<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200608-02"> <title>Mozilla SeaMonkey: Multiple vulnerabilities</title> <synopsis> The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla SeaMonkey. </synopsis> <product type="ebuild">SeaMonkey</product> <announced>2006-08-03</announced> <revised count="01">2006-08-03</revised> <bug>141842</bug> <access>remote</access> <affected> <package name="www-client/seamonkey" auto="yes" arch="*"> <unaffected range="ge">1.0.3</unaffected> <vulnerable range="lt">1.0.3</vulnerable> </package> </affected> <background> <p> The Mozilla SeaMonkey project is a community effort to deliver production-quality releases of code derived from the application formerly known as "Mozilla Application Suite". </p> </background> <description> <p> The following vulnerabilities have been reported: </p> <ul> <li>Benjamin Smedberg discovered that chrome URL's could be made to reference remote files.</li> <li>Developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients, which could lead to the execution of arbitrary code by a remote attacker.</li> <li>"shutdown" reports that cross-site scripting (XSS) attacks could be performed using the construct XPCNativeWrapper(window).Function(...), which created a function that appeared to belong to the window in question even after it had been navigated to the target site.</li> <li>"shutdown" reports that scripts granting the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context.</li> <li>"moz_bug_r_a4" reports that A malicious Proxy AutoConfig (PAC) server could serve a PAC script that can execute code with elevated privileges by setting the required FindProxyForURL function to the eval method on a privileged object that leaked into the PAC sandbox.</li> <li>"moz_bug_r_a4" discovered that Named JavaScript functions have a parent object created using the standard Object() constructor (ECMA-specified behavior) and that this constructor can be redefined by script (also ECMA-specified behavior).</li> <li>Igor Bukanov and shutdown found additional places where an untimely garbage collection could delete a temporary object that was in active use.</li> <li>Georgi Guninski found potential integer overflow issues with long strings in the toSource() methods of the Object, Array and String objects as well as string function arguments.</li> <li>H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object.</li> <li>A malicious page can hijack native DOM methods on a document object in another domain, which will run the attacker's script when called by the victim page.</li> <li>Secunia Research has discovered a vulnerability which is caused due to an memory corruption error within the handling of simultaneously happening XPCOM events. This leads to use of a deleted timer object.</li> <li>An anonymous researcher for TippingPoint and the Zero Day Initiative showed that when used in a web page Java would reference properties of the window.navigator object as it started up.</li> <li>Thilo Girmann discovered that in certain circumstances a JavaScript reference to a frame or window was not properly cleared when the referenced content went away.</li> </ul> </description> <impact type="normal"> <p> A user can be enticed to open specially crafted URLs, visit webpages containing malicious JavaScript or execute a specially crafted script. These events could lead to the execution of arbitrary code, or the installation of malware on the user's computer. </p> </impact> <workaround> <p> There is no known workaround at this time. </p> </workaround> <resolution> <p> All Thunderbird users should upgrade to the latest version: </p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=www-client/seamonkey-1.0.3"</code> </resolution> <references> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113">CVE-2006-3113</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3677">CVE-2006-3677</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3801">CVE-2006-3801</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3802">CVE-2006-3802</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803">CVE-2006-3803</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804">CVE-2006-3804</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805">CVE-2006-3805</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806">CVE-2006-3806</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807">CVE-2006-3807</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3808">CVE-2006-3808</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3809">CVE-2006-3809</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3810">CVE-2006-3810</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811">CVE-2006-3811</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3812">CVE-2006-3812</uri> </references> <metadata tag="requester" timestamp="2006-07-28T14:37:24Z"> DerCorny </metadata> <metadata tag="submitter" timestamp="2006-07-28T18:00:11Z"> dizzutch </metadata> <metadata tag="bugReady" timestamp="2006-08-03T16:55:20Z"> DerCorny </metadata> </glsa>