CIAC INFORMATION BULLETIN

P-069: Sun - Multiple Mozilla Vulnerabilities

[Sun Alert ID: 57701]

December 17, 2004 00:00 GMT
[REVISED 14 Jan 2005]
[REVISED 27 Jan 2005]
[REVISED 15 Aug 2005]
[REVISED 17 Aug 2005]
[REVISED 13 Sep 2005]

PROBLEM: Sun has released a T-patch for 17 security issues in Mozilla, such as:
- buffer overflows
- integer overflows
- heap overflows
- frame injections
- redirect sequences
- caching flaws
- spoofing
- access to sensitive information
- execution of arbitrary code
PLATFORM: SPARC Platform
- Solaris 8
- Solaris 9

x86 Platform
- Solaris 8
- Solaris 9

Linux
- Sun Java Desktop System (JDS) 2003
- Sun Java Desktop System (JDS) Release 2 without the updated RPMs (patch-118492-02)

Note: Solaris 7 is not affected by these issues.

The described issues only occur with the following Mozilla versions:
- mozilla-1.4.1-221 or earlier
- mozilla-mail-1.4.1-223 or earlier

Red Hat Enterprise Linux AS, ES, WS (v. 2.1)
Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
Debian GNU/Linux 3.1 (sarge)
DAMAGE: Buffer overflows, arbitrary code execution, spoofing of trusted web site certificates, and various other issues.
SOLUTION: Apply the T-patch for Solaris 9, or the patch for the Sun Java Desktop System (JDS) Release 2. Sun's final resolution is pending completion.

VULNERABILITY
ASSESSMENT:
The risk is MEDIUM. This rating is based on the security issue of most concern: buffer overflows that could allow execution of arbitrary code as the user running the browser. There are several more issues that are fixed in the patch releases. Details can be found on the Sun Alert #57701.

LINKS:
  CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/p-069.shtml
  ORIGINAL BULLETIN: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57701-1&searchclause=security
  ADDITIONAL LINKS: Also see CIAC BULLETINS O-195, O-222, and P-001.
    Red Hat RHSA-2005:004-12
    https://rhn.redhat.com/errata/RHSA-2005-004.html
    Debian Security Advisory DSA-775
    http://www.debian.org/security/2005/dsa-775
    Debian Security Advisory DSA-777
    http://www.debian.org/security/2005/dsa-777
    Debian Security Advisory DSA-810
    http://www.debian.org/security/2005/dsa-810
  CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
    CAN-2004-0687, CAN-2004-0718, CAN-2004-0722, CAN-2004-0757, CAN-2004-0758,
    CAN-2004-0760, CAN-2004-0761, CAN-2004-0762, CAN-2004-0763, CAN-2004-0764,
    CAN-2004-0765

REVISION HISTORY:
01/14/2005 - added a link to Red Hat RHSA-2005:004-12 for Red Hat Enterprise
             Linux AS, ES, WS (v. 2.1) and Red Hat Linux Advanced Workstation
             2.1 for the Itanium Processor.
01/27/2005 - revised to reflect changes Sun has made to Sun Alert ID: 57701 in
             the State Section and Contributing Factors and Resolution sections
             of their bulletin.
08/15/2005 - added link to Debian Security Advisory DSA-775 that provides updated 
             packages for Debian GNU/Linux 3.1 (sarge). 
08/17/2005 - added link to Debian Security Advisory DSA-777 that provides updated 
             packages for Debian GNU/Linux 3.1 (sarge). 
09/13/2005 - added link to Debian Security Advisory DSA-810 that provides updated 
             packages for Debian GNU/Linux 3.1 (sarge).
[***** Start Sun Alert ID: 57701 *****]

Document Audience: PUBLIC 
Document ID: 57701 
Title: Document ID 57701 
Synopsis: Multiple Security Vulnerabilities in Mozilla  
Update Date: 2005-01-26

-----------------------------------------------------------------------------
Description 
Sun(sm) Alert Notification 
Sun Alert ID: 57701 
Synopsis: Multiple Security Vulnerabilities in Mozilla 
Category: Security 
Product: Solaris, Java Desktop System (JDS) 
BugIDs: 5090528, 5090529, 5090530, 5090583, 5091014, 5091109, 5091115, 
        5091116, 5091120, 5091123, 5091146, 5108583, 5108586, 5108587, 
        5108590, 5108591, 5108588 
Avoidance: Patch
State: Resolved 
Date Released: 14-Dec-2004, 23-Dec-2004 
Date Closed: 12-Jan-2005
Date Modified: 23-Dec-2004, 14-Jan-2005


1. Impact 
Multiple security vulnerabilities in Mozilla may result in one 
or more of the following issues: 

1. A buffer overflow exists that may allow a remote unprivileged user the 
ability to execute arbitrary code with the privileges of a local user when 
that local user has loaded a Portable Network Graphics (PNG) format image 
file supplied by an untrusted remote user. 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0687 

2. An integer overflow and a heap corruption exists in JavaScript that may 
allow an unprivileged user the ability to execute arbitrary code with the 
privileges of a local user running Mozilla. 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722 

3. A heap overflow exists that could allow a malicious POP3 server to send 
a carefully crafted response that may allow a remote unprivileged user the 
ability to execute arbitrary code with the privileges of a local user 
running Mozilla. 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0757 

4. Additional heap overflows and double frees exist that could allow a 
malicious POP3 server to send a carefully crafted response that may cause 
a Denial of Service (DOS) attack for the client or may allow a remote 
unprivileged user the ability to execute arbitrary code with the privileges 
of the local user running Mozilla. 

This issue is described in the following document: 

https://bugzilla.mozilla.org/show_bug.cgi?id=245066 

5. It may be possible to import an invalid CA certificate with a Domain 
Name the same as that of the built-in CA root certificates. This could 
cause a denial of service (DOS) to SSL pages. 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0758
 
6. By using a NULL character (%00) in an FTP URL, Mozilla can be confused 
into opening a resource as a different MIME type. This may allow an 
unprivileged user to gain the privileges of a local user running Mozilla. 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0760 

7. Mozilla may allow a malicious website to inject content into a frame. 
This flaw is also known as the "frame injection" vulnerability. 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0718 

8. Mozilla may allow a malicious webpage to use a redirect sequence to 
spoof the security lock icon thus causing the webpage to appear to be 
encrypted. 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0761
 
9. Mozilla may allow malicious websites to install arbitrary extensions 
by using interactive events to manipulate the "XP Install Security" dialog 
box. 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0762 

10. Mozilla contains a caching flaw which may allow malicious websites to 
spoof certificates of trusted websites via redirects and Javascript that 
uses the "onunload" method. 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0763
 
11. Mozilla contains a flaw that allows malicious websites to hijack the 
user interface via the "chrome" flag and XML User Interface Language (XUL) 
files. 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0764 

12. Mozilla may allow a malicious website to spoof Mozilla into thinking it 
was accessing a trusted host. This is due to a flaw in certificate 
verification, whereby the hostname checked is not the fully qualified 
domain name (FQDN). 

This issue is described in the following document: 

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0765 

13. Mozilla contains a flaw that could allow malicious javascript to obtain 
or modify sensitive information from secure sites by dragging links onto 
other frames or pages. 

This issue is described in the following document: 

https://bugzilla.mozilla.org/show_bug.cgi?id=250862 

14. An integer overflow exists that may allow a remote unprivileged user to 
execute arbitrary code with the privileges of a local user when that local 
user has loaded an extremely wide Bitmap (.bmp) format image file supplied 
by an untrusted user. 

This issue is described in the following document: 

https://bugzilla.mozilla.org/show_bug.cgi?id=255067 

15. Mozilla contains a flaw that could allow malicious javascript code to 
read and write sensitive data that the user might have copied into the 
clipboard. 

This issue is described in the following document: 

https://bugzilla.mozilla.org/show_bug.cgi?id=257523 

16. A heap overflow exists in the "send page" function that may allow a 
remote unprivileged user the ability to execute arbitrary code with the 
privileges of a local user when that user attempts to forward content to 
others. 

This issue is described in the following document: 

https://bugzilla.mozilla.org/show_bug.cgi?id=258005 

17. A buffer overflow exists when displaying VCards that may allow a remote 
unprivileged user the ability to execute arbitrary code with the privileges 
of a local user. 

This issue is described in the following document: 

https://bugzilla.mozilla.org/show_bug.cgi?id=257314 


2. Contributing Factors

These issues can occur on the following platforms: 

SPARC Platform 

Solaris 8 without patch 117765-02
Solaris 9 without patch 117767-02

x86 Platform 

Solaris 8 without patch 117766-02
Solaris 9 without patch 117768-02

Linux 

Sun Java Desktop System (JDS) 2003 
Sun Java Desktop System (JDS) Release 2 without the updated RPMs 
(patch-118492-02) 

Note: Solaris 7 is not affected by these issues. 

The described issues only occur with the following Mozilla versions: 

mozilla-1.4.1-221 or earlier 
mozilla-mail-1.4.1-223 or earlier 

To determine the version of Mozilla installed on a system, the following 
command can be used: 

    % /usr/sfw/bin/mozilla -version
      Mozilla 1.4, (Sun Java Desktop System; Solaris), build 2004041404

To determine the release of JDS for Linux installed on a system, the 
following command can be used: 

    % cat /etc/sun-release
    Sun Java Desktop System, Release 2 -build 10b (GA)
    Assembled 30 March 2004

To determine the version of Mozilla for Linux, run the following command 
on JDS: 

    % rpm -qf /usr/bin/mozilla /usr/lib/mozilla-1.4/components/libmsgnews.so
    mozilla-1.4.1-221
    mozilla-mail-1.4.1-223

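As an added check that is not part of the Sun alert, the following Python script applies the "or earlier" thresholds above to the output of the `rpm -qf` command on a JDS for Linux host. Its version comparison is a simplified rpmvercmp (assumption: the tilde and caret rules are not needed for these packages), and the sample outputs are constructed.

```python
import re

# Thresholds from Sun Alert 57701: these package versions "or earlier" are affected,
# stored as (version, release) as they appear in an rpm name-version-release string.
VULNERABLE_UP_TO = {"mozilla": ("1.4.1", "221"), "mozilla-mail": ("1.4.1", "223")}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")

def rpmvercmp(a, b):
    """Simplified rpm version comparison (assumption: the real rpmvercmp's tilde and
    caret rules are not needed for these packages). Segments compare in order:
    numeric as integers, alphabetic as strings, numeric newer than alphabetic,
    and a string with more segments is newer. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return -1 if int(x) < int(y) else 1
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vulnerable_packages(rpm_qf_output):
    """Return the `rpm -qf` output lines whose package is at or below its threshold."""
    hits = []
    for line in rpm_qf_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, version, release = line.rsplit("-", 2)  # name may itself contain '-'
        if name not in VULNERABLE_UP_TO:
            continue
        max_version, max_release = VULNERABLE_UP_TO[name]
        # As rpm does: the version field decides, the release field only breaks a tie.
        order = rpmvercmp(version, max_version) or rpmvercmp(release, max_release)
        if order <= 0:
            hits.append(line)
    return hits

# Constructed samples: the output quoted in the alert for an unpatched JDS host, and a
# hypothetical host on later releases.
SAMPLE_UNPATCHED = "mozilla-1.4.1-221\nmozilla-mail-1.4.1-223\n"
SAMPLE_PATCHED = "mozilla-1.4.1-230\nmozilla-mail-1.4.1-235\n"

if __name__ == "__main__":
    print(vulnerable_packages(SAMPLE_UNPATCHED))  # both lines listed
```
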
3. Symptoms

There are no predictable symptoms that would indicate the described issues 
have been exploited. 

Solution Summary 
 
4. Relief/Workaround

There is no workaround. Please see the "Resolution" section below.

5. Resolution

These issues are addressed in the following release: 

SPARC Platform

x86 Platform

Linux


To download and install the updated RPMs from the update servers select 
the following from the launch bar: 

    Launch >> Applications >> System Tools >> Online Update


For more information on obtaining updates see: 

http://wwws.sun.com/software/javadesktopsystem/faq.html#5q5 
http://wwws.sun.com/software/javadesktopsystem/faq.html#5q7 

A final resolution is pending completion for Sun Java Desktop System (JDS) 2003

Change History 23-Dec-2004:

14-Jan-2005:


This Sun Alert notification is being provided to you on an "AS IS" basis. 
This Sun Alert notification may contain information provided by third 
parties. The issues described in this Sun Alert notification may or may 
not impact your system(s). Sun makes no representations, warranties, or 
guarantees as to the information contained herein. ANY AND ALL WARRANTIES, 
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF 
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, 
ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT 
SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE 
TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification 
contains Sun proprietary and confidential information. It is being provided 
to you pursuant to the provisions of your agreement to purchase services 
from Sun, or, if you do not have such an agreement, the Sun.com Terms of 
Use. This Sun Alert notification may only be used for the purposes 
contemplated by these agreements. 

Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, 
Santa Clara, CA 95054 U.S.A. All rights reserved.

[***** End Sun Alert ID: 57701 *****]


CIAC wishes to acknowledge the contributions of Sun Microsystems for the information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788