Your message dated Mon, 12 Sep 2005 13:24:28 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Bug#327802: mozilla-firefox: Buffer overflow published on security-protocols.com
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 12 Sep 2005 10:07:40 +0000
From [EMAIL PROTECTED] Mon Sep 12 03:07:40 2005
Return-path: <[EMAIL PROTECTED]>
Received: from smtp-101-monday.nerim.net (kraid.nerim.net) [62.4.16.101] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EElDw-0006Ug-00; Mon, 12 Sep 2005 03:07:40 -0700
Received: from localhost (agurney.net1.nerim.net [62.212.118.80])
        by kraid.nerim.net (Postfix) with ESMTP id 02C6C40EFD;
        Mon, 12 Sep 2005 12:07:36 +0200 (CEST)
Received: from [192.168.74.106] (helo=merlin)
        by localhost with smtp (Exim 3.36 #1 (Debian))
        id 1EElDm-0000BT-00; Mon, 12 Sep 2005 12:07:30 +0200
Received: (nullmailer pid 27770 invoked by uid 1000);
        Fri, 09 Sep 2005 17:47:48 -0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Alexandre Fayolle <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: mozilla-firefox: Buffer overflow published on security-protocols.com
X-Mailer: reportbug 3.17
Date: Fri, 09 Sep 2005 19:47:48 +0200
X-Debbugs-Cc: [EMAIL PROTECTED],
        Debian Security Team <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-9.5 required=4.0 tests=BAYES_00,HAS_PACKAGE,
        HTML_MESSAGE,X_DEBBUGS_CC autolearn=ham 
        version=2.60-bugs.debian.org_2005_01_02

Package: mozilla-firefox
Version: 1.0.6-4
Severity: grave
Tags: security
Justification: user security hole

I've seen this reported in LWN today, and checked that mozilla-firefox
in sid is affected. It is quite possible that the version in sarge is
vulnerable too, but I have no machine running sarge to check.

The vulnerability is published at
http://www.security-protocols.com/advisory/sp-x17-advisory.txt :

Versions Affected:
Firefox Win32 1.0.6 and prior
Firefox Linux 1.0.6 and prior
Firefox 1.5 Beta 1 (Deer Park Alpha 2)

Overview:
A buffer overflow vulnerability exists within Firefox version 1.0.6 and
all other prior versions which allows for an attacker to remotely execute
arbitrary code on an affected host.

Technical Details:
The problem seems to be when a hostname which has all dashes causes the
NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true,
but it sets encHost to an empty string.  Meaning, Firefox appends 0 to
approxLen and then appends the long string of dashes to the buffer
instead.  The following HTML code will reproduce this issue:

<A HREF=https:--------------------------------------------- >


The page http://www.security-protocols.com/firefox-death.html contains
such a URL and freezes Firefox on my machine.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages mozilla-firefox depends on:
ii  debianutils               2.14.3         Miscellaneous utilities specific t
ii  fontconfig                2.3.2-1        generic font configuration library
ii  libatk1.0-0               1.10.1-2       The ATK accessibility toolkit
ii  libc6                     2.3.5-6        GNU C Library: Shared libraries an
ii  libfontconfig1            2.3.2-1        generic font configuration library
ii  libfreetype6              2.1.10-1       FreeType 2 font engine, shared lib
ii  libgcc1                   1:4.0.1-6      GCC support library
ii  libglib2.0-0              2.8.0-1        The GLib library of C routines
ii  libgtk2.0-0               2.6.10-1       The GTK+ graphical user interface 
ii  libidl0                   0.8.5-1        library for parsing CORBA IDL file
ii  libjpeg62                 6b-10          The Independent JPEG Group's JPEG 
ii  libkrb53                  1.3.6-5        MIT Kerberos runtime libraries
ii  libpango1.0-0             1.8.2-1        Layout and rendering of internatio
ii  libpng12-0                1.2.8rel-1     PNG library - runtime
ii  libstdc++6                4.0.1-6        The GNU Standard C++ Library v3
ii  libx11-6                  6.8.2.dfsg.1-6 X Window System protocol client li
ii  libxext6                  6.8.2.dfsg.1-6 X Window System miscellaneous exte
ii  libxft2                   2.1.7-1        FreeType-based font drawing librar
ii  libxinerama1              6.8.2.dfsg.1-6 X Window System multi-head display
ii  libxp6                    6.8.2.dfsg.1-6 X Window System printing extension
ii  libxt6                    6.8.2.dfsg.1-6 X Toolkit Intrinsics
ii  psmisc                    21.6-1         Utilities that use the proc filesy
ii  xlibs                     6.8.2.dfsg.1-6 X Window System client libraries m
ii  zlib1g                    1:1.2.3-4      compression library - runtime

mozilla-firefox recommends no packages.

-- no debconf information

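The advisory quoted in the report describes a two-phase builder that first estimates the size of the spec buffer (approxLen) from the normalized host and then copies the original, un-normalized host into it, so the two phases disagree whenever NormalizeIDN reports success but hands back an empty encHost. The following C program is an added example written for this page, not Mozilla's code and not part of the bug report: it models that length-accounting mismatch with the constructed host from the HREF above and puts the generic remedy (measure the exact string that will be copied) beside the vulnerable estimate. The names normalize_idn, host_to_copy, approx_len_vulnerable, approx_len_hardened, bytes_needed and build_spec are this example's own, the all-dash quirk is modelled rather than taken from Mozilla's source, and the copy is bounds-checked so the overrun is reported instead of corrupting the heap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a two-phase spec builder: phase 1 estimates the buffer size
 * (the advisory's approxLen), phase 2 copies pieces into a buffer of
 * that size.  All function names here are this example's own. */

enum { HOST_MAX = 256 };

/* Stand-in for NormalizeIDN.  Reports success for any non-empty ASCII
 * host, but for a label made only of dashes leaves enc empty, which is
 * the behaviour the advisory attributes to the real call (modelled). */
static bool normalize_idn(const char *host, char *enc, size_t enc_cap)
{
    size_t n = strlen(host);
    if (n == 0 || n + 1 > enc_cap)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (host[i] != '-') {
            memcpy(enc, host, n + 1);   /* plain ASCII passes through */
            return true;
        }
    }
    enc[0] = '\0';                      /* all dashes: "handled" but empty */
    return true;
}

/* What phase 2 copies: the encoded host when there is one, otherwise
 * the original host (here, the dashes). */
static const char *host_to_copy(const char *host, const char *enc, bool ok)
{
    return (ok && enc[0] != '\0') ? enc : host;
}

/* Vulnerable phase 1: budgets strlen(encHost), which is 0 for the
 * all-dash host, without looking at what phase 2 will actually copy. */
size_t approx_len_vulnerable(const char *scheme, const char *host)
{
    char enc[HOST_MAX];
    bool ok = normalize_idn(host, enc, sizeof enc);
    size_t len = strlen(scheme) + 3;            /* "scheme://" */
    len += ok ? strlen(enc) : strlen(host);     /* adds 0 for "------" */
    return len;
}

/* Bytes phase 2 writes (no NUL), measured on the exact string it copies. */
size_t bytes_needed(const char *scheme, const char *host)
{
    char enc[HOST_MAX];
    bool ok = normalize_idn(host, enc, sizeof enc);
    return strlen(scheme) + 3 + strlen(host_to_copy(host, enc, ok));
}

/* Hardened phase 1: reuse the phase 2 measurement so the budget and the
 * copy cannot disagree, whatever normalization hands back. */
size_t approx_len_hardened(const char *scheme, const char *host)
{
    return bytes_needed(scheme, host);
}

/* Phase 2.  Real code would copy straight into approxLen + 1 bytes; the
 * check here makes the example report the overrun instead of writing
 * past the allocation.  Returns a malloc'd spec (caller frees) or NULL. */
char *build_spec(const char *scheme, const char *host, bool hardened)
{
    size_t budget = 1 + (hardened ? approx_len_hardened(scheme, host)
                                  : approx_len_vulnerable(scheme, host));
    size_t need = 1 + bytes_needed(scheme, host);
    if (need > budget) {
        fprintf(stderr, "refused: %zu bytes into a %zu-byte buffer\n", need, budget);
        return NULL;
    }
    char *spec = malloc(budget);
    if (spec == NULL)
        return NULL;
    char enc[HOST_MAX];
    bool ok = normalize_idn(host, enc, sizeof enc);
    snprintf(spec, budget, "%s://%s", scheme, host_to_copy(host, enc, ok));
    return spec;
}

/* Builds, compares with expect, frees; returns 1 on match, 0 otherwise. */
int build_spec_equals(const char *scheme, const char *host, bool hardened,
                      const char *expect)
{
    char *spec = build_spec(scheme, host, hardened);
    int same = spec != NULL && strcmp(spec, expect) == 0;
    free(spec);
    return same;
}

int main(void)
{
    /* Constructed host of the same shape as the advisory's HREF. */
    const char *dashes = "---------------------------------------------";
    printf("vulnerable: budget %zu, needed %zu\n",
           approx_len_vulnerable("https", dashes), bytes_needed("https", dashes));
    char *s = build_spec("https", dashes, false);
    printf("vulnerable build: %s\n", s ? s : "refused");
    free(s);
    s = build_spec("https", dashes, true);
    printf("hardened build:   %s\n", s ? s : "refused");
    free(s);
    return 0;
}
```

For an ordinary host the two estimates agree, which is why the bug survived normal use; only an input that makes normalization succeed with an empty result opens the gap between the budget and the copy. The hardened variant closes it structurally rather than by special-casing dashes: whatever normalize_idn returns, the buffer is sized from the same pointer the copy reads from.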
---------------------------------------
Received: (at 327802-done) by bugs.debian.org; 12 Sep 2005 11:25:11 +0000
From [EMAIL PROTECTED] Mon Sep 12 04:25:11 2005
Return-path: <[EMAIL PROTECTED]>
Received: from aputeaux-153-1-59-39.w82-124.abo.wanadoo.fr 
(namakemono.glandium.org) [82.124.13.39] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EEmQw-0004IQ-00; Mon, 12 Sep 2005 04:25:11 -0700
Received: from mh by namakemono.glandium.org with local (Exim 4.52)
        id 1EEmQG-0007Cy-Vl; Mon, 12 Sep 2005 13:24:28 +0200
Date: Mon, 12 Sep 2005 13:24:28 +0200
From: Mike Hommey <[EMAIL PROTECTED]>
To: Alexandre Fayolle <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Subject: Re: Bug#327802: mozilla-firefox: Buffer overflow published on security-protocols.com
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
X-GPG-Fingerprint: A479 A824 265C B2A5 FC54  8D1E DE4B DA2C 54FD 2A58
Organization: glandium.org
User-Agent: Mutt/1.5.10i
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-4.5 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER,
        HTML_MESSAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02

Version: 1.0.6-5
Version: 1.4.99+1.5beta1-2

Please do not file duplicates. This is the same as #327452, and has
already been taken care of.

Mike

