CVE-2005-0255
CVSS 5.0
Published: 2005-05-02 00:00:00
Revised: 2011-03-07 21:19:44

[Original] String handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbird before 1.0.2, such as the nsTSubstring_CharT::Replace function, do not properly check the return values of other functions that resize the string, which allows remote attackers to cause a denial of service and possibly execute arbitrary code by forcing an out-of-memory state that causes a reallocation to fail and return a pointer to a fixed address, which leads to heap corruption.


[CNNVD] Mozilla Firefox and Mozilla Browser String Handling Heap Corruption Vulnerability (CNNVD-200505-034)

Mozilla is an open-source web browser.
A vulnerability exists in the implementation of Mozilla 1.7.3 and Firefox 1.0; remote exploitation may allow an attacker to cause heap corruption, resulting in the execution of arbitrary code.
The vulnerability exists in string handling functions (such as nsCSubstring::Append) that rely on functions in the file mozilla/xpcom/string/src/nsTSubstring.cpp. Certain functions (such as nsTSubstring_CharT::Replace()) fail to check the return value of the functions that resize the string.
xpcom/string/src/nsTSubstring.cpp:
[1] size_type length = tuple.Length();
    cutStart = PR_MIN(cutStart, Length());
[2] ReplacePrep(cutStart, cutLength, length);
[3] if (length > 0)
      tuple.WriteTo(mData + cutStart, length);
At [1], length is set to the length of the string to be copied and is passed to ReplacePrep() at [2]. If the reallocation performed by this function fails, mData is set to a fixed address:
    mData = NS_CONST_CAST(char_type*, char_traits::sEmptyBuffer);
    mLength = 0;
The value of sEmptyBuffer is set in xpcom/string/src/nsSubstring.cpp:
static const PRUnichar gNullChar = 0;
const char* nsCharTraits<char>::sEmptyBuffer = (const char*) &gNullChar;
Because the return value is not checked, mData points to a known memory location if the function fails. By consuming memory until an out-of-memory condition occurs, and controlling the value of the string to be appended, it is possible at [3] to place arbitrary data at a known location, allowing the execution of arbitrary code.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

cpe:/a:mozilla:thunderbird:0.8  Mozilla Thunderbird 0.8
cpe:/a:mozilla:thunderbird:0.5  Mozilla Thunderbird 0.5
cpe:/a:mozilla:thunderbird:0.2  Mozilla Thunderbird 0.2
cpe:/a:mozilla:thunderbird:0.7  Mozilla Thunderbird 0.7
cpe:/a:mozilla:thunderbird:0.6  Mozilla Thunderbird 0.6
cpe:/a:mozilla:thunderbird:0.4  Mozilla Thunderbird 0.4
cpe:/a:mozilla:thunderbird:0.3  Mozilla Thunderbird 0.3
cpe:/a:mozilla:firefox:1.0  Mozilla Firefox 1.0
cpe:/a:mozilla:thunderbird:1.0  Mozilla Thunderbird 1.0
cpe:/a:mozilla:thunderbird:0.9  Mozilla Thunderbird 0.9
cpe:/a:mozilla:mozilla:1.7.3  Mozilla Mozilla 1.7.3
cpe:/a:mozilla:thunderbird:0.1  Mozilla Thunderbird 0.1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9111  The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determin...
oval:org.mitre.oval:def:100040  Mozilla String Library Memory Overwrite Vulnerability
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0255
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0255
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-034
(official data source) CNNVD

- Other links and resources

http://www.redhat.com/support/errata/RHSA-2005-337.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:337
http://www.redhat.com/support/errata/RHSA-2005-277.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:277
http://www.novell.com/linux/security/advisories/2005_16_mozilla_firefox.html
(VENDOR_ADVISORY)  SUSE  SUSE-SA:2005:016
http://www.idefense.com/application/poi/display?id=200&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050228 Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Error
http://www.gentoo.org/security/en/glsa/glsa-200503-30.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200503-30
http://www.gentoo.org/security/en/glsa/glsa-200503-10.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200503-10
http://www.novell.com/linux/security/advisories/2006_04_25.html
(UNKNOWN)  SUSE  SUSE-SA:2006:004
http://www.mozilla.org/security/announce/mfsa2005-18.html
(VENDOR_ADVISORY)  CONFIRM  http://www.mozilla.org/security/announce/mfsa2005-18.html
http://www.securityfocus.com/bid/12659
(UNKNOWN)  BID  12659
http://www.redhat.com/support/errata/RHSA-2005-176.html
(UNKNOWN)  REDHAT  RHSA-2005:176
http://secunia.com/advisories/19823
(UNKNOWN)  SECUNIA  19823

- Vulnerability information

Mozilla Firefox and Mozilla Browser String Handling Heap Corruption Vulnerability
Medium  Insufficient data
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

The vendor has released an upgrade patch to fix this security issue; it can be obtained from:
http://www.mozilla.org/security/announce/mfsa2005-18.html/

- Vulnerability information (F36810)

Gentoo Linux Security Advisory 200503-32 (PacketStormID:F36810)
2005-03-25 00:00:00
Gentoo  security.gentoo.org
advisory,remote,arbitrary
linux,gentoo
CVE-2005-0255,CVE-2005-0399,CVE-2005-0590,CVE-2005-0592

Gentoo Linux Security Advisory GLSA 200503-32 - Mozilla Thunderbird is vulnerable to multiple issues, including the remote execution of arbitrary code through malicious GIF images. Versions less than 1.0.2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200503-32
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Thunderbird: Multiple vulnerabilities
      Date: March 25, 2005
      Bugs: #84075
        ID: 200503-32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Mozilla Thunderbird is vulnerable to multiple issues, including the
remote execution of arbitrary code through malicious GIF images.

Background
==========

Mozilla Thunderbird is the next-generation mail client from the Mozilla
project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  mozilla-thunderbird           < 1.0.2                    >= 1.0.2
  2  mozilla-thunderbird-bin       < 1.0.2                    >= 1.0.2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

The following vulnerabilities were found and fixed in Mozilla
Thunderbird:

* Mark Dowd from ISS X-Force reported an exploitable heap overrun in
  the GIF processing of obsolete Netscape extension 2 (CAN-2005-0399)

* Daniel de Wildt and Gael Delalleau discovered a memory overwrite in
  a string library (CAN-2005-0255)

* Wind Li discovered a possible heap overflow in UTF8 to Unicode
  conversion (CAN-2005-0592)

* Phil Ringnalda reported a possible way to spoof Install source with
  user:pass@host (CAN-2005-0590)

Impact
======

The GIF heap overflow could be triggered by a malicious GIF image that
would end up executing arbitrary code with the rights of the user
running Thunderbird. The other overflow issues, while not thought to be
exploitable, would have the same impact. Furthermore, by setting up
malicious websites and convincing users to follow untrusted links,
attackers may leverage the spoofing issue to trick users into installing
malicious extensions.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.0.2"

All Mozilla Thunderbird binary users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.0.2"

References
==========

  [ 1 ] CAN-2005-0255
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0255
  [ 2 ] CAN-2005-0399
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0399
  [ 3 ] CAN-2005-0590
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0590
  [ 4 ] CAN-2005-0592
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0592
  [ 5 ] Mozilla Security Advisories
        http://www.mozilla.org/projects/security/known-vulnerabilities.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200503-32.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



- Vulnerability information (F36809)

Gentoo Linux Security Advisory 200503-30 (PacketStormID:F36809)
2005-03-25 00:00:00
Gentoo  security.gentoo.org
advisory,remote,web,arbitrary
linux,gentoo
CVE-2004-1156,CVE-2005-0230,CVE-2005-0231,CVE-2005-0232,CVE-2005-0233,CVE-2005-0255,CVE-2005-0399,CVE-2005-0401,CVE-2005-0527,CVE-2005-0578,CVE-2005-0584,CVE-2005-0585,CVE-2005-0588,CVE-2005-0590,CVE-2005-0591,CVE-2005-0592,CVE-2005-0593

Gentoo Linux Security Advisory GLSA 200503-30 - The Mozilla Suite is vulnerable to multiple issues ranging from the remote execution of arbitrary code to various issues that allow an attacker to trick the user into trusting fake web sites or interacting with privileged content. Versions less than 1.7.6 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200503-30
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Suite: Multiple vulnerabilities
      Date: March 25, 2005
      Bugs: #84074
        ID: 200503-30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The Mozilla Suite is vulnerable to multiple issues ranging from the
remote execution of arbitrary code to various issues that allow an
attacker to trick the user into trusting fake web sites or interacting
with privileged content.

Background
==========

The Mozilla Suite is a popular all-in-one web browser that includes a
mail and news reader.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  www-client/mozilla           < 1.7.6                     >= 1.7.6
  2  www-client/mozilla-bin       < 1.7.6                     >= 1.7.6
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

The following vulnerabilities were found and fixed in the Mozilla
Suite:

* Mark Dowd from ISS X-Force reported an exploitable heap overrun in
  the GIF processing of obsolete Netscape extension 2 (CAN-2005-0399)

* Michael Krax reported that plugins can be used to load privileged
  content and trick the user to interact with it (CAN-2005-0232,
  CAN-2005-0527)

* Michael Krax also reported potential spoofing or
  cross-site-scripting issues through overlapping windows, image or
  scrollbar drag-and-drop, and by dropping javascript: links on tabs
  (CAN-2005-0230, CAN-2005-0231, CAN-2005-0401, CAN-2005-0591)

* Daniel de Wildt and Gael Delalleau discovered a memory overwrite in
  a string library (CAN-2005-0255)

* Wind Li discovered a possible heap overflow in UTF8 to Unicode
  conversion (CAN-2005-0592)

* Eric Johanson reported that Internationalized Domain Name (IDN)
  features allow homograph attacks (CAN-2005-0233)

* Mook, Doug Turner, Kohei Yoshino and M. Deaudelin reported various
  ways of spoofing the SSL "secure site" indicator (CAN-2005-0593)

* Georgi Guninski discovered that XSLT can include stylesheets from
  arbitrary hosts (CAN-2005-0588)

* Secunia discovered a way of injecting content into a popup opened
  by another website (CAN-2004-1156)

* Phil Ringnalda reported a possible way to spoof Install source with
  user:pass@host (CAN-2005-0590)

* Jakob Balle from Secunia discovered a possible way of spoofing the
  Download dialog source (CAN-2005-0585)

* Christian Schmidt reported a potential spoofing issue in HTTP auth
  prompt tab (CAN-2005-0584)

* Finally, Tavis Ormandy of the Gentoo Linux Security Audit Team
  discovered that Mozilla insecurely creates temporary filenames in
  /tmp/plugtmp (CAN-2005-0578)

Impact
======

* The GIF heap overflow could be triggered by a malicious GIF image
  that would end up executing arbitrary code with the rights of the
  user running Mozilla. The other overflow issues, while not thought to
  be exploitable, would have the same impact

* By setting up malicious websites and convincing users to follow
  untrusted links or obey very specific drag-and-drop or download
  instructions, attackers may leverage the various spoofing issues to
  fake other websites to get access to confidential information, push
  users to download malicious files or make them interact with their
  browser preferences

* The temporary directory issue allows local attackers to overwrite
  arbitrary files with the rights of another local user

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mozilla Suite users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-1.7.6"

All Mozilla Suite binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-client/mozilla-bin-1.7.6"

References
==========

  [ 1 ] CAN-2004-1156
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1156
  [ 2 ] CAN-2005-0230
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0230
  [ 3 ] CAN-2005-0231
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0231
  [ 4 ] CAN-2005-0232
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0232
  [ 5 ] CAN-2005-0233
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0233
  [ 6 ] CAN-2005-0255
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0255
  [ 7 ] CAN-2005-0399
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0399
  [ 8 ] CAN-2005-0401
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0401
  [ 9 ] CAN-2005-0527
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0527
  [ 10 ] CAN-2005-0578
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0578
  [ 11 ] CAN-2005-0584
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0584
  [ 12 ] CAN-2005-0585
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0585
  [ 13 ] CAN-2005-0588
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0588
  [ 14 ] CAN-2005-0590
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0590
  [ 15 ] CAN-2005-0591
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0591
  [ 16 ] CAN-2005-0592
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0592
  [ 17 ] CAN-2005-0593
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0593
  [ 18 ] Mozilla Security Advisories
         http://www.mozilla.org/projects/security/known-vulnerabilities.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200503-30.xml


- Vulnerability information (F36472)

Gentoo Linux Security Advisory 200503-10 (PacketStormID:F36472)
2005-03-07 00:00:00
Gentoo  security.gentoo.org
advisory,web,local
linux,gentoo
CVE-2004-1156,CVE-2005-0230,CVE-2005-0231,CVE-2005-0232,CVE-2005-0233,CVE-2005-0255,CVE-2005-0527,CVE-2005-0578,CVE-2005-0584,CVE-2005-0585,CVE-2005-0586,CVE-2005-0588,CVE-2005-0589,CVE-2005-0590,CVE-2005-0591,CVE-2005-0592,CVE-2005-0593

Gentoo Linux Security Advisory GLSA 200503-10 - Mozilla Firefox is vulnerable to a local file deletion issue and to various issues that allow an attacker to trick the user into trusting fake web sites or interacting with privileged content.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200503-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla Firefox: Various vulnerabilities
      Date: March 04, 2005
      Bugs: #83267
        ID: 200503-10

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Mozilla Firefox is vulnerable to a local file deletion issue and to
various issues that allow an attacker to trick the user into trusting
fake web sites or interacting with privileged content.

Background
==========

Mozilla Firefox is the popular next-generation browser from the Mozilla
project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                      /  Vulnerable  /          Unaffected
    -------------------------------------------------------------------
  1  net-www/mozilla-firefox           < 1.0.1                >= 1.0.1
  2  net-www/mozilla-firefox-bin       < 1.0.1                >= 1.0.1
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

The following vulnerabilities were found and fixed in Mozilla Firefox:

* Michael Krax reported that plugins can be used to load privileged
  content and trick the user to interact with it (CAN-2005-0232,
  CAN-2005-0527)

* Michael Krax also reported potential spoofing or
  cross-site-scripting issues through overlapping windows, image
  drag-and-drop, and by dropping javascript: links on tabs
  (CAN-2005-0230, CAN-2005-0231, CAN-2005-0591)

* Daniel de Wildt and Gael Delalleau discovered a memory overwrite in
  a string library (CAN-2005-0255)

* Wind Li discovered a possible heap overflow in UTF8 to Unicode
  conversion (CAN-2005-0592)

* Eric Johanson reported that Internationalized Domain Name (IDN)
  features allow homograph attacks (CAN-2005-0233)

* Mook, Doug Turner, Kohei Yoshino and M. Deaudelin reported various
  ways of spoofing the SSL "secure site" indicator (CAN-2005-0593)

* Matt Brubeck reported a possible Autocomplete data leak
  (CAN-2005-0589)

* Georgi Guninski discovered that XSLT can include stylesheets from
  arbitrary hosts (CAN-2005-0588)

* Secunia discovered a way of injecting content into a popup opened
  by another website (CAN-2004-1156)

* Phil Ringnalda reported a possible way to spoof Install source with
  user:pass@host (CAN-2005-0590)

* Jakob Balle from Secunia discovered a possible way of spoofing the
  Download dialog source (CAN-2005-0585)

* Christian Schmidt reported a potential spoofing issue in HTTP auth
  prompt tab (CAN-2005-0584)

* Andreas Sanblad from Secunia discovered a possible way of spoofing
  the Download dialog using the Content-Disposition header
  (CAN-2005-0586)

* Finally, Tavis Ormandy of the Gentoo Linux Security Audit Team
  discovered that Firefox insecurely creates temporary filenames in
  /tmp/plugtmp (CAN-2005-0578)

Impact
======

* By setting up malicious websites and convincing users to follow
  untrusted links or obey very specific drag-and-drop or download
  instructions, attackers may leverage the various spoofing issues to
  fake other websites to get access to confidential information, push
  users to download malicious files or make them interact with their
  browser preferences.

* The temporary directory issue allows local attackers to overwrite
  arbitrary files with the rights of another local user.

* The overflow issues, while not thought to be exploitable, may allow
  a malicious downloaded page to execute arbitrary code with the rights
  of the user viewing the page.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Firefox users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-www/mozilla-firefox-1.0.1"

All Firefox binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-www/mozilla-firefox-bin-1.0.1"

References
==========

  [ 1 ] CAN-2004-1156
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1156
  [ 2 ] CAN-2005-0230
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0230
  [ 3 ] CAN-2005-0231
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0231
  [ 4 ] CAN-2005-0232
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0232
  [ 5 ] CAN-2005-0233
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0233
  [ 6 ] CAN-2005-0255
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0255
  [ 7 ] CAN-2005-0527
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0527
  [ 8 ] CAN-2005-0578
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0578
  [ 9 ] CAN-2005-0584
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0584
  [ 10 ] CAN-2005-0585
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0585
  [ 11 ] CAN-2005-0586
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0586
  [ 12 ] CAN-2005-0588
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0588
  [ 13 ] CAN-2005-0589
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0589
  [ 14 ] CAN-2005-0590
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0590
  [ 15 ] CAN-2005-0591
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0591
  [ 16 ] CAN-2005-0592
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0592
  [ 17 ] CAN-2005-0593
         http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0593
  [ 18 ] Mozilla Security Advisories
         http://www.mozilla.org/projects/security/known-vulnerabilities.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200503-10.xml


- Vulnerability information (F36360)

iDEFENSE Security Advisory 2005-02-28.1 (PacketStormID:F36360)
2005-02-28 00:00:00
iDefense Labs  idefense.com
advisory,remote,arbitrary
CVE-2005-0255

iDEFENSE Security Advisory 02.28.05 - Remote exploitation of a design error in Mozilla 1.7.3 and Firefox 1.0 may allow an attacker to cause heap corruption, resulting in execution of arbitrary code.

Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Error

iDEFENSE Security Advisory 02.28.05
www.idefense.com/application/poi/display?id=200&type=vulnerabilities
February 28, 2005

I. BACKGROUND

Mozilla is an open-source web browser, designed for standards 
compliance, performance and portability. Further information about the 
browser is available at:

    http://www.mozilla.org

II. DESCRIPTION

Remote exploitation of a design error in Mozilla 1.7.3 and Firefox 1.0 
may allow an attacker to cause heap corruption, resulting in execution 
of arbitrary code.

The vulnerability specifically exists in string handling functions, 
such as nsCSubstring::Append, which rely on functions in the file 
mozilla/xpcom/string/src/nsTSubstring.cpp. Certain functions, such as 
nsTSubstring_CharT::Replace() fail to check the return value of
functions which resize the string.

xpcom/string/src/nsTSubstring.cpp:

[1] size_type length = tuple.Length();

    cutStart = PR_MIN(cutStart, Length());

[2] ReplacePrep(cutStart, cutLength, length);

[3] if (length > 0)
      tuple.WriteTo(mData + cutStart, length);


At [1], length is set to the length of the string to be copied, which
is then passed to ReplacePrep() at [2]. If the reallocation performed by
this function fails, it sets mData to a fixed address.

            mData = NS_CONST_CAST(char_type*, char_traits::sEmptyBuffer);
            mLength = 0;

The value of sEmptyBuffer is set in xpcom/string/src/nsSubstring.cpp:

static const PRUnichar gNullChar = 0;

const char* nsCharTraits<char>::sEmptyBuffer = (const char*) &gNullChar;

As the return value is not checked, if the function fails mData is
pointing at a known memory location. By causing memory to be consumed
until an out of memory condition occurs, and controlling the value of
the string to append, it is possible at [3] to cause arbitrary data to
be placed in a known location, allowing execution of arbitrary code.

This vulnerability would rely on both knowing the version of the
browser, which could be obtained from the User-Agent string passed to a
malicious server, and being able to cause memory exhaustion. It may be
possible to cause memory exhaustion remotely by either sending a large
amount of data to the client in the headers, which would require a large
amount of bandwidth or by using compression to reduce the amount of data
that needs to be sent to the client, either via a server module like the
Apache httpd mod_deflate, or a file such as a ZIP file referenced by a
jar: URI. It also may be possible to use JavaScript to allocate enough
memory to trigger this vulnerability.

As this vulnerability is triggered in an out of memory condition, it may
be easier to exploit on systems which have restricted the amount of
memory a user or process may use.
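
The unchecked-return-value pattern described in section II above (and in the CNNVD description earlier on this page), reproduced as an added example that is not Mozilla's code: a miniature string class with a shared empty buffer and an injected allocation failure, showing the unchecked Replace() beside a form that acts on ReplacePrep()'s result. The buffer, fault injector and class names are constructed for the example.

```cpp
// Added example, not Mozilla code: a miniature string buffer modelled on the
// Replace()/ReplacePrep() pattern quoted above; the defect is ignoring a failed resize.
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <string>

// Stand-in for nsCharTraits<char>::sEmptyBuffer: one buffer at a fixed address shared
// by every empty string. Constructed as 64 bytes (not 1) so the errant write below
// stays observable and well-defined.
static char gSharedEmptyBuffer[64] = {0};

// Constructed fault injector: when set, the next allocation fails (the
// out-of-memory condition the advisory describes).
static bool gFailNextAllocation = false;

static char* AllocateChars(std::size_t n) {
  if (gFailNextAllocation) { gFailNextAllocation = false; return nullptr; }
  return static_cast<char*>(std::malloc(n + 1));
}

class MiniString {
 public:
  MiniString() : mData(gSharedEmptyBuffer), mLength(0) {}
  ~MiniString() { ReleaseOwnedBuffer(); }
  MiniString(const MiniString&) = delete;
  MiniString& operator=(const MiniString&) = delete;

  std::size_t Length() const { return mLength; }
  std::string View() const { return std::string(mData, mLength); }
  bool UsesSharedBuffer() const { return mData == gSharedEmptyBuffer; }

  // The unchecked pattern: ReplacePrep()'s result is discarded, so after an
  // allocation failure the write at [3] lands in the shared empty buffer.
  void ReplaceUnchecked(std::size_t cutStart, std::size_t cutLength, const std::string& tuple) {
    std::size_t length = tuple.size();                                    // [1]
    cutStart = cutStart < mLength ? cutStart : mLength;
    ReplacePrep(cutStart, cutLength, length);                             // [2] result ignored
    if (length > 0) std::memcpy(mData + cutStart, tuple.data(), length);  // [3]
  }

  // Hardened form: stop before anything is written if the resize failed.
  bool ReplaceChecked(std::size_t cutStart, std::size_t cutLength, const std::string& tuple) {
    std::size_t length = tuple.size();
    cutStart = cutStart < mLength ? cutStart : mLength;
    if (!ReplacePrep(cutStart, cutLength, length)) return false;
    if (length > 0) std::memcpy(mData + cutStart, tuple.data(), length);
    return true;
  }

 private:
  // Resize so that [cutStart, cutStart + cutLength) can hold newLength chars. On
  // allocation failure the string is reset to the shared empty buffer and false is returned.
  bool ReplacePrep(std::size_t cutStart, std::size_t cutLength, std::size_t newLength) {
    if (cutLength > mLength - cutStart) cutLength = mLength - cutStart;
    std::size_t tailLength = mLength - cutStart - cutLength;
    std::size_t finalLength = cutStart + newLength + tailLength;
    char* fresh = AllocateChars(finalLength);
    if (fresh == nullptr) {   // failed: fall back to the fixed, known address
      ReleaseOwnedBuffer(); mData = gSharedEmptyBuffer; mLength = 0;
      return false;
    }
    std::memcpy(fresh, mData, cutStart);
    std::memcpy(fresh + cutStart + newLength, mData + cutStart + cutLength, tailLength);
    fresh[finalLength] = '\0';
    ReleaseOwnedBuffer(); mData = fresh; mLength = finalLength;
    return true;
  }

  void ReleaseOwnedBuffer() {
    if (mData != gSharedEmptyBuffer) std::free(mData);
  }

  char* mData;
  std::size_t mLength;
};

// Normal operation: "hello world" becomes "hello there".
std::string ReplaceWithoutOom() {
  MiniString s;
  s.ReplaceChecked(0, 0, "hello world");
  s.ReplaceChecked(6, 5, "there");
  return s.View();
}

// Checked variant under an injected allocation failure: true when the call reports
// failure, the string stays empty and the shared buffer is untouched.
bool CheckedVariantSurvivesOom() {
  std::memset(gSharedEmptyBuffer, 0, sizeof gSharedEmptyBuffer);
  MiniString s;
  gFailNextAllocation = true;
  return !s.ReplaceChecked(0, 0, "payload") && s.Length() == 0 &&
         s.UsesSharedBuffer() && gSharedEmptyBuffer[0] == '\0';
}

// Unchecked variant under the same failure: true when the write at [3] has landed
// in the buffer that every other empty string also points at.
bool UncheckedVariantCorruptsSharedBuffer() {
  std::memset(gSharedEmptyBuffer, 0, sizeof gSharedEmptyBuffer);
  MiniString s;
  gFailNextAllocation = true;
  s.ReplaceUnchecked(0, 0, "payload");   // 7 bytes into the 64-byte stand-in
  return gSharedEmptyBuffer[0] != '\0';
}
```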

III. ANALYSIS

Remote exploitation of this vulnerability may allow execution of 
arbitrary code with the privileges of the logged in user. A failed 
exploitation attempt may result in the browser crashing.

IV. DETECTION

iDEFENSE Labs have confirmed The Mozilla Organization's Mozilla 1.7.1 
and 1.7.3, as well as Firefox 0.10.1 are vulnerable to this
issue. A check on the source code for Firefox 1.0 suggests it is also
vulnerable. It is suspected that all previous versions of both browsers
are vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this 
vulnerability.

VI. VENDOR RESPONSE

Vendor advisory:
   http://www.mozilla.org/security/announce/mfsa2005-18.html

Raw bug report:
   https://bugzilla.mozilla.org/show_bug.cgi?id=277549

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0255 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/09/2005  Initial vendor notification
02/09/2005  Initial vendor response
02/28/2005  Coordinated public disclosure

IX. CREDIT

Ga    

- Vulnerability information

14195
Mozilla Multiple Products MutatePrep string Library Overflow
Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-01-08 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Mozilla Suite Multiple Remote Vulnerabilities
Unknown 12659
Yes No
2005-02-25 12:00:00 2007-01-25 04:21:00
Tavis Ormandy <taviso@sdf.lonestar.org>, Andreas Sanblad, Masayuki Nakano (Mozilla Japan) <masayuki@d-toybox.com>, Georgi Guninski <guninski@guninski.com>, Matt Brubeck Daniel de Wildt, Gaël Delalleau, Phil Ringnalda <bugzilla@philringnalda.com>, wind l

- Affected program versions

SGI ProPack 3.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Netscape Netscape 7.2
Netscape Netscape 7.1
Netscape Netscape 7.0
Mozilla Thunderbird 1.0
Mozilla Thunderbird 0.9
Mozilla Thunderbird 0.8
Mozilla Thunderbird 0.7.3
Mozilla Thunderbird 0.7.2
Mozilla Thunderbird 0.7.1
Mozilla Thunderbird 0.7
Mozilla Thunderbird 0.6
Mozilla Firefox 1.0
+ Gentoo Linux
+ S.u.S.E. Linux Personal 9.2 x86_64
+ S.u.S.E. Linux Personal 9.2
+ S.u.S.E. Linux Personal 9.1 x86_64
+ S.u.S.E. Linux Personal 9.1
+ S.u.S.E. Linux Personal 9.0 x86_64
+ S.u.S.E. Linux Personal 9.0
+ Slackware Linux 10.1
+ Slackware Linux 10.0
+ Slackware Linux 9.1
+ Slackware Linux -current
Mozilla Firefox 0.10.1
Mozilla Firefox 0.10
Mozilla Firefox 0.9.3
Mozilla Firefox 0.9.2
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9 rc
Mozilla Firefox 0.9
Mozilla Firefox 0.8
Mozilla Browser 1.7.5
+ HP Tru64 5.1 B-2 PK4 (BL25)
+ HP Tru64 5.1 B-2 PK4
+ HP Tru64 5.1 B PK4
+ HP Tru64 5.1 A PK6 (BL24)
+ HP Tru64 5.1 A PK6
Mozilla Browser 1.7.4
Mozilla Browser 1.7.3
+ HP HP-UX B.11.23
+ HP HP-UX B.11.22
+ HP HP-UX B.11.11
+ HP HP-UX B.11.00
+ HP Tru64 5.1 B-2 PK4 (BL25)
+ HP Tru64 5.1 B-2 PK4
+ HP Tru64 5.1 B PK4
+ HP Tru64 5.1 A PK6 (BL24)
+ HP Tru64 5.1 A PK6
Mozilla Browser 1.7.2
Mozilla Browser 1.7.1
Mozilla Browser 1.7
HP HP-UX B.11.23
HP HP-UX B.11.22
HP HP-UX B.11.11
HP HP-UX B.11.00
Gentoo Linux

- Unaffected Software Versions

Netscape Netscape 8.0
Mozilla Thunderbird 1.0.1
Mozilla Firefox 1.0.1
+ Red Hat Fedora Core3
Mozilla Browser 1.7.6
+ HP HP-UX B.11.23
+ HP HP-UX B.11.22
+ HP HP-UX B.11.11
+ HP HP-UX B.11.00
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0

- Vulnerability Discussion

Multiple remote vulnerabilities affect Mozilla Suite, Firefox, and Thunderbird, as reported in several Mozilla Foundation Security Advisories:

- 2005-28: An issue affecting the plugin functionality; temporary directories are created in an insecure manner.
- 2005-22: A dialog-spoofing vulnerability.
- 2005-21: A '.lnk' link file arbitrary file-overwrite vulnerability.
- 2005-20: An XSLT stylesheet information-disclosure vulnerability.
- 2005-19: An information-disclosure issue affecting the form auto-complete functionality.
- 2005-18: A buffer-overflow vulnerability.
- 2005-17: A dialog-spoofing vulnerability affecting installation confirmation.
- 2005-15: A heap-overflow vulnerability in UTF8 encoding.
- 2005-15: Multiple spoofing vulnerabilities affecting the SSL 'secure site' lock icon.

An attacker may leverage these issues to spoof dialog boxes and SSL 'secure site' icons, to carry out symbolic-link attacks, to execute arbitrary code, and to access potentially sensitive information.

Please note that this BID will be separated into individual BIDs as soon as further research into each of the vulnerabilities is completed, at which time this 'umbrella' BID will be retired.

- Exploitation

For most of these issues, an exploit is not required to carry out an attack. For the issues that require an exploit, we are currently unaware of any. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

The vendor has released upgrades dealing with these issues. Mozilla has reported that Mozilla Suite 1.7.6, which addresses these issues, will be released in the near future. This BID will be updated upon release.

Please see the referenced advisories for further information.

Mozilla Firefox 0.10
Mozilla Firefox 0.10.1
Mozilla Thunderbird 0.6
Mozilla Thunderbird 0.7
Mozilla Thunderbird 0.7.1
Mozilla Thunderbird 0.7.2
Mozilla Thunderbird 0.7.3
Mozilla Firefox 0.8
Mozilla Thunderbird 0.8
Mozilla Firefox 0.9
Mozilla Thunderbird 0.9
Mozilla Firefox 0.9 rc
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9.2
Mozilla Firefox 0.9.3
Mozilla Firefox 1.0
Mozilla Thunderbird 1.0
Mozilla Browser 1.7
Mozilla Browser 1.7.1
Mozilla Browser 1.7.2
Mozilla Browser 1.7.3
Mozilla Browser 1.7.4
Mozilla Browser 1.7.5
S.u.S.E. Linux Professional 10.0
Netscape Netscape 7.0
Netscape Netscape 7.1
Netscape Netscape 7.2
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.3

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright Notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.