEG Group's JPEG
ii  libkrb53        1.3.6-5         MIT Kerberos runtime libraries
ii  libpango1.0-0   1.8.2-1         Layout and rendering of internatio
ii  libpng12-0      1.2.8rel-1      PNG library - runtime
ii  libstdc++6      4.0.1-6         The GNU Standard C++ Library v3
ii  libx11-6        6.8.2.dfsg.1-6  X Window System protocol client li
ii  libxext6        6.8.2.dfsg.1-6  X Window System miscellaneous exte
ii  libxft2         2.1.7-1         FreeType-based font drawing librar
ii  libxinerama1    6.8.2.dfsg.1-6  X Window System multi-head display
ii  libxp6          6.8.2.dfsg.1-6  X Window System printing extension
ii  libxt6          6.8.2.dfsg.1-6  X Toolkit Intrinsics
ii  psmisc          21.6-1          Utilities that use the proc filesy
ii  xlibs           6.8.2.dfsg.1-6  X Window System client libraries m
ii  zlib1g          1:1.2.3-4       compression library - runtime

mozilla-firefox recommends no packages.
-- no debconf information

---------------------------------------
Received: (at 327802-done) by bugs.debian.org; 12 Sep 2005 11:25:11 +0000
Date: Mon, 12 Sep 2005 13:24:28 +0200
From: Mike Hommey <[EMAIL PROTECTED]>
To: Alexandre Fayolle <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#327802: mozilla-firefox: Buffer overflow published on security-protocols.com
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>
X-GPG-Fingerprint: A479 A824 265C B2A5 FC54 8D1E DE4B DA2C 54FD 2A58
Organization: glandium.org
User-Agent: Mutt/1.5.10i

Version: 1.0.6-5
Version: 1.4.99+1.5beta1-2

Please do not file duplicates. This is the same as #327452, and has
already been taken care of.

Mike

On Fri, Sep 09, 2005 at 07:47:48PM +0200, Alexandre Fayolle <[EMAIL PROTECTED]> wrote:
> Package: mozilla-firefox
> Version: 1.0.6-4
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> I've seen this reported in LWN today, and checked that mozilla-firefox
> in sid is affected. It is quite possible that the version in sarge is
> vulnerable too, but I have no machine running sarge to check.
> 
> The vulnerability is published at
> http://www.security-protocols.com/advisory/sp-x17-advisory.txt :
> 
> Versions Affected:
> Firefox Win32 1.0.6 and prior
> Firefox Linux 1.0.6 and prior
> Firefox 1.5 Beta 1 (Deer Park Alpha 2)
> 
> Overview:
> A buffer overflow vulnerability exists within Firefox version 1.0.6 and
> all other prior versions which allows for an attacker to remotely execute
> arbitrary code on an affected host.
> 
> Technical Details:
> The problem seems to be when a hostname which has all dashes causes the
> NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true,
> but it sets encHost to an empty string. Meaning, Firefox appends 0 to
> approxLen and then appends the long string of dashes to the buffer
> instead. The following HTML code will reproduce this issue:
> 
> <A HREF=https:--------------------------------------------- >
> 
> The page http://www.security-protocols.com/firefox-death.html contains
> such a url and freezes firefox on my machine.
> 
> -- System Information:
> Debian Release: testing/unstable
>   APT prefers unstable
>   APT policy: (500, 'unstable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.12-1-686
> Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
> 
> Versions of packages mozilla-firefox depends on:
> ii  debianutils     2.14.3          Miscellaneous utilities specific t
> ii  fontconfig      2.3.2-1         generic font configuration library
> ii  libatk1.0-0     1.10.1-2        The ATK accessibility toolkit
> ii  libc6           2.3.5-6         GNU C Library: Shared libraries an
> ii  libfontconfig1  2.3.2-1         generic font configuration library
> ii  libfreetype6    2.1.10-1        FreeType 2 font engine, shared lib
> ii  libgcc1         1:4.0.1-6       GCC support library
> ii  libglib2.0-0    2.8.0-1         The GLib library of C routines
> ii  libgtk2.0-0     2.6.10-1        The GTK+ graphical user interface
> ii  libidl0         0.8.5-1         library for parsing CORBA IDL file
> ii  libjpeg62       6b-10           The Independent JPEG Group's JPEG
> ii  libkrb53        1.3.6-5         MIT Kerberos runtime libraries
> ii  libpango1.0-0   1.8.2-1         Layout and rendering of internatio
> ii  libpng12-0      1.2.8rel-1      PNG library - runtime
> ii  libstdc++6      4.0.1-6         The GNU Standard C++ Library v3
> ii  libx11-6        6.8.2.dfsg.1-6  X Window System protocol client li
> ii  libxext6        6.8.2.dfsg.1-6  X Window System miscellaneous exte
> ii  libxft2         2.1.7-1         FreeType-based font drawing librar
> ii  libxinerama1    6.8.2.dfsg.1-6  X Window System multi-head display
> ii  libxp6          6.8.2.dfsg.1-6  X Window System printing extension
> ii  libxt6          6.8.2.dfsg.1-6  X Toolkit Intrinsics
> ii  psmisc          21.6-1          Utilities that use the proc filesy
> ii  xlibs           6.8.2.dfsg.1-6  X Window System client libraries m
> ii  zlib1g          1:1.2.3-4       compression library - runtime
> 
> mozilla-firefox recommends no packages.
> 
> -- no debconf information
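The length-accounting mistake the advisory's Technical Details describe (approxLen grown by the length of an empty encHost while the raw run of dashes is what gets appended), shown in an added C model that is not Mozilla's code: normalize_idn, build_spec and estimate_shortfall are constructed names, and the path that sizes the buffer the wrong way refuses to write rather than overflowing, so the shortfall can be measured and asserted on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for the NormalizeIDN step as the advisory describes it: for a
 * host made only of '-' it reports success but yields an empty encoded host.
 * Constructed model for this example, not Mozilla's implementation. */
static int normalize_idn(const char *host, char *enc, size_t enc_len) {
    if (strspn(host, "-") == strlen(host)) { enc[0] = '\0'; return 1; }
    snprintf(enc, enc_len, "%s", host);
    return 1;
}

/* Assembles "<scheme>://<host>". With size_from_copied == 0 the buffer is
 * sized from encHost (the accounting the advisory blames); with 1 it is sized
 * from the string that actually gets copied. Returns NULL when the estimate is
 * too small, instead of writing past the allocation. Caller frees the result. */
char *build_spec(const char *scheme, const char *host, int size_from_copied) {
    char enc[256];
    if (!normalize_idn(host, enc, sizeof enc)) return NULL;
    const char *copied = enc[0] ? enc : host;  /* empty encHost: raw host is appended */
    size_t approx_len = strlen(scheme) + 3 + strlen(size_from_copied ? copied : enc);
    size_t needed = strlen(scheme) + 3 + strlen(copied);
    if (needed > approx_len) return NULL;      /* would overflow a buffer of approx_len + 1 */
    char *buf = malloc(approx_len + 1);
    if (!buf) return NULL;
    snprintf(buf, approx_len + 1, "%s://%s", scheme, copied);
    return buf;
}

/* Bytes the encHost-based estimate fails to reserve for a given host. */
size_t estimate_shortfall(const char *host) {
    char enc[256];
    normalize_idn(host, enc, sizeof enc);
    return strlen(enc[0] ? enc : host) - strlen(enc);
}

int main(void) {
    const char *dashes = "---------------------------------------------";  /* host from the repro */
    printf("shortfall for the all-dash host: %zu bytes\n", estimate_shortfall(dashes));
    char *bad = build_spec("https", dashes, 0);
    char *ok = build_spec("https", dashes, 1);
    printf("sized from encHost: %s\nsized from copied string: %s\n",
           bad ? bad : "(refused: estimate too small)", ok ? ok : "(refused)");
    free(bad); free(ok);
    return 0;
}
```

The fix the model illustrates is the general one for this bug class: size the destination from the bytes you are about to copy, never from a related value that may legitimately be shorter.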