Brief items
September 14, 2005
This article was contributed by Jake Edge.
Tom Ferris announced a potentially exploitable buffer overflow in Firefox this week, and the discussion surrounding the flaw has focused on the nature of the announcement more than on the bug itself. Advocates of full disclosure and those opposed to it have clashed on various Internet sites.

The bug is in the handling of international domain names (IDN), and the proof of concept released by Ferris is a specially crafted URL that will cause Firefox 1.0.6 and earlier to crash. Unlike other similar bugs, the user does not need to actually follow the link; merely parsing the URL in the page will cause Firefox to crash. It is not yet known whether a malicious person can exploit this to execute arbitrary code on the host, but Ferris claims in his bug report that it can be done.

A workaround that disables IDN parsing was quickly released by the Mozilla team, and both Red Hat and Fedora released updates to fix the buffer overflow.
Complaints have been heard about the amount of time Ferris gave the Mozilla team to fix the problem before he announced the flaw on the full-disclosure mailing list. His report states that he reported the problem on September 4, but the entry in Bugzilla was made on September 6. He disclosed the problem on September 8, before a fix was available, and many people find that to be irresponsible.
Full disclosure is a contentious issue. Many people argue that security flaws should be reported to the author of the software, who should then be given a 'reasonable' amount of time to investigate and fix the problem before it is announced to the world. The presumption is that the delay reduces or eliminates the possibility of an exploit being crafted while the program is vulnerable. Proponents of full disclosure point out that it is quite possible that other people, possibly with bad intentions, already know about the flaw and are working on exploits or have already deployed them. Even if there is no known exploit 'in the wild', security-conscious users may wish to stop using the affected program until it can be fixed, and without disclosure they do not have the information necessary to take that step.
An additional complication arises because Firefox has been touted as a more secure alternative to Internet Explorer, and many less technically savvy people have installed it. These users do not tend to frequent LWN or other sites that report on security issues and, unfortunately, are likely to ignore the problem even if they do find out about it. This problem is not unique to Firefox, of course, nor to free software in general, but as free software extends its reach, it is a problem that needs to be addressed. A widespread exploit in a free software package, even if the vulnerability has already been fixed, will provide the competition with ample opportunities to suggest that all free software is insecure.
Comments (32 posted)
New vulnerabilities
common-lisp-controller: design error
Package(s): common-lisp-controller
CVE #(s): CAN-2005-2657
Created: September 14, 2005
Updated: November 21, 2005
Description: François-René Rideau discovered a bug in common-lisp-controller, a Common Lisp source and compiler manager, that allows a local user to compile malicious code into a cache directory which is executed by another user if that user has not used Common Lisp before.
Alerts:
  Debian  DSA-811-2  common-lisp-controller  2005-11-21
  Debian  DSA-811-1  common-lisp-controller  2005-09-14
Comments (none posted)
mozilla: buffer overflow
Package(s): mozilla
CVE #(s): CAN-2005-2871
Created: September 12, 2005
Updated: October 20, 2005
Description: The Mozilla browser, Firefox and Thunderbird have a buffer overflow vulnerability. A local user can be tricked into clicking a URL that can cause the local application to crash and possibly execute arbitrary code. See this article for more information.
Comments (none posted)
mysql: buffer overflow
Package(s): mysql
CVE #(s): CAN-2005-2558
Created: September 12, 2005
Updated: January 12, 2006
Description: The MySQL CREATE FUNCTION statement can be used to trigger a buffer overflow. A specially crafted long function name can be used by a local attacker to crash the server or execute arbitrary code with the privileges of the server.
Comments (none posted)
tdiary: cross-site request forgery
Package(s): tdiary
CVE #(s): CAN-2005-2411
Created: September 12, 2005
Updated: September 13, 2005
Description: The tdiary web log utility has a cross-site request forgery vulnerability that can be used by remote attackers to alter a user's local information.
Comments (none posted)
util-linux: unintentional grant of privileges by umount
Package(s): util-linux
CVE #(s): CAN-2005-2876
Created: September 13, 2005
Updated: December 19, 2005
Description: The Linux umount command, as provided in the util-linux package in versions 2.8 to 2.12q, 2.13-pre1 and 2.13-pre2, grants root privileges. See this BugTraq post for more information.
Comments (none posted)
xorg-x11: heap overflow
Package(s): xorg-x11
CVE #(s): CAN-2005-2495
Created: September 12, 2005
Updated: March 8, 2006
Description: The pixmap memory allocation code in the X.Org X window system is vulnerable to an integer overflow; a local user can use this to execute arbitrary code with elevated privileges.
Comments (none posted)
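The xorg-x11 entry above names the bug class but not the mechanism. The following is an added example, not X.Org code, showing the general pattern behind an integer overflow in pixmap allocation: the byte count is computed as width × height × bytes-per-pixel, and if that product wraps, a huge image is backed by a tiny buffer that later drawing writes overrun. The `pixmap_t` struct and every function name here are hypothetical; the naive routine is shown beside a checked version that refuses the allocation instead of under-sizing it.

```c
/*
 * Added example (not X.Org's code): integer overflow when sizing a pixmap
 * buffer, and the checked form that defends against it.
 * pixmap_t and all function names are hypothetical, constructed for this example.
 */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
    size_t   nbytes;        /* bytes actually allocated for data */
    unsigned char *data;
} pixmap_t;

/* Vulnerable pattern: the product is computed in 32 bits and wraps silently.
 * 0x10000 * 0x10000 * 4 == 2^34, which truncates to 0 in a uint32_t, so the
 * caller would allocate nothing and then write 16 GiB of pixel data into it. */
uint32_t naive_pixmap_size(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Hardened pattern: widen to size_t and check each multiplication against
 * SIZE_MAX before performing it. Returns 0 and stores the byte count in *out,
 * or -1 if any dimension is zero or the product would not fit in size_t. */
int checked_pixmap_size(uint32_t w, uint32_t h, uint32_t bpp, size_t *out)
{
    if (w == 0 || h == 0 || bpp == 0)
        return -1;
    if ((size_t)w > SIZE_MAX / (size_t)bpp)
        return -1;                          /* w * bpp would overflow */
    size_t row = (size_t)w * (size_t)bpp;
    if ((size_t)h > SIZE_MAX / row)
        return -1;                          /* row * h would overflow */
    *out = row * (size_t)h;
    return 0;
}

/* Allocates a pixmap only when its size can be represented; never under-sizes. */
pixmap_t *pixmap_create(uint32_t w, uint32_t h, uint32_t bpp)
{
    size_t n;
    if (checked_pixmap_size(w, h, bpp, &n) != 0)
        return NULL;                        /* reject rather than wrap */
    pixmap_t *p = calloc(1, sizeof *p);
    if (p == NULL)
        return NULL;
    p->data = calloc(n, 1);
    if (p->data == NULL) {
        free(p);
        return NULL;
    }
    p->width = w;
    p->height = h;
    p->bytes_per_pixel = bpp;
    p->nbytes = n;
    return p;
}

void pixmap_free(pixmap_t *p)
{
    if (p != NULL) {
        free(p->data);
        free(p);
    }
}

int main(void)
{
    size_t n = 0;
    /* Constructed hostile dimensions: 65536 x 65536 at 4 bytes per pixel. */
    printf("naive size  : %u bytes (wrapped)\n", naive_pixmap_size(0x10000, 0x10000, 4));
    if (checked_pixmap_size(0x10000, 0x10000, 4, &n) == 0)
        printf("checked size: %llu bytes\n", (unsigned long long)n);
    else
        printf("checked size: rejected (overflow)\n");

    pixmap_t *p = pixmap_create(640, 480, 4);       /* ordinary 640x480 image */
    printf("640x480x4   : %s, %zu bytes\n", p ? "ok" : "rejected", p ? p->nbytes : 0);
    pixmap_free(p);
    return 0;
}
```

The usage in `main` contrasts the two routines on the same hostile dimensions: the naive product reports zero bytes, while the checked version either returns the true 2^34-byte size on a 64-bit host or rejects the request outright on a platform where that cannot be represented.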
Resources
Mozilla.org has announced a simple workaround that closes the Firefox International Domain Name (IDN) security vulnerability. "On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user."
Comments (9 posted)
Page editor: Rebecca Sobol