| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040915151551.3be150a9.gael.delalleau+moz@m4x.org> Date: Wed, 15 Sep 2004 15:15:51 +0200 From: Gaël Delalleau <gael.delalleau+moz@....org> To: bugtraq@...urityfocus.com Subject: New Mozilla, Firefox and Thunderbird releases fix critical security issues (This is not an official Mozilla advisory. My goal here is to bring awareness about these issues to the users of Mozilla-based products, and to provide some links to more detailed technical information about the security bugs I found.) Overview -------- Firefox Preview Release, Thunderbird 0.8, and Mozilla 1.7.3 are available for download at www.mozilla.org since Sept 13 and 14. These releases fix 7 critical security issues, detailed on the "Known Vulnerabilities in Mozilla" page: http://www.mozilla.org/projects/security/known-vulnerabilities.html Three of these issues are rated at maximum level "Severity: Critical" and "Risk: High": * Non-ascii hostname heap overrun (reported by Mats Palmgren, Gaël Delalleau) A link with a non-ascii hostname can cause a heap buffer overrun that could potentially be exploited to run arbitrary code. * BMP integer overflow (reported by Gaël Delalleau) Extremely wide BMP images trigger an integer overflow, leading to heap overruns that are potentially exploitable to run arbitrary code. * Buffer overflow when displaying VCard (reported by Georgi Guninski) A stack buffer overrun in VCard display routines could be exploited to run arbitrary code supplied by the attacker. Technical information about the security bugs I reported -------------------------------------------------------- These are some links to my original source code audit reports. I audited parts of the Mozilla 1.7.2 C++ source code tree during my free time, in an attempt to promote and participate to the Mozilla Security Bug Bounty Program. * Arbitrary code execution while parsing a malformed .BMP image http://www.zencomsec.com/advisories/mozilla-1.7.2-BMP.txt * Out of bounds writes in the POP3 protocol handler allows for arbitrary code execution http://www.zencomsec.com/advisories/mozilla-1.7.2-POP3.txt * Non-ascii hostname heap overrun http://www.zencomsec.com/advisories/mozilla-1.7.2-UTF8link.txt Other products at risk? ----------------------- Although not 100% verified, it is very likely some of these critical security bugs are also exploitable in other products based on Mozilla, like Netscape 7 and Galeon. Users of such products should ask vendors for a patch, and meanwhile apply the workarounds described on the "Known Vulnerabilities in Mozilla" page. Gaël Delalleau Zencom Secure Solutions 71 avenue d'Italie 75013 PARIS - FRANCE
Powered by blists - more mailing lists