Mozilla Linux Command Line URL Parsing Security Flaw Reported
Quote:
A critical input validation security vulnerability affecting Linux versions of Mozilla Firefox and the Mozilla Application Suite has been reported today. The flaw could allow an attacker to execute arbitrary commands on a victim's system. The bug exists in the Linux shell scripts that Firefox and the Mozilla Application Suite rely on to parse URLs supplied on the command line or by external programs. If the supplied URL contains any Linux commands enclosed in backticks, these will be executed before Firefox or the Mozilla Application Suite tries to open the URL. Variables such as $HOME will also be expanded.
Mozilla Firefox 1.0.7, a security and stability update to the flagship Mozilla browser, is now available for download. Fixes are included for the international domain name (IDN) link buffer overflow vulnerability and the Linux command line URL parsing flaw. There are also other security and stability changes, including a fix for a crash experienced when using certain Proxy Auto-Config scripts. In addition, some regressions introduced by previous 1.0.x security updates have been resolved.
Mozilla 1.7.12, a security and stability update to the Mozilla Application Suite, is now available for download. Fixes are included for the international domain name (IDN) link buffer overflow vulnerability and the Linux command line URL parsing flaw. There are also other security and stability changes, including a fix for a crash experienced when using certain Proxy Auto-Config scripts. In addition, some regressions introduced by previous 1.7.x security updates have been resolved. If this description sounds like our article on Mozilla Firefox 1.0.7, that's because most of the fixes included in the two releases are the same.
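To make the mechanism in the advisory concrete, here is an added illustration that is neither Mozilla's launcher script nor code posted in this thread: a hypothetical URL launcher written two ways. `unsafe_launch` splices the URL unquoted into an `eval` string, which is the class of bug described above (backticks and `$VAR` get evaluated by the shell before the browser sees the URL); `safe_launch` checks the URL against an allowed character set and then passes it as one quoted argument, so the shell never interprets it. The `fake_browser` stand-in, the function names and the allowed-character set are assumptions; the demo URL is constructed and the command inside its backticks is a harmless `echo`.

```shell
#!/bin/sh
# Added example (not Mozilla's code): unquoted eval of a command-line URL
# versus a validated, quoted launcher.

# Hypothetical stand-in for the browser binary: reports the URL it received.
fake_browser() {
    printf '%s' "$1"
}

# Vulnerable pattern (the bug class from the advisory): the URL text is
# pasted into a string that is then eval'd, so `...` and $HOME inside it
# are expanded by the shell before the "browser" ever runs.
unsafe_launch() {
    eval "fake_browser $1"
}

# Hardened launcher. Two independent defences:
#  1. refuse anything outside a conservative URL character set (assumed here:
#     RFC 3986 unreserved and reserved characters, minus quotes and backticks),
#  2. hand the URL over as a single quoted argument, so even allowed
#     characters such as $ and & are never interpreted by the shell.
safe_launch() {
    url=$1
    [ -n "$url" ] || { printf 'rejected: empty URL\n' >&2; return 1; }
    if printf '%s\n' "$url" | grep -Eq '[^A-Za-z0-9._~:/?#@!$&()*+,;=%-]'; then
        printf 'rejected: URL contains characters outside the allowed set\n' >&2
        return 1
    fi
    fake_browser "$url"
}

# Constructed demo input mirroring the advisory: backticks around a harmless
# echo, plus a $HOME reference. Run the file directly to see both outcomes.
demo_url='http://example.com/`echo EXPANDED`/$HOME'
printf 'unsafe launcher received: %s\n' "$(unsafe_launch "$demo_url")"
if safe_launch "$demo_url" >/dev/null 2>&1; then
    printf 'safe launcher accepted the URL (unexpected)\n'
else
    printf 'safe launcher rejected the URL\n'
fi
```

The character check alone is not the fix; the quoting is. A URL containing `$HOME` is valid and passes the check, and with `"$url"` quoted it reaches the browser literally, which is exactly what the unquoted `eval` version fails to guarantee.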
I have read on secunia.com that Thunderbird has the same flaw. mozilla.org says that a workaround is "Do not click on links in spam or other mail from people you don't know." and "Do not use the affected programs as the default handler for URLs."
You are correct, rjw1678... Personally, I do find it a little odd that a Thunderbird 1.0.7 wasn't released parallel to Firefox 1.0.7, but I'm sure there's a rational explanation...
Yes, notice how they mention Firefox, Thunderbird, and Mozilla as affected products:
Quote:
Products: Firefox, Thunderbird, Mozilla Suite
Yet for "Fixed in", Thunderbird isn't mentioned:
Quote:
Fixed in: Firefox 1.0.7
Mozilla Suite 1.7.12
And of course, if you go to secunia.com you will see on the front page the extremely critical advisory for Thunderbird, as it's still listed as unpatched at the time of this post: