Remote vulnerability in Mozilla 1.0
From: Tom <tom@lemuria.org> To: bugtraq@securityfocus.com Subject: remote DoS in Mozilla 1.0 Date: Mon, 10 Jun 2002 10:20:06 +0200 Author ====== Tom Vogt <tom@lemuria.org> http://web.lemuria.org/ Affected ======== Mozilla 1.0 and earlier verified on Linux and Solaris, other Unixes most likely affected as well. Effect ====== System becomes unuseable or X windows crashes (varies depending on system configuration) Description =========== When loading pages with a specially prepared (or erroneous) stylesheet, mozilla and X windows (not restricted to XFree) exhibit any of two undesireable behaviours. This seems to depend on the local system configuration, especially to the presence of xfs, but bug reports so far are inconclusive. In one scenario, X simply crashes, taking everything with it. This will result in the loss of unsaved work. In scenario two, memory useage of the X server explodes until the machine reaches the thrashing point, at which point only a hard kill (-9) of the X server can save it, provided there are enough system resources left to issue the kill. Some systems see no crash, but random misbehaviour of X components that often require a shutdown of the X server to fix. See the follow ups in bugzilla for a full description of these various behaviours. The bug is triggered by a huge font setting done through CSS. Depending on the end user's system configuration, this will either trigger an abort in the XFree86 code ("Beziers this large not supported") or cause an explosive use of memory. It is unknown how much memory could get consumed, but follow-ups to the mozilla bug verify that machines with 1 GB of memory still reach the thrashing point. Example ======= Include a huge font size in your style sheet definition, e.g.: body { font-size: 1666666px; } http://www.adeliesolutions.com/Projects/ http://bugzilla.mozilla.org/attachment.cgi?id=87009&action=view Vendor Contact ============== filed as mozilla bug #150339 http://bugzilla.mozilla.org/show_bug.cgi?id=150339 Mozilla team scrambled immediately also filed with the XFree86 team, no reaction so far Solution/Patches ================ No patches have been issued so far, though the mozilla team appears to be at work and a patch should be available soon. Another solution would be turning off stylesheets. Mozilla does not have an option for doing so in the preferences dialog, so this must be done either in the preferences file manually, or by editing the source code. I have not reviewed this option further. Unchecking the "allow documents to use other fonts" button in preferences does NOT provide a workaround. Author Statement ================ Aside from the fact that I don't believe in "responsible disclosure", this is already public knowledge through bugzilla. Kudos to the mozilla team for prompt and competent reactions. -- New GPG Key issued (old key expired): http://web.lemuria.org/pubkey.html pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org> Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
Posted Jun 13, 2002 6:40 UTC (Thu)
by jamesh (guest, #1159)
[Link] (1 responses)
Posted Jun 13, 2002 12:40 UTC (Thu)
by jamesh (guest, #1159)
[Link]
Posted Jun 13, 2002 15:08 UTC (Thu)
by Baylink (guest, #755)
[Link]
1) Is this really limited to Moz 1.0? Does it not happen in earlier versions, or in Netscape or Konq, etc? 2) When *fixing* things like this, remember that "sanity" is not the same thing to everyone. I've spent some time doing TV graphics design, and often, you *want* a character twice the height of your screen -- it makes a great design element.
Yet another good reason to use Xft and client side fonts ...
Xft
Just checked again, and no crashes or even heavy swapping when using mozilla with Xft support turned on.
Xft
There are two points that I made in a BugTraq folo that the moderators saw fit to can without comment:Remote vulnerability in Mozilla 1.0