Lookup for vulnerable packages by Package URL.

Purl pkg:mozilla/SeaMonkey@1.0.8
Type mozilla
Namespace
Name SeaMonkey
Version 1.0.8
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 1.0.9
Latest_non_vulnerable_version 2.38.0
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-1j51-1nhr-53fd
vulnerability_id VCID-1j51-1nhr-53fd
summary
iDefense has informed Mozilla about two potential buffer overflow
vulnerabilities found by researcher regenrecht
in the Network Security Services (NSS) code for processing
the SSLv2 protocol. SSL clients such as Firefox and Thunderbird can suffer
a buffer overflow if a malicious server presents a certificate
with a public key that is too small to encrypt the entire
"Master Secret". Exploiting this overflow appears to be
unreliable but possible if the SSLv2 protocol is enabled. Servers that use NSS
for the SSLv2 protocol can be exploited by
a client that presents a "Client Master Key" with invalid length
values in any of several fields that are used without adequate
error checking. This can lead to a buffer overflow that
presumably could be exploitable. Support for SSLv2 is disabled in Firefox 2 due to other known
weaknesses in the protocol; Firefox 2 is not vulnerable unless
the user has modified hidden internal NSS settings to
re-enable SSLv2 support.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
reference_id CVE-2007-0008
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0008
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2007-06
reference_id mfsa2007-06
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2007-06
fixed_packages
0
url pkg:mozilla/SeaMonkey@1.0.8
purl pkg:mozilla/SeaMonkey@1.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8
aliases CVE-2007-0008
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1j51-1nhr-53fd
1
url VCID-94fg-bbsu-nfbk
vulnerability_id VCID-94fg-bbsu-nfbk
summary
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995
reference_id CVE-2007-0995
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0995
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2007-02
reference_id mfsa2007-02
reference_type
scores
0
value low
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2007-02
fixed_packages
0
url pkg:mozilla/SeaMonkey@1.0.8
purl pkg:mozilla/SeaMonkey@1.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8
aliases CVE-2007-0995
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-94fg-bbsu-nfbk
2
url VCID-f2kp-75dy-juep
vulnerability_id VCID-f2kp-75dy-juep
summary
Michal Zalewski demonstrated that setting location.hostname
to a value with embedded null characters can confuse the browser's domain
checks. Setting the value triggers a load, but the networking software reads
the hostname only up to the null character while other checks for "parent
domain" start at the right and so can have a completely different idea of what
the current host is. This cannot be used for a direct same-origin violation to perform cross-site
scripting: those checks are performed on the complete hostname including
the nulls. However, other mechanisms rely on matching parent domains and those
can be fooled by this trick. For example, this flaw allows a malicious page
to set domain cookies for any arbitrary site, which might be useful in a
session-fixation attack. This also allows setting document.domain to any
arbitrary value which could be used to perform a cross-site scripting
attack against any page which also sets document.domain.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981
reference_id CVE-2007-0981
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0981
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2007-07
reference_id mfsa2007-07
reference_type
scores
0
value high
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2007-07
fixed_packages
0
url pkg:mozilla/SeaMonkey@1.0.8
purl pkg:mozilla/SeaMonkey@1.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8
aliases CVE-2007-0981
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f2kp-75dy-juep
3
url VCID-ffnp-4cx7-4ucu
vulnerability_id VCID-ffnp-4cx7-4ucu
summary
Aad reported that two web pages can collide in the disk cache
with the result that depending on order loaded the end of the longer
document can be appended to the shorter when the shorter is reloaded from
the cache. It is possible a determined hacker could construct a targeted
attack to steal some sensitive data from a particular web page (for example,
transaction history from a financial account). The potential victim would
have to be already logged into the targeted service (or be fooled into doing
so) and then visit the malicious site. We have not calculated how much effort would be required to compute a colliding
URL on a different host from the target page.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778
reference_id CVE-2007-0778
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0778
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2007-03
reference_id mfsa2007-03
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2007-03
fixed_packages
0
url pkg:mozilla/SeaMonkey@1.0.8
purl pkg:mozilla/SeaMonkey@1.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8
aliases CVE-2007-0778
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ffnp-4cx7-4ucu
4
url VCID-hbzv-jkrg-nudr
vulnerability_id VCID-hbzv-jkrg-nudr
summary
moz_bug_r_a4 reports that the fix for
MFSA 2006-72 in Firefox 1.5.0.9 and Firefox 2.0.0.1
introduced a regression that allows scripts from web content
to execute arbitrary code by setting the src
attribute of an IMG tag to a specially crafted
javascript: URI. The same regression also caused javascript: URIs in
IMG tags to be executed even if JavaScript
execution was disabled in the global preferences. This facet was
noted by moz_bug_r_a4 and reported independently by
Anbo Motohiko. Thunderbird is not affected by this flaw as it will not execute
javascript: URIs in IMG tags.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0994
reference_id CVE-2007-0994
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0994
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2007-09
reference_id mfsa2007-09
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2007-09
fixed_packages
0
url pkg:mozilla/SeaMonkey@1.0.8
purl pkg:mozilla/SeaMonkey@1.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8
1
url pkg:mozilla/SeaMonkey@1.1.1
purl pkg:mozilla/SeaMonkey@1.1.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.1.1
aliases CVE-2007-0994
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hbzv-jkrg-nudr
5
url VCID-ppd4-9vpc-rkg4
vulnerability_id VCID-ppd4-9vpc-rkg4
summary
shutdown reported that if you could convince a user to
open a blocked popup you could perform a cross-site scripting attack against
any site that contains a frame whose source is a data: URL. To accomplish this
the attacker's site would have to frame the target site plus another frame
whose source is the exact same data: url as the victim site, and then
attempt to open a popup with a javascript: url from the data: frame. It is
unclear whether any high-value target sites that match this description
actually exist. Similarly, Michal Zalewski reported that although pages
loaded from the web normally cannot open windows containing local files,
if you could convince a user to open a blocked popup then this restriction
could be bypassed. In order to take advantage of this flaw the attacker
would have to know the full path to a locally-saved file containing
malicious script. He also reported that a flaw in the seeding of the
pseudo-random number generator resulted in downloaded files being
saved to temporary files with a reasonably predictable name. The two combined
could be used to steal information saved on the local disk.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
reference_id CVE-2007-0780
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0780
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2007-05
reference_id mfsa2007-05
reference_type
scores
0
value none
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2007-05
fixed_packages
0
url pkg:mozilla/SeaMonkey@1.0.8
purl pkg:mozilla/SeaMonkey@1.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8
aliases CVE-2007-0780
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ppd4-9vpc-rkg4
6
url VCID-rxjp-56cu-r7c2
vulnerability_id VCID-rxjp-56cu-r7c2
summary
As part of the Firefox 2.0.0.2 and 1.5.0.10 update releases we fixed
several bugs to improve the stability of the product. Some of these were
crashes that showed evidence of memory corruption and we presume that
with enough effort at least some of these could be exploited to run
arbitrary code. Thunderbird shares the browser engine with Firefox
and could be vulnerable if JavaScript were to be enabled in
mail. This is not the default setting and we strongly discourage users from
running JavaScript in mail. Without further investigation we cannot rule out
the possibility that for some of these an attacker might be able to prepare
memory for exploitation through some means other than JavaScript, such as
large images.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
reference_id CVE-2007-0775
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0775
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2007-01
reference_id mfsa2007-01
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2007-01
fixed_packages
0
url pkg:mozilla/SeaMonkey@1.0.8
purl pkg:mozilla/SeaMonkey@1.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8
aliases CVE-2007-0775
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rxjp-56cu-r7c2
7
url VCID-t7af-aka8-jyhj
vulnerability_id VCID-t7af-aka8-jyhj
summary
David Eckel reported that browser UI elements--such as the host name
and security indicators--could be spoofed by using a large, mostly
transparent, custom cursor and adjusting the CSS3 hotspot property
so that the visible part of the cursor floated outside the browser
content area. This feature was introduced in Firefox 1.5 and does not affect products
based on Mozilla 1.7 or earlier such as Firefox 1.0.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779
reference_id CVE-2007-0779
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0779
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2007-04
reference_id mfsa2007-04
reference_type
scores
0
value low
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2007-04
fixed_packages
0
url pkg:mozilla/SeaMonkey@1.0.8
purl pkg:mozilla/SeaMonkey@1.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8
aliases CVE-2007-0779
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t7af-aka8-jyhj
8
url VCID-vnz7-xw1b-6bdx
vulnerability_id VCID-vnz7-xw1b-6bdx
summary
Michal Zalewski reported a memory corruption vulnerability in Firefox
2.0.0.1 involving mixing the onUnload event handler and self-modifying
document.write() calls. This flaw was introduced in Firefox 2.0.0.1
and 1.5.0.9 and does not affect earlier versions; it is fixed in
Firefox 2.0.0.2 and 1.5.0.10.
references
0
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1092
reference_id CVE-2007-1092
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1092
1
reference_url https://www.mozilla.org/en-US/security/advisories/mfsa2007-08
reference_id mfsa2007-08
reference_type
scores
0
value critical
scoring_system generic_textual
scoring_elements
url https://www.mozilla.org/en-US/security/advisories/mfsa2007-08
fixed_packages
0
url pkg:mozilla/SeaMonkey@1.0.8
purl pkg:mozilla/SeaMonkey@1.0.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8
aliases CVE-2007-1092
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vnz7-xw1b-6bdx
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:mozilla/SeaMonkey@1.0.8