From security@mandriva.com Thu Oct 6 23:06:57 2005
From: Mandriva Security Team
To: full-disclosure@lists.grok.org.uk
Date: Thu, 06 Oct 2005 21:04:11 -0600
Subject: [Full-disclosure] MDKSA-2005:173 - Updated mozilla-firefox packages fix vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Update Advisory
 _______________________________________________________________________

 Package name:           mozilla-firefox
 Advisory ID:            MDKSA-2005:173
 Date:                   October 6th, 2005

 Affected versions:      10.2, 2006.0
 ______________________________________________________________________

 Problem Description:

 New updates are available for Mozilla Firefox:

 A regression in the LE2005 Firefox package caused problems with cursor
 movement; this has been fixed.

 The run-mozilla.sh script, with debugging enabled, would allow local
 users to create or overwrite arbitrary files via a symlink attack on
 temporary files (CAN-2005-2353).

 nsScriptSecurityManager::GetBaseURIScheme did not handle
 jar:view-source:... correctly because the jar: and view-source: cases
 did not use recursion as they were supposed to. This was corrected in
 Firefox 1.0.4 and therefore only affects the LE2005 (10.2) package,
 which is based on Firefox 1.0.2; the 2006.0 package is based on 1.0.6
 and already contains that fix.

 The updated packages have been patched to correct these issues.
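 To make the CAN-2005-2353 bug class concrete, the following is an added
 example and not the run-mozilla.sh script itself (the advisory does not
 give the script's debug path or variable names, so the "mozdebug.log"
 name and the two helper functions here are assumptions). It shows why a
 debug log written to a predictable name in a shared directory can be
 redirected by any local user, and why creating the file with mktemp
 closes the hole:

```shell
#!/bin/sh
# Added illustration of the CAN-2005-2353 bug class; this is NOT the
# run-mozilla.sh code from the advisory. A debug helper that logs to a
# predictable path in a shared directory can be redirected by any local user
# who plants a symlink at that path first; creating the file with mktemp
# (O_CREAT|O_EXCL, mode 0600, random name) defeats that.

# Unsafe pattern (hypothetical helper): the log path is fixed and guessable,
# and >> follows whatever already sits there, symlink included.
unsafe_debug_log() {
    echo "debug: $2" >> "$1"
}

# Safe pattern (hypothetical helper): let mktemp pick an unpredictable name
# and create the file atomically, so an attacker cannot pre-create it.
# Prints the path it actually used.
safe_debug_log() {
    dir=$1
    log=$(mktemp "$dir/mozdebug.XXXXXX") || return 1
    echo "debug: $2" >> "$log"
    printf '%s\n' "$log"
}

# Re-enact the attack in a private scratch directory (constructed sample;
# nothing under the real /tmp is touched). Prints "<unsafe hits> <safe hits>":
# "1 0" means the unsafe write landed in the victim file and the safe one
# did not.
demo() {
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim_file"        # stands in for e.g. ~/.bashrc
    : > "$victim"

    # Attacker: plant a symlink at the name the debug logger will use.
    ln -s "$victim" "$sandbox/mozdebug.log"

    # Victim, unsafe helper: the append goes through the symlink.
    unsafe_debug_log "$sandbox/mozdebug.log" "hello"
    unsafe_hits=$(grep -c 'debug: hello' "$victim" || true)

    # Victim, safe helper: a fresh file; the planted link is never opened.
    safe_debug_log "$sandbox" "world" >/dev/null
    safe_hits=$(grep -c 'debug: world' "$victim" || true)

    rm -rf "$sandbox"
    printf '%s %s\n' "$unsafe_hits" "$safe_hits"
}

demo
```

 The same applies to any script that runs with a user's privileges and
 writes to /tmp: the fix is never "pick a less obvious name", because the
 attacker only has to win once; it is to let the kernel refuse to reuse a
 pre-existing name, which is what mktemp's O_EXCL creation gives you.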
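 The GetBaseURIScheme problem is easier to see with a small resolver. The
 following is an added example, not Mozilla's nsScriptSecurityManager
 code: it assumes the usual wrapper syntaxes jar:<inner>!/<entry> and
 view-source:<inner>, and contrasts a resolver that unwraps one layer and
 stops (the behaviour the advisory describes) with one in which every
 wrapper case re-enters the resolver on the inner URI. The innermost
 scheme is the one a scheme-keyed policy decision has to be made on, so
 reporting "view-source" for jar:view-source:http://... is the wrong
 answer:

```shell
#!/bin/sh
# Added illustration, not Mozilla's nsScriptSecurityManager code. A URI can
# be wrapped in pseudo-schemes such as jar:<inner>!/<entry> and
# view-source:<inner> (syntax assumed here); the scheme that matters for a
# security decision is the innermost one, so each wrapper case has to
# re-enter the resolver on the inner URI. Handling one layer and stopping is
# the bug the advisory describes for jar:view-source:...

# Buggy version: unwraps one layer only, so jar:view-source:http://...
# reports "view-source" instead of the underlying transport scheme.
base_scheme_once() {
    case $1 in
        jar:*)         inner=${1#jar:}; inner=${inner%%!/*}; printf '%s\n' "${inner%%:*}" ;;
        view-source:*) inner=${1#view-source:};             printf '%s\n' "${inner%%:*}" ;;
        *)             printf '%s\n' "${1%%:*}" ;;
    esac
}

# Fixed version: every wrapper case recurses on what it unwrapped, so any
# nesting order or depth bottoms out at the real scheme.
base_scheme() {
    case $1 in
        jar:*)         inner=${1#jar:}; base_scheme "${inner%%!/*}" ;;
        view-source:*) base_scheme "${1#view-source:}" ;;
        *)             printf '%s\n' "${1%%:*}" ;;
    esac
}

# Constructed sample inputs showing where the two resolvers diverge.
for u in 'http://example.com/' \
         'jar:http://example.com/a.jar!/index.html' \
         'jar:view-source:http://example.com/a.jar!/index.html' \
         'view-source:jar:file:///home/user/a.jar!/index.html'; do
    printf '%-55s once=%-12s recursive=%s\n' \
        "$u" "$(base_scheme_once "$u")" "$(base_scheme "$u")"
done
```

 Note the last input: with only one layer unwrapped the resolver answers
 "jar", and a file: URI is never seen as such. Whatever policy hangs off
 the scheme is then evaluated against a wrapper name rather than against
 the resource that will actually be loaded.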
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2353
 ______________________________________________________________________

 Updated Packages:

 Mandrivalinux 10.2:
 8802442f13b423d32f90beab90b57b39  10.2/RPMS/libnspr4-1.0.2-10.1.102mdk.i586.rpm
 490de6be6ed37670b498f1b32ce9911d  10.2/RPMS/libnspr4-devel-1.0.2-10.1.102mdk.i586.rpm
 15bd80dbb1661d1991d7cb5d882de84b  10.2/RPMS/libnss3-1.0.2-10.1.102mdk.i586.rpm
 abb90d3203f570d84e0228214244c16a  10.2/RPMS/libnss3-devel-1.0.2-10.1.102mdk.i586.rpm
 692a964ae2a2fc96bad0926ba57f6608  10.2/RPMS/mozilla-firefox-1.0.2-10.1.102mdk.i586.rpm
 3d88f5181f16a5ac731c183af04973c0  10.2/RPMS/mozilla-firefox-devel-1.0.2-10.1.102mdk.i586.rpm
 915ff77d3dabc2c821f7355d0fc379db  10.2/SRPMS/mozilla-firefox-1.0.2-10.1.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 a5b17c8a1142e20db9d69b934f54607d  x86_64/10.2/RPMS/lib64nspr4-1.0.2-10.1.102mdk.x86_64.rpm
 f041b7de49dd120ddb63ba6b2d466feb  x86_64/10.2/RPMS/lib64nspr4-devel-1.0.2-10.1.102mdk.x86_64.rpm
 8802442f13b423d32f90beab90b57b39  x86_64/10.2/RPMS/libnspr4-1.0.2-10.1.102mdk.i586.rpm
 490de6be6ed37670b498f1b32ce9911d  x86_64/10.2/RPMS/libnspr4-devel-1.0.2-10.1.102mdk.i586.rpm
 13b1057af97d829a4aae52cdb5f3bcab  x86_64/10.2/RPMS/lib64nss3-1.0.2-10.1.102mdk.x86_64.rpm
 42cbcf8cf37d45472d7d1d742cc91e22  x86_64/10.2/RPMS/lib64nss3-devel-1.0.2-10.1.102mdk.x86_64.rpm
 15bd80dbb1661d1991d7cb5d882de84b  x86_64/10.2/RPMS/libnss3-1.0.2-10.1.102mdk.i586.rpm
 abb90d3203f570d84e0228214244c16a  x86_64/10.2/RPMS/libnss3-devel-1.0.2-10.1.102mdk.i586.rpm
 83cb2e763eac7d6117daf62a4adb14ab  x86_64/10.2/RPMS/mozilla-firefox-1.0.2-10.1.102mdk.x86_64.rpm
 76ba06daf1900bbaa357744daec1060a  x86_64/10.2/RPMS/mozilla-firefox-devel-1.0.2-10.1.102mdk.x86_64.rpm
 915ff77d3dabc2c821f7355d0fc379db  x86_64/10.2/SRPMS/mozilla-firefox-1.0.2-10.1.102mdk.src.rpm

 Mandrivalinux 2006.0:
 4729fc4e3d1b10f2e16e94c23a5d55e9  2006.0/RPMS/libnspr4-1.0.6-16.1.20060mdk.i586.rpm
 bf450dbb8f1f20abfcc57b9decb30eb4  2006.0/RPMS/libnspr4-devel-1.0.6-16.1.20060mdk.i586.rpm
 760d6ab6f917091183818d6946c4482f  2006.0/RPMS/libnss3-1.0.6-16.1.20060mdk.i586.rpm
 a9b14f14a73c89950b445c747f9c306c  2006.0/RPMS/libnss3-devel-1.0.6-16.1.20060mdk.i586.rpm
 94adfb3dbdb796da0d2ab01b842e8351  2006.0/RPMS/mozilla-firefox-1.0.6-16.1.20060mdk.i586.rpm
 01947ebf2c815bc36e955cc98ce23f27  2006.0/RPMS/mozilla-firefox-devel-1.0.6-16.1.20060mdk.i586.rpm
 93f3763d032cd82e7b214afeecccd4a9  2006.0/SRPMS/mozilla-firefox-1.0.6-16.1.20060mdk.src.rpm

 Mandrivalinux 2006.0/X86_64:
 68542f490600d394fd8246081a899894  x86_64/2006.0/RPMS/lib64nspr4-1.0.6-16.1.20060mdk.x86_64.rpm
 3589f6d4e900c9c400c881861e50a927  x86_64/2006.0/RPMS/lib64nspr4-devel-1.0.6-16.1.20060mdk.x86_64.rpm
 4729fc4e3d1b10f2e16e94c23a5d55e9  x86_64/2006.0/RPMS/libnspr4-1.0.6-16.1.20060mdk.i586.rpm
 bf450dbb8f1f20abfcc57b9decb30eb4  x86_64/2006.0/RPMS/libnspr4-devel-1.0.6-16.1.20060mdk.i586.rpm
 7a7d70dd78e89ef04b1c1f69b3711bfe  x86_64/2006.0/RPMS/lib64nss3-1.0.6-16.1.20060mdk.x86_64.rpm
 8f7a198febbcd4c819b93eee2e4822ad  x86_64/2006.0/RPMS/lib64nss3-devel-1.0.6-16.1.20060mdk.x86_64.rpm
 760d6ab6f917091183818d6946c4482f  x86_64/2006.0/RPMS/libnss3-1.0.6-16.1.20060mdk.i586.rpm
 a9b14f14a73c89950b445c747f9c306c  x86_64/2006.0/RPMS/libnss3-devel-1.0.6-16.1.20060mdk.i586.rpm
 8d72c505c3634bee91ed8a6d1add342d  x86_64/2006.0/RPMS/mozilla-firefox-1.0.6-16.1.20060mdk.x86_64.rpm
 a1e80b35074ce98d49812d46f4f0de47  x86_64/2006.0/RPMS/mozilla-firefox-devel-1.0.6-16.1.20060mdk.x86_64.rpm
 93f3763d032cd82e7b214afeecccd4a9  x86_64/2006.0/SRPMS/mozilla-firefox-1.0.6-16.1.20060mdk.src.rpm
 _______________________________________________________________________

 Bug IDs fixed (see http://qa.mandriva.com for more information):

 18980 - left/right keys on input text jump over several words
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

 security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID    Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFDReWqmqjQ0CJFipgRAmCkAJ9H8FBb+mttPOvoDbAbs1aDdjAoTQCbBIvB
kb0UpSg5nxWw1XKVAu6BqgI=
=bcU2
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/