Mozilla Multiple Product nsVCardObj.cpp writeGroup() Function Overflow

2004-08-29T15:51:00
ID OSVDB:9966
Type osvdb
Reporter Georgi Guninski (guninski@guninski.com)
Modified 2004-08-29T15:51:00

Description

Vulnerability Description

A local overflow exists in Mozilla-based applications and Netscape Navigator. The writeGroup() function in nsVCardObj.cpp fails to ensure that parameters with group properties (e.g., TEL.HOME) are an acceptable length, resulting in a stack-based overflow. With a specially crafted vCard, an attacker can cause a denial of service condition, and possibly code execution, resulting in a loss of availability and integrity.
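The missing check described above, shown as an added illustration that is not Mozilla's code: a dotted name such as TEL.HOME is assembled in a fixed-size buffer, and each component's length is verified against the remaining space before it is copied. The function name `join_group_name`, the 256-byte `NAME_BUF_SIZE` and the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 256 /* assumed size of a fixed name buffer */

/* Join components with '.' into out, e.g. {"TEL","HOME"} -> "TEL.HOME".
 * Returns 0 on success, -1 if the result plus NUL would not fit or an
 * argument is invalid. On failure out is emptied, never left truncated. */
int join_group_name(char *out, size_t outsz,
                    const char *const *parts, size_t nparts)
{
    size_t used = 0; /* invariant: used <= outsz - 1 */

    if (out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';
    if (parts == NULL || nparts == 0)
        return -1;

    for (size_t i = 0; i < nparts; i++) {
        size_t sep = (i > 0) ? 1 : 0;
        size_t room = outsz - 1 - used; /* bytes left before the NUL */
        size_t len;

        if (parts[i] == NULL || sep > room ||
            (len = strlen(parts[i])) > room - sep) {
            out[0] = '\0'; /* reject the whole name */
            return -1;
        }
        if (sep)
            out[used++] = '.';
        memcpy(out + used, parts[i], len);
        used += len;
        out[used] = '\0';
    }
    return 0;
}

int main(void)
{
    char name[NAME_BUF_SIZE], big[400]; /* big: constructed oversized input */
    const char *ok[] = { "TEL", "HOME" }, *bad[] = { "TEL", big };

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("%d %s\n", join_group_name(name, sizeof name, ok, 2), name);
    printf("%d\n", join_group_name(name, sizeof name, bad, 2));
    return 0;
}
```

Rejecting an oversized name outright, rather than truncating it, keeps a parser from acting on a property name the sender did not actually write.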

Solution Description

For Mozilla.org products, upgrade to Mozilla 1.7.3, Firefox 1.0PR, Thunderbird 0.8 or higher, as these have been confirmed to fix this vulnerability. An upgrade is required as there are no known workarounds.

For Netscape products, there are currently no known upgrades or patches available to correct this issue. It is possible to mitigate the flaw by disabling the preview pane in Netscape Mail & News. This will help avoid automatic exploitation upon receiving a malicious vCard; however, it will not prevent exploitation if the malicious vCard is viewed via a Netscape product by some other method, such as opening the message normally.

References:

Vendor URL: http://www.mozilla.org/
Vendor Specific Advisory URL
Security Tracker: 1011317
Security Tracker: 1011316
Security Tracker: 1011318
Secunia Advisory ID: 12526
Secunia Advisory ID: 12535
Secunia Advisory ID: 12698
Secunia Advisory ID: 12742
Secunia Advisory ID: 12607
Secunia Advisory ID: 12747
Other Advisory URL: http://security.gentoo.org/glsa/glsa-200409-26.xml
Other Advisory URL: http://www.suse.de/de/security/2004_36_mozilla.html
Other Advisory URL: http://rhn.redhat.com/errata/RHSA-2004-486.html
CVE-2004-0903