Debian Bug report logs - #327366
[CAN-2005-2871] IDN buffer overflow [MFSA 2005-57]

Package: mozilla; Maintainer for mozilla is (unknown);

Reported by: Sam Morris <sam@robots.org.uk>

Date: Fri, 9 Sep 2005 16:03:02 UTC

Severity: critical

Tags: fixed, fixed-upstream, patch, security, upstream

Merged with 327455

Found in version mozilla/2:1.7.8-1sarge2

Fixed in version 2:1.7.12-1

Done: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Jordi Mallach <jordi@debian.org>:
Bug#327366; Package epiphany-browser. Full text and rfc822 format available.

Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
New Bug report received and forwarded. Copy sent to Jordi Mallach <jordi@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Sam Morris <sam@robots.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: epiphany-browser: Susceptible to mozilla-firefox "Host:" buffer overflow?
Date: Fri, 09 Sep 2005 16:50:30 +0100
Package: epiphany-browser
Version: 1.6.5-1
Severity: grave
Tags: security
Justification: user security hole

From <http://lwn.net/Articles/150999/>:

A buffer overflow vulnerability exists within Firefox version 1.0.6 and 
all other prior versions which allows for an attacker to remotely execute 
arbitrary code on an affected host.

The problem seems to be when a hostname which has all dashes causes the
NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true,
but it sets encHost to an empty string.

On my system, attempting to load the example URL causes Epiphany to freeze:
<http://www.security-protocols.com/firefox-death.html>

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (530, 'testing'), (520, 'unstable'), (510, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages epiphany-browser depends on:
ii  dbus-1                 0.23.4-1          simple interprocess messaging syst
ii  dbus-glib-1            0.23.4-1          simple interprocess messaging syst
ii  debconf                1.4.30.13         Debian configuration management sy
ii  gconf2                 2.10.1-1          GNOME configuration database syste
ii  gnome-icon-theme       2.10.1-2          GNOME Desktop icon theme
ii  iso-codes              0.44-1            ISO language, territory, currency 
ii  libart-2.0-2           2.3.17-1          Library of functions for 2D graphi
ii  libatk1.0-0            1.10.1-2          The ATK accessibility toolkit
ii  libbonobo2-0           2.8.1-2           Bonobo CORBA interfaces library
ii  libbonoboui2-0         2.10.0-1          The Bonobo UI library
ii  libc6                  2.3.5-6           GNU C Library: Shared libraries an
ii  libgcc1                1:4.0.1-6         GCC support library
ii  libgconf2-4            2.10.1-1          GNOME configuration database syste
ii  libglade2-0            1:2.5.1-2         library to load .glade files at ru
ii  libglib2.0-0           2.8.0-1           The GLib library of C routines
ii  libgnome-desktop-2     2.10.2-1          Utility library for loading .deskt
ii  libgnome2-0            2.10.1-1          The GNOME 2 library - runtime file
ii  libgnomecanvas2-0      2.10.2-2          A powerful object-oriented display
ii  libgnomeui-0           2.10.1-1          The GNOME 2 libraries (User Interf
ii  libgnomevfs2-0         2.10.1-5          The GNOME virtual file-system libr
ii  libgtk2.0-0            2.6.10-1          The GTK+ graphical user interface 
ii  libice6                4.3.0.dfsg.1-14   Inter-Client Exchange library
ii  liborbit2              1:2.12.2-1        libraries for ORBit2 - a CORBA ORB
ii  libpango1.0-0          1.8.2-1           Layout and rendering of internatio
ii  libpopt0               1.7-5             lib for parsing cmdline parameters
ii  libsm6                 4.3.0.dfsg.1-14   X Window System Session Management
ii  libstartup-notificatio 0.8-1             library for program launch feedbac
ii  libstdc++5             1:3.3.5-13        The GNU Standard C++ Library v3
ii  libx11-6               4.3.0.dfsg.1-14   X Window System protocol client li
ii  libxml2                2.6.20-1          GNOME XML library
ii  libxslt1.1             1.1.14-1          XSLT processing library - runtime 
ii  mozilla-browser        2:1.7.8-1sarge1   The Mozilla Internet application s
ii  mozilla-psm            2:1.7.8-1sarge1   The Mozilla Internet application s
ii  xlibs                  4.3.0.dfsg.1-14   X Keyboard Extension (XKB) configu
ii  zlib1g                 1:1.2.2-4.sarge.2 compression library - runtime

-- no debconf information
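
Added example (not part of the original report, and not Mozilla's code): a small C model of the failure mode quoted above, where a normalizer reports success but leaves the encoded host empty, next to a caller that validates the output instead of trusting the return value. The names normalize_host and build_spec are hypothetical, and the all-dashes rule is a constructed stand-in for the reported behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an IDN normalizer. It models the reported
 * behaviour only: a host made entirely of '-' yields "success" with an
 * empty output string. Any other host is copied unchanged. */
static bool normalize_host(const char *host, char *out, size_t out_cap)
{
    size_t len = strlen(host);

    if (len > 0 && strspn(host, "-") == len) {
        out[0] = '\0';
        return true;              /* success reported, output empty */
    }
    if (len >= out_cap)
        return false;             /* does not fit: real failure */
    memcpy(out, host, len + 1);
    return true;
}

/* Builds "scheme://host/" into spec. Returns 0 on success, -1 if the
 * input is rejected. The caller never assumes that a true return from
 * the normalizer implies a usable, non-empty host. */
int build_spec(const char *scheme, const char *host,
               char *spec, size_t spec_cap)
{
    char enc[256];
    int n;

    if (!normalize_host(host, enc, sizeof enc))
        return -1;
    if (enc[0] == '\0')           /* "succeeded" but produced nothing */
        return -1;

    /* Bounded write: the length comes from the string actually copied,
     * never from the pre-normalization input. */
    n = snprintf(spec, spec_cap, "%s://%s/", scheme, enc);
    if (n < 0 || (size_t)n >= spec_cap)
        return -1;                /* truncated: reject, do not use */
    return 0;
}
```
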



Bug reassigned from package `epiphany-browser' to `mozilla'. Request was from Jordi Mallach <jordi@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#327366; Package mozilla. Full text and rfc822 format available.

Acknowledgement sent to Loïc Minier <lool@dooz.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>. Full text and rfc822 format available.

Message #12 received at 327366@bugs.debian.org (full text, mbox):

From: Loïc Minier <lool@dooz.org>
To: Sam Morris <sam@robots.org.uk>, 327366@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#327366: epiphany-browser: Susceptible to mozilla-firefox "Host:" buffer overflow?
Date: Mon, 26 Sep 2005 10:53:07 +0200
tags 327366 + upstream fixed-upstream patch
severity 327366 critical
merge 327366 327455
retitle 327366 [CAN-2005-2871] IDN buffer overflow [MFSA 2005-57]
thanks

        Hi,

On Fri, Sep 09, 2005, Sam Morris wrote:
> A buffer overflow vulnerability exists within Firefox version 1.0.6 and 
> all other prior versions which allows for an attacker to remotely execute 
> arbitrary code on an affected host.

 When reporting bugs against Epiphany or Galeon, please check whether
 Mozilla, their engine, is affected.  In the future, the engine of these
 browsers might switch from Mozilla to Firefox though.

> The problem seems to be when a hostname which has all dashes causes the
> NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true,
> but it sets encHost to an empty string.

 This is "fixed" in Mozilla 1.7.12 by disabling IDN and/or installing a
 patch as explained at:
    <https://addons.mozilla.org/messages/307259.html>

   Bye,

-- 
Loïc Minier <lool@dooz.org>



Tags added: upstream, fixed-upstream, patch Request was from Loïc Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Severity set to `critical'. Request was from Loïc Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Merged 327366 327455. Request was from Loïc Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Loïc Minier <lool@dooz.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed Request was from Alexander Sack <asac@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 2:1.7.12-1, send any further explanations to Sam Morris <sam@robots.org.uk> Request was from "Adam D. Barratt" <debian-bts@adam-barratt.org.uk> to control@bugs.debian.org. Full text and rfc822 format available.

Message sent on to Sam Morris <sam@robots.org.uk>:
Bug#327366. Full text and rfc822 format available.

Message #33 received at 327366-submitter@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <debian-bts@adam-barratt.org.uk>
To: 271427-submitter@bugs.debian.org, 314698-submitter@bugs.debian.org, 325635-submitter@bugs.debian.org, 328017-submitter@bugs.debian.org, 320115-submitter@bugs.debian.org, 320284-submitter@bugs.debian.org, 320899-submitter@bugs.debian.org, 327078-submitter@bugs.debian.org, 327349-submitter@bugs.debian.org, 320903-submitter@bugs.debian.org, 327946-submitter@bugs.debian.org, 320941-submitter@bugs.debian.org, 321126-submitter@bugs.debian.org, 321545-submitter@bugs.debian.org, 341341-submitter@bugs.debian.org, 321553-submitter@bugs.debian.org, 321644-submitter@bugs.debian.org, 346013-submitter@bugs.debian.org, 321816-submitter@bugs.debian.org, 321967-submitter@bugs.debian.org, 330024-submitter@bugs.debian.org, 321998-submitter@bugs.debian.org, 322583-submitter@bugs.debian.org, 322853-submitter@bugs.debian.org, 356739-submitter@bugs.debian.org, 322961-submitter@bugs.debian.org, 322972-submitter@bugs.debian.org, 323084-submitter@bugs.debian.org, 323160-submitter@bugs.debian.org, 323355-submitter@bugs.debian.org, 323725-submitter@bugs.debian.org, 323942-submitter@bugs.debian.org, 324371-submitter@bugs.debian.org, 324553-submitter@bugs.debian.org, 324558-submitter@bugs.debian.org, 324579-submitter@bugs.debian.org, 324606-submitter@bugs.debian.org, 324908-submitter@bugs.debian.org, 325210-submitter@bugs.debian.org, 325490-submitter@bugs.debian.org, 325514-submitter@bugs.debian.org, 326468-submitter@bugs.debian.org, 325532-submitter@bugs.debian.org, 327366-submitter@bugs.debian.org, 329778-submitter@bugs.debian.org, 332480-submitter@bugs.debian.org, 325635-submitter@bugs.debian.org, 328017-submitter@bugs.debian.org, 325835-submitter@bugs.debian.org, 325851-submitter@bugs.debian.org, 325938-submitter@bugs.debian.org, 327930-submitter@bugs.debian.org, 326285-submitter@bugs.debian.org, 326295-submitter@bugs.debian.org, 373110-submitter@bugs.debian.org, 379331-submitter@bugs.debian.org, 379334-submitter@bugs.debian.org, 326298-submitter@bugs.debian.org, 
326311-submitter@bugs.debian.org, 326355-submitter@bugs.debian.org, 326362-submitter@bugs.debian.org, 326371-submitter@bugs.debian.org, 326372-submitter@bugs.debian.org, 326378-submitter@bugs.debian.org, 326466-submitter@bugs.debian.org, 347129-submitter@bugs.debian.org, 347205-submitter@bugs.debian.org, 326489-submitter@bugs.debian.org, 326756-submitter@bugs.debian.org, 365518-submitter@bugs.debian.org, 327429-submitter@bugs.debian.org, 350429-submitter@bugs.debian.org, 327911-submitter@bugs.debian.org, 327718-submitter@bugs.debian.org, 327933-submitter@bugs.debian.org, 327936-submitter@bugs.debian.org, 327970-submitter@bugs.debian.org, 327984-submitter@bugs.debian.org, 327986-submitter@bugs.debian.org, 291328-submitter@bugs.debian.org, 327996-submitter@bugs.debian.org, 328002-submitter@bugs.debian.org, 328018-submitter@bugs.debian.org, 328039-submitter@bugs.debian.org, 328172-submitter@bugs.debian.org, 328333-submitter@bugs.debian.org, 328334-submitter@bugs.debian.org, 328335-submitter@bugs.debian.org, 328352-submitter@bugs.debian.org, 328364-submitter@bugs.debian.org, 329467-submitter@bugs.debian.org, 330446-submitter@bugs.debian.org, 333857-submitter@bugs.debian.org, 330666-submitter@bugs.debian.org, 330938-submitter@bugs.debian.org
Subject: Bugs fixed in NMU, documenting versions
Date: Sun, 22 Oct 2006 22:06:57 +0100
# Hi,
#
# These bugs were fixed in an NMU, but have not been acknowledged by the
# maintainers.  With version tracking in the Debian BTS, it is important
# to know which version of a package fixes each bug so that they can be
# tracked for release status, so I'm closing these bugs with the
# relevant version information now

close 271427 8.14+v8.11+urw-0.1
close 314698 0.35-2.1
close 325635 0.35-2.1
close 328017 0.35-2.1
close 320115 2.0-4.2
close 320284 1.11
close 320899 11.4.1870-7.1
close 327078 11.4.1870-7.1
close 327349 11.4.1870-7.1
close 320903 1:0.71-1.2
close 327946 1:0.71-1.2
close 320941 2.0.3-1.1
close 321126 2.6.3.2
close 321545 0.1.3b-1.1
close 341341 0.1.3b-1.1
close 321553 0.1.12-2.2
close 321644 2:1.7.12-1.1
close 346013 2:1.7.12-1.1
close 321816 2.61-2.1
close 321967 4.0.0-2.1
close 330024 4.0.0-2.1
close 321998 0.9.21-0.1
close 322583 0.3.8.1-4
close 322853 0.7.1-3.1
close 356739 0.7.1-3.1
close 322961 0.4.3.1.dfsg-0.1
close 322972 9.4.2-2.4
close 323084 0.4.5+cvs20030824-1.4
close 323160 0.1.10-0.1
close 323355 1.2.11-0.2
close 323725 0.18.2-10.1
close 323942 0.4.0-4.1
close 324371 4.3-18.1
close 324553 2.9.5.0.37.5.2
close 324558 1.2-release-2.1
close 324579 1.11-6.2
close 324606 1.2-release-2.2
close 324908 0.12.4-4.1
close 325210 2.6.0-1.1
close 325490 0.7.1-1.1
close 325514 0.8.6-1.1
close 326468 0.8.6-1.1
close 325532 2:1.7.12-1
close 327366 2:1.7.12-1
close 329778 2:1.7.12-1
close 332480 2:1.7.12-1
close 325635 0.35-2.1
close 328017 0.35-2.1
close 325835 0.1.12-7.1
close 325851 2:1.7.8-1sarge2
close 325938 0.9.8beta2-4.1
close 327930 0.9.8beta2-4.1
close 326285 0.99.3-5.1
close 326295 0.8.2-5.1
close 373110 0.8.2-5.1
close 379331 0.8.2-5.1
close 379334 0.8.2-5.1
close 326298 0.2.12-2.1
close 326311 0.3.5-1pre1.1
close 326355 2.1.8-2.1
close 326362 0.6-7.2
close 326371 0.90beta1-10.1
close 326372 1.0-0.1
close 326378 0.1.17-4.3
close 326466 6.3.2-2.1
close 347129 6.3.2-2.1
close 347205 6.3.2-2.1
close 326489 0.3.7-2.1
close 326756 1.0.9-1.1
close 365518 1.0.9-1.1
close 327429 1.2-1.1
close 350429 1.2-1.1
close 327911 2.3.5-1.1
close 327718 0.6.0-8.2
close 327933 0.9.2-1.1
close 327936 0.8.5-1.1
close 327970 0.5.1-2.1
close 327984 1.3-2.1
close 327986 0.2.36-4.1
close 291328 0.2.36-4.1
close 327996 1.0-1.1
close 328002 1.0.0-9.1
close 328018 2.1.3-2.1
close 328039 1.18A-2.1
close 328172 1.002-0.2
close 328333 4.1.2-1.1
close 328334 1.34-7.1
close 328335 0.8.2-2.1
close 328352 0.13-3.1
close 328364 0.4.0-test5-2.1
close 329467 1.3.1
close 330446 0.1.83
close 333857 0.1.83
close 330666 6:6.2.4.5-0.2
close 330938 0.5.1-2.2




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 22:40:06 GMT) Full text and rfc822 format available.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 14:09:44 2014; Machine Name: buxtehude.debian.org
