Package: mozilla-firefox
Version: 1.0.6-4
Severity: grave
Tags: security
Justification: user security hole
I've seen this reported in LWN today, and checked that mozilla-firefox in sid is affected. It is quite possible that the version in sarge is vulnerable too, but I have no machine running sarge to check.

The vulnerability is published at http://www.security-protocols.com/advisory/sp-x17-advisory.txt :

    Versions Affected:
      Firefox Win32 1.0.6 and prior
      Firefox Linux 1.0.6 and prior
      Firefox 1.5 Beta 1 (Deer Park Alpha 2)

    Overview:
      A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows an attacker to remotely execute arbitrary code on an affected host.

    Technical Details:
      The problem seems to be that a hostname which is all dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but it sets encHost to an empty string. Meaning, Firefox appends 0 to approxLen and then appends the long string of dashes to the buffer instead.

      The following HTML code will reproduce this issue:

        <A HREF=https:--------------------------------------------- >

The page http://www.security-protocols.com/firefox-death.html contains such a url and freezes firefox on my machine.
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12-1-686
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages mozilla-firefox depends on:
ii  debianutils    2.14.3          Miscellaneous utilities specific t
ii  fontconfig     2.3.2-1         generic font configuration library
ii  libatk1.0-0    1.10.1-2        The ATK accessibility toolkit
ii  libc6          2.3.5-6         GNU C Library: Shared libraries an
ii  libfontconfig1 2.3.2-1         generic font configuration library
ii  libfreetype6   2.1.10-1        FreeType 2 font engine, shared lib
ii  libgcc1        1:4.0.1-6       GCC support library
ii  libglib2.0-0   2.8.0-1         The GLib library of C routines
ii  libgtk2.0-0    2.6.10-1        The GTK+ graphical user interface
ii  libidl0        0.8.5-1         library for parsing CORBA IDL file
ii  libjpeg62      6b-10           The Independent JPEG Group's JPEG
ii  libkrb53       1.3.6-5         MIT Kerberos runtime libraries
ii  libpango1.0-0  1.8.2-1         Layout and rendering of internatio
ii  libpng12-0     1.2.8rel-1      PNG library - runtime
ii  libstdc++6     4.0.1-6         The GNU Standard C++ Library v3
ii  libx11-6       6.8.2.dfsg.1-6  X Window System protocol client li
ii  libxext6       6.8.2.dfsg.1-6  X Window System miscellaneous exte
ii  libxft2        2.1.7-1         FreeType-based font drawing librar
ii  libxinerama1   6.8.2.dfsg.1-6  X Window System multi-head display
ii  libxp6         6.8.2.dfsg.1-6  X Window System printing extension
ii  libxt6         6.8.2.dfsg.1-6  X Toolkit Intrinsics
ii  psmisc         21.6-1          Utilities that use the proc filesy
ii  xlibs          6.8.2.dfsg.1-6  X Window System client libraries m
ii  zlib1g         1:1.2.3-4       compression library - runtime

mozilla-firefox recommends no packages.

-- no debconf information
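The length-accounting mismatch the advisory describes (approxLen sized from an empty encHost while the raw all-dash host is what actually gets appended) is modelled below in C. This is an added illustration, not Mozilla's nsStandardURL code: normalize_idn_model, approx_len_buggy, approx_len_fixed, undercount_for_host and build_spec are hypothetical names, and the "scheme:host" spec layout is a simplification of the real URL builder. It shows why the buggy estimate under-counts by exactly the length of the dash run, and how sizing the buffer from the string that is really appended, plus a bounds check in the writer, closes the hole.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for NormalizeIDN (modelled, not Mozilla's code).
 * A host made only of '-' is reported as successfully normalized (returns
 * true) but yields an empty encoded host, which is the failure mode the
 * advisory describes. Any other host is copied through unchanged. */
static bool normalize_idn_model(const char *host, char *enc, size_t encsz)
{
    size_t n = strlen(host);
    bool all_dashes = (n > 0);
    for (size_t i = 0; i < n && all_dashes; i++)
        if (host[i] != '-')
            all_dashes = false;
    if (all_dashes) {
        enc[0] = '\0';          /* "success", but nothing was encoded */
        return true;
    }
    if (n + 1 > encsz)
        return false;
    memcpy(enc, host, n + 1);
    return true;
}

/* Buggy estimate: sizes scheme + ':' + encHost, so an empty encHost
 * contributes 0 bytes even though the raw host will be appended later. */
static size_t approx_len_buggy(const char *scheme, const char *enc_host)
{
    return strlen(scheme) + 1 + strlen(enc_host);
}

/* Fixed estimate: count the string that will actually be appended. */
static size_t approx_len_fixed(const char *scheme, const char *host,
                               const char *enc_host)
{
    const char *h = enc_host[0] ? enc_host : host;
    return strlen(scheme) + 1 + strlen(h);
}

/* What the spec builder really writes for scheme + ':' + host part:
 * the encoded host if present, otherwise the raw host. */
static size_t bytes_actually_written(const char *scheme, const char *host,
                                     const char *enc_host)
{
    const char *h = enc_host[0] ? enc_host : host;
    return strlen(scheme) + 1 + strlen(h);
}

/* Bytes by which the buggy estimate under-counts for this host
 * (0 means the pre-sized buffer would have been large enough). */
size_t undercount_for_host(const char *scheme, const char *host)
{
    char enc[256];
    if (!normalize_idn_model(host, enc, sizeof enc))
        return 0;               /* normalization failed: no fallback append */
    size_t est = approx_len_buggy(scheme, enc);
    size_t act = bytes_actually_written(scheme, host, enc);
    return act > est ? act - est : 0;
}

/* Same comparison using the corrected estimate; always 0. */
size_t undercount_fixed(const char *scheme, const char *host)
{
    char enc[256];
    if (!normalize_idn_model(host, enc, sizeof enc))
        return 0;
    size_t est = approx_len_fixed(scheme, host, enc);
    size_t act = bytes_actually_written(scheme, host, enc);
    return act > est ? act - est : 0;
}

/* Hardened builder: sizes from the fixed estimate and refuses to write past
 * the caller's buffer. Returns bytes written (excluding the NUL) or
 * (size_t)-1 when the buffer is too small or normalization fails. */
size_t build_spec(char *out, size_t outsz, const char *scheme, const char *host)
{
    char enc[256];
    if (!normalize_idn_model(host, enc, sizeof enc))
        return (size_t)-1;
    size_t need = approx_len_fixed(scheme, host, enc) + 1;  /* + NUL */
    if (need > outsz)
        return (size_t)-1;
    const char *h = enc[0] ? enc : host;
    int n = snprintf(out, outsz, "%s:%s", scheme, h);
    return n < 0 ? (size_t)-1 : (size_t)n;
}

int main(void)
{
    /* Constructed input mirroring the advisory's all-dash href. */
    const char *dashes = "--------------------";   /* 20 dashes */
    printf("buggy estimate short by %zu bytes\n",
           undercount_for_host("https", dashes));
    printf("fixed estimate short by %zu bytes\n",
           undercount_fixed("https", dashes));
    return 0;
}
```

The under-count equals the length of the dash run, so a long enough href controls how far past the pre-sized buffer the builder writes; the fix is to compute the size from the same pointer the append uses, and to have the writer check its bound rather than trust the estimate.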