- Issued:
- 2005-03-01
- Updated:
- 2005-03-01
RHSA-2005:176 - Security Advisory
Synopsis
firefox security update
Type/Severity
Security Advisory: Critical
Topic
Updated firefox packages that fix various bugs are now available.
This update has been rated as having critical security impact by the Red
Hat Security Response Team.
Description
Mozilla Firefox is an open source Web browser.
A bug was found in the Firefox string handling functions. If a malicious
website is able to exhaust a system's memory, it becomes possible to
execute arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-0255 to this issue.
A bug was found in the way Firefox handles pop-up windows. It is possible
for a malicious website to control the content in an unrelated site's
pop-up window. (CAN-2004-1156)
A bug was found in the way Firefox allows plug-ins to load privileged
content into a frame. It is possible that a malicious webpage could trick a
user into clicking in certain places to modify configuration settings or
execute arbitrary code. (CAN-2005-0232 and CAN-2005-0527).
A flaw was found in the way Firefox displays international domain names. It
is possible for an attacker to display a valid URL, tricking the user into
thinking they are viewing a legitimate webpage when they are not.
(CAN-2005-0233)
A bug was found in the way Firefox handles plug-in temporary files. A
malicious local user could create a symlink to a victims directory, causing
it to be deleted when the victim exits Firefox. (CAN-2005-0578)
A bug has been found in one of Firefox's UTF-8 converters. It may be
possible for an attacker to supply a specially crafted UTF-8 string to the
buggy converter, leading to arbitrary code execution. (CAN-2005-0592)
A bug was found in the Firefox javascript security manager. If a user drags
a malicious link to a tab, the javascript security manager is bypassed
which could result in remote code execution or information disclosure.
(CAN-2005-0231)
A bug was found in the way Firefox displays the HTTP authentication prompt.
When a user is prompted for authentication, the dialog window is displayed
over the active tab, regardless of the tab that caused the pop-up to appear
and could trick a user into entering their username and password for a
trusted site. (CAN-2005-0584)
A bug was found in the way Firefox displays the save file dialog. It is
possible for a malicious webserver to spoof the Content-Disposition header,
tricking the user into thinking they are downloading a different filetype.
(CAN-2005-0586)
A bug was found in the way Firefox handles users "down-arrow" through auto
completed choices. When an autocomplete choice is selected, the information
is copied into the input control, possibly allowing a malicious web site to
steal information by tricking a user into arrowing through autocompletion
choices. (CAN-2005-0589)
Several bugs were found in the way Firefox displays the secure site icon.
It is possible that a malicious website could display the secure site icon
along with incorrect certificate information. (CAN-2005-0593)
A bug was found in the way Firefox displays the download dialog window. A
malicious site can obfuscate the content displayed in the source field,
tricking a user into thinking they are downloading content from a trusted
source. (CAN-2005-0585)
A bug was found in the way Firefox handles xsl:include and xsl:import
directives. It is possible for a malicious website to import XSLT
stylesheets from a domain behind a firewall, leaking information to an
attacker. (CAN-2005-0588)
A bug was found in the way Firefox displays the installation confirmation
dialog. An attacker could add a long user:pass before the true hostname,
tricking a user into thinking they were installing content from a trusted
source. (CAN-2005-0590)
A bug was found in the way Firefox displays download and security dialogs.
An attacker could cover up part of a dialog window tricking the user into
clicking "Allow" or "Open", which could potentially lead to arbitrary code
execution. (CAN-2005-0591)
Users of Firefox are advised to upgrade to this updated package which
contains Firefox version 1.0.1 and is not vulnerable to these issues.
Solution
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied. Use Red Hat
Network to download and update your packages. To launch the Red Hat
Update Agent, use the following command:
up2date
For information on how to install packages manually, refer to the
following Web page for the System Administration or Customization
guide specific to your system:
http://www.redhat.com/docs/manuals/enterprise/
Affected Products
- Red Hat Enterprise Linux Server 4 x86_64
- Red Hat Enterprise Linux Server 4 ia64
- Red Hat Enterprise Linux Server 4 i386
- Red Hat Enterprise Linux Workstation 4 x86_64
- Red Hat Enterprise Linux Workstation 4 ia64
- Red Hat Enterprise Linux Workstation 4 i386
- Red Hat Enterprise Linux Desktop 4 x86_64
- Red Hat Enterprise Linux Desktop 4 i386
- Red Hat Enterprise Linux for IBM z Systems 4 s390x
- Red Hat Enterprise Linux for IBM z Systems 4 s390
- Red Hat Enterprise Linux for Power, big endian 4 ppc
Fixes
- BZ - 142506 - CAN-2004-1156 Frame injection vulnerability.
- BZ - 144216 - CAN-2005-0585 download dialog URL spoofing
- BZ - 147402 - CAN-2005-0233 homograph spoofing
- BZ - 147727 - CAN-2005-0232 fireflashing vulnerability (CAN-2005-0527)
- BZ - 147735 - CAN-2005-0231 firefox javascript tab security bypass
- BZ - 149876 - CAN-2005-0255 Memory overwrite in string library
- BZ - 149923 - CAN-2005-0578 Unsafe /tmp/plugtmp directory exploitable to erase user's files
- BZ - 149929 - CAN-2005-0584 HTTP auth prompt tab spoofing
- BZ - 149930 - CAN-2005-0586 Download dialog spoofing using Content-Disposition header
- BZ - 149931 - CAN-2005-0588 XSLT can include stylesheets from arbitrary hosts
- BZ - 149934 - CAN-2005-0589 Autocomplete data leak
- BZ - 149936 - CAN-2005-0590 Install source spoofing with user:pass@host
- BZ - 149937 - CAN-2005-0591 Spoofing download and security dialogs with overlapping windows
- BZ - 149938 - CAN-2005-0592 Heap overflow possible in UTF8 to Unicode conversion
- BZ - 149939 - CAN-2005-0593 SSL "secure site" indicator spoofing
CVEs
- CVE-2004-1156
- CVE-2005-0231
- CVE-2005-0232
- CVE-2005-0233
- CVE-2005-0527
- CVE-2005-0578
- CVE-2005-0584
- CVE-2005-0585
- CVE-2005-0586
- CVE-2005-0588
- CVE-2005-0590
- CVE-2005-0591
- CVE-2005-0593
- CVE-2005-0255
- CVE-2005-0589
- CVE-2005-0592
References
Red Hat Enterprise Linux Server 4
| SRPM | |
|---|---|
| firefox-1.0.1-1.4.3.src.rpm | SHA-256: 7b9a6875a2fc71e95164bcaadc8633df168b4b589cac788b0f2dc549d2b8a620 |
| x86_64 | |
| firefox-1.0.1-1.4.3.x86_64.rpm | SHA-256: a8f7c22c0410fc9071c08e2b091d232036f4177f03aa174aada37a309e402ce7 |
| firefox-1.0.1-1.4.3.x86_64.rpm | SHA-256: a8f7c22c0410fc9071c08e2b091d232036f4177f03aa174aada37a309e402ce7 |
| ia64 | |
| firefox-1.0.1-1.4.3.ia64.rpm | SHA-256: efa8607b6e28e00b9cd876bf4a17302ac293f3f5d5590a71269e6a4bfcb8cc9f |
| firefox-1.0.1-1.4.3.ia64.rpm | SHA-256: efa8607b6e28e00b9cd876bf4a17302ac293f3f5d5590a71269e6a4bfcb8cc9f |
| i386 | |
| firefox-1.0.1-1.4.3.i386.rpm | SHA-256: 0953eaa71649adf5b3f1c501e4a667854b4952563465fb68ea4a750b04447894 |
| firefox-1.0.1-1.4.3.i386.rpm | SHA-256: 0953eaa71649adf5b3f1c501e4a667854b4952563465fb68ea4a750b04447894 |
Red Hat Enterprise Linux Workstation 4
| SRPM | |
|---|---|
| firefox-1.0.1-1.4.3.src.rpm | SHA-256: 7b9a6875a2fc71e95164bcaadc8633df168b4b589cac788b0f2dc549d2b8a620 |
| x86_64 | |
| firefox-1.0.1-1.4.3.x86_64.rpm | SHA-256: a8f7c22c0410fc9071c08e2b091d232036f4177f03aa174aada37a309e402ce7 |
| ia64 | |
| firefox-1.0.1-1.4.3.ia64.rpm | SHA-256: efa8607b6e28e00b9cd876bf4a17302ac293f3f5d5590a71269e6a4bfcb8cc9f |
| i386 | |
| firefox-1.0.1-1.4.3.i386.rpm | SHA-256: 0953eaa71649adf5b3f1c501e4a667854b4952563465fb68ea4a750b04447894 |
Red Hat Enterprise Linux Desktop 4
| SRPM | |
|---|---|
| firefox-1.0.1-1.4.3.src.rpm | SHA-256: 7b9a6875a2fc71e95164bcaadc8633df168b4b589cac788b0f2dc549d2b8a620 |
| x86_64 | |
| firefox-1.0.1-1.4.3.x86_64.rpm | SHA-256: a8f7c22c0410fc9071c08e2b091d232036f4177f03aa174aada37a309e402ce7 |
| i386 | |
| firefox-1.0.1-1.4.3.i386.rpm | SHA-256: 0953eaa71649adf5b3f1c501e4a667854b4952563465fb68ea4a750b04447894 |
Red Hat Enterprise Linux for IBM z Systems 4
| SRPM | |
|---|---|
| firefox-1.0.1-1.4.3.src.rpm | SHA-256: 7b9a6875a2fc71e95164bcaadc8633df168b4b589cac788b0f2dc549d2b8a620 |
| s390x | |
| firefox-1.0.1-1.4.3.s390x.rpm | SHA-256: 99d8c9a9f05f3b2727148f821e16eeb254c541bfe9869804728c861d4c2e7475 |
| s390 | |
| firefox-1.0.1-1.4.3.s390.rpm | SHA-256: 2a0fe5e0d81b7b9957e05321f26d87ef4c9180cbf660884a4ac5f050c4dab309 |
Red Hat Enterprise Linux for Power, big endian 4
| SRPM | |
|---|---|
| firefox-1.0.1-1.4.3.src.rpm | SHA-256: 7b9a6875a2fc71e95164bcaadc8633df168b4b589cac788b0f2dc549d2b8a620 |
| ppc | |
| firefox-1.0.1-1.4.3.ppc.rpm | SHA-256: 8ee21c6ad2b80dd4fb62cf6795b4f0cebc5bcf9747c044184ce572155e3c8898 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.