lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040915151638.202c31d0.gael.delalleau+moz@m4x.org>
From: gael.delalleau+moz at m4x.org (Gaƫl Delalleau)
Subject: New Mozilla, Firefox and Thunderbird releases fix critical security
 issues

(This is not an official Mozilla advisory. My goal here is to bring
awareness about these issues to the users of Mozilla-based products, and
to provide some links to more detailed technical information about the
security bugs I found.)


Overview
--------

Firefox Preview Release, Thunderbird 0.8, and Mozilla 1.7.3 are
available for download at www.mozilla.org since Sept 13 and 14. These
releases fix 7 critical security issues, detailed on the "Known
Vulnerabilities in Mozilla" page:
http://www.mozilla.org/projects/security/known-vulnerabilities.html

Three of these issues are rated at maximum level "Severity: Critical"
and "Risk: High":

* Non-ascii hostname heap overrun (reported by Mats Palmgren, Ga?l
  Delalleau)
   A link with a non-ascii hostname can cause a heap buffer overrun that
   could potentially be exploited to run arbitrary code.

* BMP integer overflow (reported by Ga?l Delalleau)
   Extremely wide BMP images trigger an integer overflow, leading to
   heap overruns that are potentially exploitable to run arbitrary code.

* Buffer overflow when displaying VCard (reported by Georgi Guninski)
   A stack buffer overrun in VCard display routines could be exploited
   to run arbitrary code supplied by the attacker.


Technical information about the security bugs I reported
--------------------------------------------------------

These are some links to my original source code audit reports. I audited
parts of the Mozilla 1.7.2 C++ source code tree during my free time, in
an attempt to promote and participate to the Mozilla Security Bug Bounty
Program.

* Arbitrary code execution while parsing a malformed .BMP image
http://www.zencomsec.com/advisories/mozilla-1.7.2-BMP.txt

* Out of bounds writes in the POP3 protocol handler allows for arbitrary
code execution
http://www.zencomsec.com/advisories/mozilla-1.7.2-POP3.txt

* Non-ascii hostname heap overrun
http://www.zencomsec.com/advisories/mozilla-1.7.2-UTF8link.txt



Other products at risk?
-----------------------

Although not 100% verified, it is very likely some of these critical
security bugs are also exploitable in other products based on Mozilla,
like Netscape 7 and Galeon.

Users of such products should ask vendors for a patch, and meanwhile
apply the workarounds described on the "Known Vulnerabilities in
Mozilla" page.



Ga?l Delalleau

Zencom Secure Solutions 
71 avenue d'Italie
75013 PARIS - FRANCE


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ