GLSA-200509-11 : Mozilla Suite, Mozilla Firefox: Multiple vulnerabilities
High Nessus Plugin ID 19810
Synopsis
The remote Gentoo host is missing one or more security-related patches.
Description
The remote host is affected by the vulnerability described in GLSA-200509-11 (Mozilla Suite, Mozilla Firefox: Multiple vulnerabilities)
The Mozilla Suite and Firefox are both vulnerable to the following issues:
Tom Ferris reported a heap overflow in IDN-enabled browsers with malicious Host: headers (CAN-2005-2871).
'jackerror' discovered a heap overrun in XBM image processing (CAN-2005-2701).
Mats Palmgren reported a potentially exploitable stack corruption using specific Unicode sequences (CAN-2005-2702).
Georgi Guninski discovered an integer overflow in the JavaScript engine (CAN-2005-2705) Other issues ranging from DOM object spoofing to request header spoofing were also found and fixed in the latest versions (CAN-2005-2703, CAN-2005-2704, CAN-2005-2706, CAN-2005-2707).
The Gecko engine in itself is also affected by some of these issues and has been updated as well.
Impact :
A remote attacker could setup a malicious site and entice a victim to visit it, potentially resulting in arbitrary code execution with the victim's privileges or facilitated spoofing of known websites.
Workaround :
There is no known workaround for all the issues.
Solution
All Mozilla Firefox users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=www-client/mozilla-firefox-1.0.7-r2' All Mozilla Suite users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=www-client/mozilla-1.7.12-r2' All Mozilla Firefox binary users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=www-client/mozilla-firefox-bin-1.0.7' All Mozilla Suite binary users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=www-client/mozilla-bin-1.7.12' All Gecko library users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose '>=net-libs/gecko-sdk-1.7.12'