__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Firefox Security Update
[Red Hat RHSA-2007:0400-3]

May 31, 2007 18:00 GMT                                        Number R-255
[REVISED 15 June 2007]
[REVISED 22 June 2007]
[REVISED 7 Dec 2007]
______________________________________________________________________________
PROBLEM:    There are several vulnerabilities in the way Firefox:
            1) processed certain malformed JavaScript code;
            2) handled certain FTP PASV commands;
            3) handled certain form and cookie data;
            4) handled the addEventListener JavaScript method; and
            5) displayed certain web content.

PLATFORM:   RHEL Desktop Workstation (v. 5 client)
            Red Hat Desktop (v. 4)
            Red Hat Enterprise Linux (v. 5 server)
            Red Hat Enterprise Linux AS, ES, WS (v. 4)
            Red Hat Enterprise Linux Desktop (v. 5 client)
            Debian GNU/Linux 4.0 (etch)
            Solaris 8, 9, 10

DAMAGE:     1) A web page containing malicious JavaScript code could cause
               Firefox to crash or potentially execute arbitrary code as the
               user running Firefox;
            2) A malicious FTP server could use this flaw to perform a
               rudimentary port-scan of machines behind a user's firewall;
            3) A malicious web site that is able to set arbitrary form and
               cookie data could prevent Firefox from functioning properly;
            4) A malicious web site could use this method to access or modify
               sensitive data from another web site; and
            5) A malicious web page could generate content that would overlay
               user interface elements such as the hostname and security
               indicators, tricking users into thinking they are visiting a
               different site.

SOLUTION:   Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY ASSESSMENT:
            The risk is MEDIUM. Could execute arbitrary code as user running
            Firefox.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-255.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0400.html
 ADDITIONAL LINKS:   http://www.debian.org/security/2007/dsa-1300
                     http://www.debian.org/security/2007/dsa-1308
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-103125-1
                     http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-103136-1
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-1362 CVE-2007-1562 CVE-2007-2867 CVE-2007-2868
                     CVE-2007-2869 CVE-2007-2870 CVE-2007-2871
______________________________________________________________________________
REVISION HISTORY:
06/15/2007 - revised R-255 to add a link to Debian Security Advisory
             DSA-1300-1 for Debian GNU/Linux 4.0 (etch).
06/22/2007 - revised R-255 to add a link to Debian Security Advisory
             DSA-1308-1 for Debian GNU/Linux 4.0 (etch).
12/07/2007 - revised R-255 to add links to Sun Alert ID: 103125 and 103136
             for Mozilla v1.7, Solaris 8, 9, 10.

[***** Start Red Hat RHSA-2007:0400-3 *****]

Critical: firefox security update

Advisory:          RHSA-2007:0400-3
Type:              Security Advisory
Severity:          Critical
Issued on:         2007-05-30
Last updated on:   2007-05-30
Affected Products: RHEL Desktop Workstation (v. 5 client)
                   Red Hat Desktop (v. 4)
                   Red Hat Enterprise Linux (v. 5 server)
                   Red Hat Enterprise Linux AS (v. 4)
                   Red Hat Enterprise Linux Desktop (v. 5 client)
                   Red Hat Enterprise Linux ES (v. 4)
                   Red Hat Enterprise Linux WS (v. 4)
OVAL:              com.redhat.rhsa-20070400.xml
CVEs (cve.mitre.org):
                   CVE-2007-1362
                   CVE-2007-1562
                   CVE-2007-2867
                   CVE-2007-2868
                   CVE-2007-2869
                   CVE-2007-2870
                   CVE-2007-2871

Details

Updated firefox packages that fix several security bugs are now available for
Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat
Security Response Team.

Mozilla Firefox is an open source Web browser.

Several flaws were found in the way Firefox processed certain malformed
JavaScript code. A web page containing malicious JavaScript code could cause
Firefox to crash or potentially execute arbitrary code as the user running
Firefox. (CVE-2007-2867, CVE-2007-2868)

A flaw was found in the way Firefox handled certain FTP PASV commands. A
malicious FTP server could use this flaw to perform a rudimentary port-scan of
machines behind a user's firewall. (CVE-2007-1562)

Several denial of service flaws were found in the way Firefox handled certain
form and cookie data. A malicious web site that is able to set arbitrary form
and cookie data could prevent Firefox from functioning properly.
(CVE-2007-1362, CVE-2007-2869)

A flaw was found in the way Firefox handled the addEventListener JavaScript
method. A malicious web site could use this method to access or modify
sensitive data from another web site. (CVE-2007-2870)

A flaw was found in the way Firefox displayed certain web content. A malicious
web page could generate content that would overlay user interface elements
such as the hostname and security indicators, tricking users into thinking
they are visiting a different site. (CVE-2007-2871)

Users of Firefox are advised to upgrade to these erratum packages, which
contain Firefox version 1.5.0.12 that corrects these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

241670 - CVE-2007-1362 Multiple Firefox flaws (CVE-2007-1562, CVE-2007-2867,
         CVE-2007-2868, CVE-2007-2869, CVE-2007-2870, CVE-2007-2871)

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2867
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2868
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2869
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2871
http://www.redhat.com/security/updates/classification/#critical

--------------------------------------------------------------------------------
These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2007:0400-3 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S.
Department of Energy (DOE) and the emergency backup response team for
the National Institutes of Health (NIH). CIAC is located at the
Lawrence Livermore National Laboratory in Livermore, California. CIAC
is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation
and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-245: Vulnerability in Crypto Library
R-246: Multiple Vulnerabilities in Cisco IOS while Processing SSL Packets
R-247: Apple Security Update 2007-005
R-248: Security Vulnerabilities in the SOCKS Module of Sun Java System Web Proxy
R-249: Avast! Antivirus Vulnerability
R-250: File Security Update
R-251: Apple QuickTime 7.1.6 Security Update
R-252: Mozilla Layout Engine Vulnerable
R-253: SeaMonkey Security Update
R-254: Thunderbird Security Update
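
The bulletin's remediation is to upgrade to the erratum packages carrying Firefox 1.5.0.12. As an added example (not part of the CIAC or Red Hat text), the following patch-compliance check flags hosts whose firefox build predates the fixed one. It assumes an inventory of `host name version-release` lines such as `rpm -q --qf` output would give; the host names and older builds are constructed, the fixed builds are taken from the erratum's package file names, and the comparison is a simplified rpmvercmp that ignores epochs and `~`/`^`.

```python
import re

# Fixed firefox builds (version-release) from the erratum, keyed by dist tag.
FIXED = {"el4": "1.5.0.12-0.1.el4", "el5": "1.5.0.12-1.el5"}

# Constructed sample inventory: host, package name, version-release.
SAMPLE = """
ws01  firefox 1.5.0.10-2.el5
ws02  firefox 1.5.0.12-1.el5
srv03 firefox 1.5.0.9-0.1.el4
srv04 firefox 1.5.0.12-0.1.el4
ws05  firefox 1.5.0.12-3.el5
ws06  yelp    2.16.0-3.el5
"""

def _segments(s):
    # rpm compares maximal runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpmvercmp: returns -1, 0 or 1 (no '~' or '^' handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)      # numeric compare, so 9 < 12
        elif x.isdigit() != y.isdigit():
            # A numeric segment always sorts newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # Shared segments are equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(a, b):
    """Compare two version-release strings: version first, then release."""
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return vercmp(va, vb) or vercmp(ra, rb)

def unpatched(inventory):
    """Return (host, build) pairs whose firefox build predates the fix."""
    stale = []
    for line in inventory.strip().splitlines():
        host, name, build = line.split()
        dist = build.rsplit(".", 1)[-1]          # e.g. "el5"
        if name == "firefox" and dist in FIXED and evr_cmp(build, FIXED[dist]) < 0:
            stale.append((host, build))
    return stale

if __name__ == "__main__":
    for host, build in unpatched(SAMPLE):
        print(f"{host}: firefox {build} is older than the erratum build")
```

A plain string comparison would rank 1.5.0.9 above 1.5.0.12; the segment-wise numeric comparison is what makes srv03 show up as unpatched.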