FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

firefox & mozilla -- buffer overflow vulnerability

Affected packages
firefox < 1.0.6_5,1
linux-firefox < 1.0.7
mozilla < 1.7.11_1,2
1.8.*,2 <= mozilla < 1.8.b1_5,2
linux-mozilla < 1.7.12
0 < linux-mozilla-devel
0 <= netscape7
0 <= de-linux-mozillafirebird
0 <= el-linux-mozillafirebird
0 <= ja-linux-mozillafirebird-gtk1
0 <= ja-mozillafirebird-gtk2
0 <= linux-mozillafirebird
0 <= ru-linux-mozillafirebird
0 <= zhCN-linux-mozillafirebird
0 <= zhTW-linux-mozillafirebird
0 <= de-linux-netscape
0 <= de-netscape7
0 <= fr-linux-netscape
0 <= fr-netscape7
0 <= ja-linux-netscape
0 <= ja-netscape7
0 <= linux-netscape
0 <= linux-phoenix
0 <= mozilla+ipv6
0 <= mozilla-embedded
0 <= mozilla-firebird
0 <= mozilla-gtk
0 <= mozilla-gtk1
0 <= mozilla-gtk2
0 <= mozilla-thunderbird
0 <= phoenix
0 <= pt_BR-netscape7

Details

VuXML ID 8665ebb9-2237-11da-978e-0001020eed82
Discovery 2005-09-08
Entry 2005-09-10
Modified 2005-10-26

Tom Ferris reports:

A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host.

The problem seems to be when a hostname which has all dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but is sets encHost to an empty string. Meaning, Firefox appends 0 to approxLen and then appends the long string of dashes to the buffer instead.

[source]

Note: It is possible to disable IDN support as a workaround to protect against this buffer overflow. How to do this is described on the What Firefox and Mozilla users should know about the IDN buffer overflow security issue web page.

References

Bugtraq ID 14784
CERT/CC Vulnerability Note 573857
CVE Name CVE-2005-2871
URL http://marc.theaimsgroup.com/?l=full-disclosure&m=112624614008387
URL http://www.mozilla.org/security/announce/mfsa2005-57.html
URL http://www.mozilla.org/security/idn.html
URL https://bugzilla.mozilla.org/show_bug.cgi?id=307259

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.