Mozilla products: Multiple vulnerabilities

2007-08-1400:00:00

Gentoo Foundation

security.gentoo.org

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.962 High

EPSS

Percentile

99.5%

JSON

Background

Mozilla Firefox is an open-source web browser from the Mozilla Project, and Mozilla Thunderbird an email client. The SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as the ‘Mozilla Application Suite’. XULRunner is a Mozilla runtime package that can be used to bootstrap XUL+XPCOM applications like Firefox and Thunderbird.

Description

Mozilla developers fixed several bugs, including an issue with modifying XPCNativeWrappers (CVE-2007-3738), a problem with event handlers executing elements outside of the document (CVE-2007-3737), and a cross-site scripting (XSS) vulnerability (CVE-2007-3736). They also fixed a problem with promiscuous IFRAME access (CVE-2007-3089) and an XULRunner URL spoofing issue with the wyciwyg:// URI and HTTP 302 redirects (CVE-2007-3656). Denials of Service involving corrupted memory were fixed in the browser engine (CVE-2007-3734) and the JavaScript engine (CVE-2007-3735). Finally, another XSS vulnerability caused by a regression in the CVE-2007-3089 patch was fixed (CVE-2007-3844).

Impact

A remote attacker could entice a user to view a specially crafted web page that will trigger one of the vulnerabilities, possibly leading to the execution of arbitrary code or a Denial of Service. It is also possible for an attacker to perform cross-site scripting attacks, which could result in the exposure of sensitive information such as login credentials.

Workaround

There is no known workaround at this time.

Resolution

All Mozilla Firefox users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=www-client/mozilla-firefox-2.0.0.6"

All Mozilla Firefox binary users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=www-client/mozilla-firefox-bin-2.0.0.6"

All Mozilla Thunderbird users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=mail-client/mozilla-thunderbird-2.0.0.6"

All Mozilla Thunderbird binary users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=mail-client/mozilla-thunderbird-bin-2.0.0.6"

All SeaMonkey users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=www-client/seamonkey-1.1.4"

All SeaMonkey binary users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=www-client/seamonkey-bin-1.1.4"

All XULRunner users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose "&gt;=net-libs/xulrunner-1.8.1.6"

OSVersionArchitecturePackageVersionFilename
Gentooanyallwww-client/mozilla-firefox< 2.0.0.6UNKNOWN
Gentooanyallwww-client/mozilla-firefox-bin< 2.0.0.6UNKNOWN
Gentooanyallmail-client/mozilla-thunderbird< 2.0.0.6UNKNOWN
Gentooanyallmail-client/mozilla-thunderbird-bin< 2.0.0.6UNKNOWN
Gentooanyallwww-client/seamonkey< 1.1.4UNKNOWN
Gentooanyallwww-client/seamonkey-bin< 1.1.4UNKNOWN
Gentooanyallnet-libs/xulrunner< 1.8.1.6UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Gentoo	any	all	www-client/mozilla-firefox	< 2.0.0.6	UNKNOWN
Gentoo	any	all	www-client/mozilla-firefox-bin	< 2.0.0.6	UNKNOWN
Gentoo	any	all	mail-client/mozilla-thunderbird	< 2.0.0.6	UNKNOWN
Gentoo	any	all	mail-client/mozilla-thunderbird-bin	< 2.0.0.6	UNKNOWN
Gentoo	any	all	www-client/seamonkey	< 1.1.4	UNKNOWN
Gentoo	any	all	www-client/seamonkey-bin	< 1.1.4	UNKNOWN
Gentoo	any	all	net-libs/xulrunner	< 1.8.1.6	UNKNOWN