
Fedora Legacy Update Advisory

Synopsis: Updated mozilla packages fix security issues
Advisory ID: FLSA:168375
Issue date: 2006-01-09
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2005-2701 CVE-2005-2702 CVE-2005-2703
CVE-2005-2704 CVE-2005-2705 CVE-2005-2706
CVE-2005-2707 CVE-2005-2871 CVE-2005-3089
---------------------------------------------------------------------
1. Topic:

Updated mozilla packages that fix several security bugs are now
available.

Mozilla is an open source Web browser, advanced email and newsgroup
client, IRC chat client, and HTML editor.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386

3. Problem description:

A bug was found in the way Mozilla processes XBM image files. If a user
views a specially crafted XBM file, it becomes possible to execute
arbitrary code as the user running Mozilla. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CVE-2005-2701 to this issue.

A bug was found in the way Mozilla processes certain Unicode sequences.
It may be possible to execute arbitrary code as the user running
Mozilla, if the user views a specially crafted Unicode sequence.
(CVE-2005-2702)

A bug was found in the way Mozilla makes XMLHttp requests. It is
possible that a malicious web page could leverage this flaw to exploit
other proxy or server flaws from the victim's machine. It is also
possible that this flaw could be leveraged to send XMLHttp requests to
hosts other than the originator; the default behavior of the browser is
to disallow this. (CVE-2005-2703)

A bug was found in the way Mozilla implemented its XBL interface. It may
be possible for a malicious web page to create an XBL binding in a way
that would allow arbitrary JavaScript execution with chrome permissions.
Please note that in Mozilla 1.7.10 this issue is not directly
exploitable and would need to leverage other unknown exploits.
(CVE-2005-2704)

An integer overflow bug was found in Mozilla's JavaScript engine. Under
favorable conditions, it may be possible for a malicious web page to
execute arbitrary code as the user running Mozilla. (CVE-2005-2705)

A bug was found in the way Mozilla displays about: pages. It is possible
for a malicious web page to open an about: page, such as about:mozilla,
in such a way that it becomes possible to execute JavaScript with chrome
privileges. (CVE-2005-2706)

A bug was found in the way Mozilla opens new windows. It is possible for
a malicious web site to construct a new window without any user
interface components, such as the address bar and the status bar. This
window could then be used to mislead the user for malicious purposes.
(CVE-2005-2707)

A bug was found in the way Mozilla processes certain international
domain names. An attacker could create a specially crafted HTML file,
which when viewed by the victim would cause Mozilla to crash or possibly
execute arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2005-2871 to this issue.

Users of Mozilla are advised to upgrade to these updated packages that
contain Mozilla version 1.7.12 and are not vulnerable to these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168375

6. RPMs required:

Red Hat Linux 7.3:

SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mozilla-1.7.12-0.73.2.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/galeon-1.2.14-0.73.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-1.7.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-chat-1.7.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-devel-1.7.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-dom-inspector-1.7.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-js-debugger-1.7.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-mail-1.7.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-1.7.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nspr-devel-1.7.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-1.7.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mozilla-nss-devel-1.7.12-0.73.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/galeon-1.2.14-0.73.5.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/mozilla-1.7.12-0.90.1.legacy.src.rpm
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/galeon-1.2.14-0.90.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-1.7.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-chat-1.7.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-devel-1.7.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-dom-inspector-1.7.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-js-debugger-1.7.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-mail-1.7.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-1.7.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nspr-devel-1.7.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-1.7.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mozilla-nss-devel-1.7.12-0.90.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/galeon-1.2.14-0.90.5.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/mozilla-1.7.12-1.1.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/epiphany-1.0.8-1.fc1.5.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-1.7.12-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-chat-1.7.12-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-devel-1.7.12-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-dom-inspector-1.7.12-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-js-debugger-1.7.12-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-mail-1.7.12-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-1.7.12-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nspr-devel-1.7.12-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-1.7.12-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mozilla-nss-devel-1.7.12-1.1.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/epiphany-1.0.8-1.fc1.5.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/mozilla-1.7.12-1.2.1.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/epiphany-1.2.10-0.2.6.legacy.src.rpm
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/devhelp-0.9.1-0.2.9.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-1.7.12-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-chat-1.7.12-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-devel-1.7.12-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-dom-inspector-1.7.12-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-js-debugger-1.7.12-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-mail-1.7.12-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-1.7.12-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nspr-devel-1.7.12-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-1.7.12-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/mozilla-nss-devel-1.7.12-1.2.1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/epiphany-1.2.10-0.2.6.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-0.9.1-0.2.9.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/devhelp-devel-0.9.1-0.2.9.legacy.i386.rpm
7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------


These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>
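The two steps above (check the SHA1 sums from section 7, then freshen only what is installed with rpm -Fvh from section 4) can be chained so that nothing reaches rpm until the whole set verifies. The script below is an added example, not part of the Fedora Legacy advisory; it assumes the checksum list is saved in the advisory's own two-line layout (a 40-hex-digit SHA1 on one line, the repository-relative package path on the next) and that the packages have been downloaded into a local mirror directory with the same relative paths.

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded RPMs against the
# advisory's "SHA1 sum / Package Name" listing before running rpm -Fvh.

# Convert the two-line advisory listing into sha1sum -c input
# ("<sha1>  <path>" per line). The header, the dashed rule and the blank
# lines between releases are skipped because they are not 40 hex digits.
advisory_to_sha1sum_list() {
    awk 'NF == 0 { next }
         length($1) == 40 && $1 ~ /^[0-9a-f]+$/ { sum = $1; next }
         sum != "" { printf "%s  %s\n", sum, $1; sum = "" }' "$1"
}

# verify_advisory_sums LISTFILE MIRRORDIR
# Returns 0 only when every listed package exists under MIRRORDIR and its
# SHA1 matches; sha1sum -c prints the per-file OK/FAILED status.
verify_advisory_sums() {
    list=$1; mirror=$2
    tmp=$(mktemp) || return 2
    advisory_to_sha1sum_list "$list" > "$tmp"
    (cd "$mirror" && sha1sum -c "$tmp")
    status=$?
    rm -f "$tmp"
    return $status
}

# apply_verified_update LISTFILE MIRRORDIR
# Hands the binary RPMs to rpm -Fvh only after the whole set verifies;
# -F (freshen) upgrades just the packages that are already installed.
apply_verified_update() {
    verify_advisory_sums "$1" "$2" || {
        echo "checksum verification failed; not updating" >&2
        return 1
    }
    advisory_to_sha1sum_list "$1" | awk '$2 ~ /\.i386\.rpm$/ { print $2 }' |
        (cd "$2" && xargs rpm -Fvh)
}
```

The sha1sum check only detects corruption or a mismatch against the published list; the GPG signature check with rpm --checksig is still what ties the packages to the Fedora Legacy key.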

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2701
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2703
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3089

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org