Mozilla, Firefox, and Thunderbird tar.gz package has insecure permissions
| mozilla-tar-insecure-permissions (17373) |  High Risk |
Description:
Mozilla versions prior to 1.7.3, Firefox versions prior to 1.0PR and Thunderbird versions prior to 0.8 running on Linux platforms could allow a local attacker to gain elevated privileges. The tar.gz package is installed with insecure permissions on Linux platforms. A local attacker could exploit this vulnerability to overwrite files and possibly execute arbitrary code on the system.
Consequences:
Gain Privileges
Remedy:
For Mozilla:
Upgrade to the latest version (1.7.3 or later), available from the Mozilla Web site. See References.
For Firefox:
Upgrade to the latest version (1.0PR or later), available from the Mozilla Web site. See References.
For Thunderbird:
Upgrade to the latest version (0.8 or later), available from the Mozilla Web site. See References.
For Slackware Linux:
Upgrade to the latest Mozilla package, as listed below. Refer to slackware-security Mailing List, Wed, 22 Sep 2004 13:39:12 -0700 (PDT) for more information. See References.
Slackware Linux 10 and -current: 1.7.3-i486-1 or later
References:
- BugTraq Mailing List, Mon Sep 13 2004 - 14:12:16 CDT: Insecure file permissions in the Firefox browser for Linux >= v0.9.
- Mozilla Bugzilla Bug 254303: 1.7.2 tar.gz package has wrong permissions.
- Mozilla Web site: Mozilla - Home of the Firefox web browser, Thunderbird and the Mozilla Suite.
- slackware-security Mailing List, Wed, 22 Sep 2004 13:39:12 -0700 (PDT): [slackware-security] Mozilla (SSA:2004-266-03).
- BID-11166: Mozilla Firefox XPInstall Default Installation File Permission Vulnerability
- CVE-2004-0907: The Linux install .tar.gz archives for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8, create certain files with insecure permissions, which could allow local users to overwrite those files and execute arbitrary code.
- GLSA-200409-26: Mozilla, Firefox, Thunderbird, Epiphany: New releases fix vulnerabilities
Platforms Affected:
- Gentoo Linux
- Mozilla Firefox 0.7
- Mozilla Firefox 0.8
- Mozilla Firefox 0.9 rc
- Mozilla Firefox 0.9
- Mozilla Firefox 0.9.1
- Mozilla Firefox 0.9.2
- Mozilla Firefox 0.9.3
- Mozilla Mozilla 0.9.2
- Mozilla Mozilla 1.0 rc1
- Mozilla Mozilla 1.0
- Mozilla Mozilla 1.0.1
- Mozilla Mozilla 1.0.2
- Mozilla Mozilla 1.1 Alpha
- Mozilla Mozilla 1.1 Beta
- Mozilla Mozilla 1.1
- Mozilla Mozilla 1.2 Beta
- Mozilla Mozilla 1.2 Alpha
- Mozilla Mozilla 1.2
- Mozilla Mozilla 1.2.1
- Mozilla Mozilla 1.3
- Mozilla Mozilla 1.3.1
- Mozilla Mozilla 1.4 Beta
- Mozilla Mozilla 1.4
- Mozilla Mozilla 1.4 Alpha
- Mozilla Mozilla 1.4.1
- Mozilla Mozilla 1.4.2
- Mozilla Mozilla 1.4.4
- Mozilla Mozilla 1.5 Alpha
- Mozilla Mozilla 1.5 rc1
- Mozilla Mozilla 1.5 rc2
- Mozilla Mozilla 1.5
- Mozilla Mozilla 1.5.1
- Mozilla Mozilla 1.6
- Mozilla Mozilla 1.6 Beta
- Mozilla Mozilla 1.6 Alpha
- Mozilla Mozilla 1.7
- Mozilla Mozilla 1.7 rc3
- Mozilla Mozilla 1.7 rc2
- Mozilla Mozilla 1.7 rc1
- Mozilla Mozilla 1.7 Beta
- Mozilla Mozilla 1.7 Alpha
- Mozilla Mozilla 1.7.1
- Mozilla Mozilla 1.7.2
- Mozilla Thunderbird 0.1
- Mozilla Thunderbird 0.2
- Mozilla Thunderbird 0.3
- Mozilla Thunderbird 0.4
- Mozilla Thunderbird 0.5
- Mozilla Thunderbird 0.6
- Mozilla Thunderbird 0.7
- Mozilla Thunderbird 0.7.1
- Mozilla Thunderbird 0.7.2
- Mozilla Thunderbird 0.7.3
- Slackware Slackware Linux 10.0
- Slackware Slackware Linux current
Reported:
Sep 13, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net