GLSA-200408-22 : Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities

Critical Nessus Plugin ID 14578


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-200408-22 (Mozilla, Firefox, Thunderbird, Galeon, Epiphany: New releases fix vulnerabilities)

Mozilla, Galeon, Epiphany, Mozilla Firefox and Mozilla Thunderbird contain the following vulnerabilities:
All Mozilla tools use libpng for graphics. This library contains a buffer overflow which may lead to arbitrary code execution.
If a user imports a forged Certificate Authority (CA) certificate, it may overwrite and corrupt the valid CA already installed on the machine.
Mozilla, Mozilla Firefox, and other gecko-based browsers also contain a bug in their caching which may allow the SSL icon to remain visible, even when the site in question is an insecure site.
Impact :

Users of Mozilla, Mozilla Firefox, and other gecko-based browsers are susceptible to SSL certificate spoofing, a Denial of Service against legitimate SSL sites, crashes, and arbitrary code execution. Users of Mozilla Thunderbird are susceptible to crashes and arbitrary code execution via malicious e-mails.
Workaround :

There is no known workaround for most of these vulnerabilities. All users are advised to upgrade to the latest available version.


All users should upgrade to the latest stable version:
# emerge sync # emerge -pv your-version # emerge your-version

See Also

Plugin Details

Severity: Critical

ID: 14578

File Name: gentoo_GLSA-200408-22.nasl

Version: $Revision: 1.15 $

Type: local

Published: 2004/08/30

Modified: 2015/04/13

Dependencies: 12634

Risk Information

Risk Factor: Critical


Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:epiphany, p-cpe:/a:gentoo:linux:galeon, p-cpe:/a:gentoo:linux:mozilla, p-cpe:/a:gentoo:linux:mozilla-bin, p-cpe:/a:gentoo:linux:mozilla-firefox, p-cpe:/a:gentoo:linux:mozilla-firefox-bin, p-cpe:/a:gentoo:linux:mozilla-thunderbird, p-cpe:/a:gentoo:linux:mozilla-thunderbird-bin, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2004/08/23

Vulnerability Publication Date: 2004/06/29

Reference Information

CVE: CVE-2004-0597, CVE-2004-0598, CVE-2004-0599, CVE-2004-0758, CVE-2004-0763

OSVDB: 7939, 8310, 8312, 8313, 8314, 8315, 8316, 8326

GLSA: 200408-22