
Security

Firefox 1.0.1 and automatic updates

The Firefox 1.0.1 release was announced on February 24. As expected, this release had a fix for the IDN spoofing vulnerability which did not actually disable international domain names; instead, such names are mangled into punycode and presented to the user in that form. Various other security-related problems were also fixed in 1.0.1.
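The display change described above is easy to reproduce. The following is an added example, not Firefox code: it converts every non-ASCII label of a hostname to its punycode (xn--) form, which is the transformation Firefox 1.0.1 applies before showing the name, and adds one check the release does not do, flagging labels that mix Unicode scripts, since script mixing is what a look-alike name depends on. The hostnames are constructed sample inputs.

```python
import unicodedata

def to_punycode_display(hostname: str) -> str:
    """Render a hostname the way Firefox 1.0.1 shows IDNs: ASCII labels are
    left alone, every label containing non-ASCII characters is replaced by
    its xn-- (punycode) encoding, so the user sees what the resolver sees."""
    out = []
    for label in hostname.split("."):
        if label.isascii():
            out.append(label)
        else:
            # Python's idna codec applies nameprep and punycode (RFC 3490/3492)
            out.append(label.encode("idna").decode("ascii"))
    return ".".join(out)

def scripts_in_label(label: str) -> set:
    """Unicode script of every letter in the label, taken from the first
    word of the character's name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "")
            if name:
                scripts.add(name.split(" ", 1)[0])
    return scripts

def is_mixed_script(hostname: str) -> bool:
    """True if any single label mixes letters from more than one script.
    A purely Cyrillic or purely Latin IDN label is legitimate; a label
    that mixes the two is the signature of a homograph name."""
    return any(len(scripts_in_label(label)) > 1 for label in hostname.split("."))

# Constructed sample inputs: a plain ASCII name, a legitimate German IDN,
# and a look-alike whose second letter is CYRILLIC SMALL LETTER A (U+0430).
SAMPLES = ["www.example.com", "m\u00fcnchen.de", "www.p\u0430ypal.com"]

if __name__ == "__main__":
    for host in SAMPLES:
        flag = "  (mixed script)" if is_mixed_script(host) else ""
        print(f"{host!r:24} -> {to_punycode_display(host)}{flag}")
```

The punycode form is what a user of 1.0.1 sees in the location bar; the script check is the kind of heuristic later browsers added on top of it, and is shown here only to make the distinction between a legitimate IDN and a mixed-script one concrete.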

One of Firefox's features is automatic updates: the browser can phone home to find out whether an updated version has been released and, if so, offer an upgrade to the user. Many people have been surprised that the automatic update mechanism apparently did not work with 1.0.1. Instead, they had to notice some other way that a new version was available and download it themselves. Not, perhaps, the best example of how Firefox can respond to security issues.

It turns out that a couple of problems were at work here. The first is that the Mozilla Project's infrastructure simply wasn't up to trying to update millions of users at once. So the project decided to spread things out. Automatic updates were disabled entirely for a while, then they were turned on for parts of the network at a time. According to Asa Dotzler's weblog, the folks in Argentina and Andorra were the first to get their updates, followed by Russia, then, eventually, the rest of the world.

Even then, however, it turns out that only Windows users were offered updates. A bug in the automatic updater rendered it unusable for versions of Firefox running on other operating systems, so it was disabled for non-Windows users. And that is why most readers of this page, likely as not, never saw an update notification.

Now was a good time for this sort of shakedown of the Firefox update system. There were real security problems to fix, but none of them were screamingly urgent. Sooner or later, there will be a vulnerability for which a rapid update is required. Hopefully, by then, the infrastructural issues and update system glitches will have been ironed out.

Comments (8 posted)

New vulnerabilities

bsmtpd: missing input sanitizing

Package(s): bsmtpd    CVE #(s): CAN-2005-0107
Created: February 25, 2005    Updated: March 2, 2005
Description: Bastian Blank found a vulnerability in bsmtpd, a batched SMTP mailer for sendmail and postfix. Unsanitized addresses can cause the execution of arbitrary commands during alleged mail delivery.
Alerts:
Debian DSA-690-1 bsmtpd 2005-02-25

Comments (none posted)

cmd5checkpw: local password leak

Package(s): cmd5checkpw    CVE #(s): none
Created: February 25, 2005    Updated: March 2, 2005
Description: Florian Westphal discovered that cmd5checkpw is installed setuid cmd5checkpw but does not drop privileges before calling execvp(), so the invoked program retains the cmd5checkpw euid. Local users that know at least one valid /etc/poppasswd user/password combination can read the /etc/poppasswd file.
Alerts:
Gentoo 200502-30 cmd5checkpw 2005-02-25
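The defect described above is a missing step between "we are setuid" and "we exec something". The following is an added example, not cmd5checkpw's code, of the privilege drop that should precede execvp() in any setuid helper: groups and gid first, uid last, all three id slots set so the privilege cannot be regained, and each step verified. Run as an ordinary user it is a no-op that succeeds; installed setuid it would hand the exec'd program the caller's real ids.

```python
import os

def drop_privileges() -> bool:
    """Permanently give up any setuid/setgid identity before an exec.

    Order matters: supplementary groups and the gid are dropped first,
    while the process is still privileged enough to do so, and the uid
    last. Real, effective and saved ids are all set, so seteuid() cannot
    restore the privilege later. Every step is verified, because a
    silently failed setuid() is exactly the bug that leaves the exec'd
    program running with the wrong effective id."""
    real_uid, real_gid = os.getuid(), os.getgid()
    try:
        if os.geteuid() == 0:
            os.setgroups([])  # only root may clear supplementary groups
        os.setresgid(real_gid, real_gid, real_gid)
        os.setresuid(real_uid, real_uid, real_uid)
    except OSError:
        return False
    if os.getresgid() != (real_gid, real_gid, real_gid):
        return False
    if os.getresuid() != (real_uid, real_uid, real_uid):
        return False
    return True

def exec_as_caller(argv: list) -> None:
    """The pattern the advisory says cmd5checkpw lacked: drop privileges,
    then execvp(). If the drop fails the program is refused, not run."""
    if not drop_privileges():
        raise SystemExit("refusing to exec: could not drop privileges")
    os.execvp(argv[0], argv)

if __name__ == "__main__":
    if drop_privileges():
        print("uid", os.getuid(), "euid", os.geteuid(),
              "gid", os.getgid(), "egid", os.getegid())
```

The verification after the calls is the part most often omitted: on Linux setuid() in a multithreaded program, or setgroups() without the right capability, can fail, and a helper that does not check will happily exec with the identity it meant to discard.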

Comments (none posted)

cURL: buffer overflow

Package(s): curl    CVE #(s): CAN-2005-0490
Created: February 28, 2005    Updated: July 19, 2005
Description: Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded.
Alerts:
Fedora-Legacy FLSA:152917 curl 2005-07-15
Fedora FEDORA-2005-325 curl 2005-04-20
Red Hat RHSA-2005:340-01 curl 2005-04-05
Conectiva CLA-2005:940 curl 2005-03-21
Gentoo 200503-20 curl 2005-03-16
Mandrake MDKSA-2005:048 curl 2005-03-04
SuSE SUSE-SA:2005:011 curl 2005-02-28
Ubuntu USN-86-1 curl 2005-02-28

Comments (none posted)

gaim: DoS issue in parsing malformed HTML

Package(s): gaim    CVE #(s): CAN-2005-0208
Created: February 25, 2005    Updated: March 14, 2005
Description: Gaim has a DoS issue in parsing malformed HTML, and an MSN-related crash.
Alerts:
Conectiva CLA-2005:933 gaim 2005-03-14
Red Hat RHSA-2005:215-01 gaim 2005-03-10
Mandrake MDKSA-2005:049 gaim 2005-03-04
Gentoo 200503-03 gaim 2005-03-01
Fedora FEDORA-2005-172 gaim 2005-02-25
Fedora FEDORA-2005-171 gaim 2005-02-25

Comments (none posted)

MediaWiki: multiple vulnerabilities

Package(s): mediawiki    CVE #(s): CAN-2005-0534 CAN-2005-0535 CAN-2005-0536
Created: February 28, 2005    Updated: June 13, 2005
Description: A security audit of the MediaWiki project discovered that MediaWiki is vulnerable to several cross-site scripting and cross-site request forgery attacks, and that the image deletion code does not sufficiently sanitize input parameters.
Alerts:
Gentoo 200506-12 mediawiki 2005-06-13
Gentoo 200502-33 mediawiki 2005-02-28

Comments (none posted)

Mozilla and Mozilla Firefox: out of memory heap corruption

Package(s): mozilla firefox    CVE #(s): CAN-2005-0255
Created: March 1, 2005    Updated: March 16, 2005
Description: According to this iDEFENSE advisory, remote exploitation of a design error in Mozilla 1.7.3 and Firefox 1.0 may allow an attacker to cause heap corruption, resulting in execution of arbitrary code.
Alerts:
SuSE SUSE-SA:2005:016 firefox 2005-03-16
Red Hat RHSA-2005:277-01 mozilla 2005-03-04
Gentoo 200503-10 mozilla-firefox 2005-03-04
Red Hat RHSA-2005:176-01 firefox 2005-03-01
Fedora FEDORA-2005-182 firefox 2005-02-26

Comments (none posted)

phpBB: multiple vulnerabilities

Package(s): phpbb    CVE #(s): CAN-2005-0258 CAN-2005-0259
Created: March 1, 2005    Updated: March 2, 2005
Description: It was discovered that phpBB contains a flaw in the session handling code and a path disclosure bug. AnthraX101 discovered that phpBB allows local users to read arbitrary files, if the "Enable remote avatars" and "Enable avatar uploading" options are set (CAN-2005-0259). He also found out that incorrect input validation in "usercp_avatar.php" and "usercp_register.php" makes phpBB vulnerable to directory traversal attacks, if the "Gallery avatars" setting is enabled (CAN-2005-0258).
Alerts:
Gentoo 200503-02 phpBB 2005-03-01

Comments (none posted)

phpWebSite: arbitrary PHP execution and path disclosure

Package(s): phpwebsite    CVE #(s): none
Created: March 1, 2005    Updated: March 2, 2005
Description: NST discovered that, when submitting an announcement, uploaded files aren't correctly checked for malicious code. They also found out that phpWebSite is vulnerable to a path disclosure. A remote attacker can exploit this issue to upload files to a directory within the web root. By calling the uploaded script the attacker could then execute arbitrary PHP code with the rights of the web server. By passing specially crafted requests to the search module, remote attackers can also find out the full path of PHP scripts.
Alerts:
Gentoo 200503-04 phpwebsite 2005-03-01

Comments (none posted)

Qt: untrusted library search path

Package(s): qt    CVE #(s): none
Created: March 1, 2005    Updated: March 2, 2005
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team has discovered that Qt searches for shared libraries in an untrusted, world-writable directory. A local attacker could create a malicious shared object that would be loaded by Qt, resulting in the execution of arbitrary code with the privileges of the Qt application.
Alerts:
Gentoo 200503-01 qt 2005-03-01
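The condition behind this advisory, a library search path containing a directory other users can write to, is something an administrator can audit. The following is an added example, not Qt's or Gentoo's code: it walks a colon-separated search path (LD_LIBRARY_PATH style; the advisory does not say which path Qt used) and reports every entry another local user could plant a file in. The directories it checks are constructed in a temporary location.

```python
import os
import stat
import tempfile

WORLD_WRITABLE = "world-writable"
GROUP_WRITABLE = "group-writable"
RELATIVE = "empty or relative entry (searched relative to the current directory)"

def untrusted_dirs(search_path: str) -> list:
    """Return (entry, reason) pairs for every search-path entry that is
    not safe to load libraries from. Missing directories are skipped, as
    the loader skips them; an empty or relative entry is reported because
    it makes the loader search the process's current directory."""
    findings = []
    for entry in search_path.split(":"):
        if entry == "" or not os.path.isabs(entry):
            findings.append((entry, RELATIVE))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            continue
        if not stat.S_ISDIR(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        # The sticky bit (as on /tmp) only stops others deleting files; it
        # does not stop them creating a library that is not there yet.
        if mode & stat.S_IWOTH:
            findings.append((entry, WORLD_WRITABLE))
        elif mode & stat.S_IWGRP:
            findings.append((entry, GROUP_WRITABLE))
    return findings

def demo() -> list:
    """Constructed scenario: one properly protected directory, one that is
    world-writable like /tmp, one missing, and a trailing empty entry."""
    base = tempfile.mkdtemp()
    good = os.path.join(base, "lib")
    bad = os.path.join(base, "plugins")
    os.mkdir(good)
    os.mkdir(bad)
    os.chmod(good, 0o755)
    os.chmod(bad, 0o1777)  # sticky and world-writable
    path = f"{good}:{bad}:{os.path.join(base, 'missing')}:"
    return [reason for _, reason in untrusted_dirs(path)]

if __name__ == "__main__":
    for entry, reason in untrusted_dirs(os.environ.get("LD_LIBRARY_PATH", "")):
        print(f"{entry!r}: {reason}")
```

Ownership is deliberately not checked here; a complete audit would also refuse directories not owned by root or the invoking user, since the owner can always change the mode back.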

Comments (none posted)

reportbug: world readable files

Package(s): reportbug    CVE #(s): none
Created: February 28, 2005    Updated: March 2, 2005
Description: The per-user configuration file ~/.reportbugrc was created world-readable. If it contained email smarthost passwords, these were readable by any other user on the computer storing the home directory. If users have ~/.reportbugrc files with SMTP passwords, the permissions should be manually changed:
    chmod 600 .reportbugrc
Alerts:
Ubuntu USN-88-1 reportbug 2005-02-28
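The root cause is that the file was created with the process's default permissions and never tightened. As an added example, not reportbug's code, this shows how a program should create a file that holds a secret: the restrictive mode is passed to open(2) with O_CREAT|O_EXCL, so no window exists in which the file is world-readable, together with the check an administrator could run over home directories and the equivalent of the advisory's chmod. The files and the password in them are constructed.

```python
import os
import stat
import tempfile

def write_private_file(path: str, data: str) -> int:
    """Create `path` with mode 0600 and write `data` to it.

    The mode is given to open(2) together with O_CREAT|O_EXCL, so the file
    never exists with wider permissions, not even between creation and a
    later chmod, and a file or symlink already at that name is not reused.
    Returns the resulting permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def is_readable_by_others(path: str) -> bool:
    """The audit question: does anyone but the owner have read access?"""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def fix_permissions(path: str) -> int:
    """Equivalent of the advisory's `chmod 600 .reportbugrc`; returns the
    new permission bits."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo() -> dict:
    """Constructed scenario in a temporary directory: one file created the
    safe way, one created the way the old reportbug did (world-readable)."""
    home = tempfile.mkdtemp()
    secrets = ("smtphost mail.example.invalid\n"
               "smtppasswd constructed-example-password\n")
    safe = os.path.join(home, ".reportbugrc")
    leaky = os.path.join(home, ".reportbugrc.old")
    with open(leaky, "w") as f:      # created with the default umask...
        f.write(secrets)
    os.chmod(leaky, 0o644)           # ...and left world-readable
    return {
        "safe_mode": write_private_file(safe, secrets),
        "safe_leaks": is_readable_by_others(safe),
        "leaky_before": is_readable_by_others(leaky),
        "leaky_mode_after_fix": fix_permissions(leaky),
        "leaky_after": is_readable_by_others(leaky),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) and not isinstance(value, bool) else value}")
```

Passing the mode at creation rather than calling chmod afterwards matters because the umask can only remove bits from 0600, never add them, whereas the create-then-chmod sequence leaves the secret exposed until the second call runs.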

Comments (none posted)

uim: local privilege escalation

Package(s): uim    CVE #(s): CAN-2005-0503
Created: February 24, 2005    Updated: March 2, 2005
Description: uim has a problem in which environment variables can be used by a local attacker to elevate their privileges.
Alerts:
Gentoo 200502-31 uim 2005-02-28
Mandrake MDKSA-2005:046 uim 2005-02-24

Comments (none posted)

UnAce: buffer overflow and directory traversal

Package(s): unace    CVE #(s): CAN-2005-0160 CAN-2005-0161
Created: February 28, 2005    Updated: June 17, 2005
Description: Ulf Harnhammar discovered that UnAce suffers from buffer overflows when testing, unpacking or listing specially crafted ACE archives (CAN-2005-0160). He also found out that UnAce is vulnerable to directory traversal attacks, if an archive contains "./.." sequences or absolute filenames (CAN-2005-0161).
Alerts:
SuSE SUSE-SR:2005:016 multi 2005-06-17
Gentoo 200502-32 unace 2005-02-28
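The directory traversal part of this advisory (CAN-2005-0161) and the phpBB avatar traversal above (CAN-2005-0258) are the same mistake: a file name taken from untrusted input is joined to a base directory without checking where it ends up. The following is an added example, not UnAce's or phpBB's code, of the check both needed. It refuses absolute names outright, evaluates ".." only after normalising the name (so "./.." and "a/../.." are caught even though they do not begin with ".."), and finally compares the resolved target with the resolved destination, which also catches an escape through a symlink extracted earlier. The member names are constructed.

```python
import os
import posixpath
from typing import Optional

def safe_member_path(dest_dir: str, member: str) -> Optional[str]:
    """Return the absolute path under dest_dir where archive member (or
    user-supplied file name) `member` may be written, or None if writing
    it would land outside dest_dir."""
    if not member or member.startswith(("/", "\\")):
        return None                      # absolute name: refused outright
    norm = posixpath.normpath(member.replace("\\", "/"))
    if norm in (".", "..") or norm.startswith("../"):
        return None                      # escapes by way of ".." segments
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, norm))
    if os.path.commonpath([dest, target]) != dest:
        return None                      # escapes through a symlink
    return target

def plan_extraction(dest_dir: str, members: list) -> tuple:
    """Split a member list into the names that may be extracted and the
    names that were rejected, so the caller can fail loudly on any
    rejection instead of silently skipping it."""
    accepted, rejected = [], []
    for member in members:
        (accepted if safe_member_path(dest_dir, member) else rejected).append(member)
    return accepted, rejected

# Constructed member names of the kinds the advisories describe.
SAMPLE_MEMBERS = [
    "docs/readme.txt",        # ordinary relative name: accepted
    "docs/../notes.txt",      # normalises to notes.txt inside dest: accepted
    "./../outside.txt",       # the "./.." sequence from the advisory
    "a/../../outside.txt",    # escapes only after normalisation
    "/abs/outside.conf",      # absolute name
]

if __name__ == "__main__":
    accepted, rejected = plan_extraction("/tmp/out", SAMPLE_MEMBERS)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The last check is the one a simple string test cannot replace: once a member that is itself a symlink to a directory outside the destination has been extracted, a later member whose name merely passes through that symlink would otherwise be written outside, and only comparing resolved paths catches it.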

Comments (none posted)

xloadimage, xli: buffer overflows

Package(s): xli, xloadimage    CVE #(s): CAN-2001-0775
Created: March 2, 2005    Updated: March 2, 2005
Description: The xloadimage and xli utilities contain a flaw in their compressed image handling which can lead to a buffer overflow and code execution.
Alerts:
Gentoo 200503-05 xli 2005-03-02

Comments (none posted)

Events

WORM 2005

The third Workshop on Rapid Malcode is happening on November 11 in Fairfax, VA. The call for papers is out; submissions are due by June 23.

Full Story (comments: none)

Page editor: Jonathan Corbet


Copyright © 2005, Eklektix, Inc.