Mozilla XPInstall insecure file permissions

mozilla-insecure-file-permissions (17375)

High Risk

Description:

Mozilla versions prior to 1.7.3, Firefox versions prior to 1.0PR and Thunderbird versions prior to 0.8 running on Linux platforms could allow a local attacker to gain elevated privileges. XPInstall fails to recognize the user's umask when installing certain files and creates the files with group and world writable permissions. This could allow a local attacker to overwrite or corrupt sensitive files, and possibly execute arbitrary code on the system.

Platforms Affected:

• Gentoo, Linux
• Mozilla, Firefox 0.7
• Mozilla, Firefox 0.8
• Mozilla, Firefox 0.9 rc
• Mozilla, Firefox 0.9
• Mozilla, Firefox 0.9.1
• Mozilla, Firefox 0.9.2
• Mozilla, Firefox 0.9.3
• Mozilla, Mozilla 0.9.2
• Mozilla, Mozilla 1.0 rc1
• Mozilla, Mozilla 1.0
• Mozilla, Mozilla 1.0.1
• Mozilla, Mozilla 1.0.2
• Mozilla, Mozilla 1.1 Alpha
• Mozilla, Mozilla 1.1 Beta
• Mozilla, Mozilla 1.1
• Mozilla, Mozilla 1.2 Alpha
• Mozilla, Mozilla 1.2 Beta
• Mozilla, Mozilla 1.2
• Mozilla, Mozilla 1.2.1
• Mozilla, Mozilla 1.3
• Mozilla, Mozilla 1.3.1
• Mozilla, Mozilla 1.4 Beta
• Mozilla, Mozilla 1.4
• Mozilla, Mozilla 1.4 Alpha
• Mozilla, Mozilla 1.4.1
• Mozilla, Mozilla 1.4.2
• Mozilla, Mozilla 1.4.4
• Mozilla, Mozilla 1.5 Alpha
• Mozilla, Mozilla 1.5 rc1
• Mozilla, Mozilla 1.5 rc2
• Mozilla, Mozilla 1.5
• Mozilla, Mozilla 1.5.1
• Mozilla, Mozilla 1.6
• Mozilla, Mozilla 1.6 Beta
• Mozilla, Mozilla 1.6 Alpha
• Mozilla, Mozilla 1.7
• Mozilla, Mozilla 1.7 rc3
• Mozilla, Mozilla 1.7 rc2
• Mozilla, Mozilla 1.7 rc1
• Mozilla, Mozilla 1.7 Beta
• Mozilla, Mozilla 1.7 Alpha
• Mozilla, Mozilla 1.7.1
• Mozilla, Mozilla 1.7.2
• Mozilla, Thunderbird 0.1
• Mozilla, Thunderbird 0.2
• Mozilla, Thunderbird 0.3
• Mozilla, Thunderbird 0.4
• Mozilla, Thunderbird 0.5
• Mozilla, Thunderbird 0.6
• Mozilla, Thunderbird 0.7
• Mozilla, Thunderbird 0.7.1
• Mozilla, Thunderbird 0.7.2
• Mozilla, Thunderbird 0.7.3
• RedHat, Enterprise Linux 2.1 WS
• RedHat, Enterprise Linux 2.1 ES
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Enterprise Linux 3 ES
• RedHat, Enterprise Linux 3 AS
• RedHat, Enterprise Linux 3 Desktop
• RedHat, Enterprise Linux 3 WS
• RedHat, Linux Advanced Workstation 2.1 Itanium
• Slackware, Slackware Linux 10.0
• Slackware, Slackware Linux current
• SuSE, Linux Enterprise Server 8
• SuSE, SuSE Linux 9.0
• SuSE, SuSE Linux Desktop 1.0

Remedy:

For Mozilla:
Upgrade to the latest version (1.7.3 or later), available from the Mozilla Web site. See References.

For Firefox:
Upgrade to the latest version (1.0PR or later), available from the Mozilla Web site. See References.

For Thunderbird:
Upgrade to the latest version (0.8 or later), available from the Mozilla Web site. See References.

For Slackware Linux:
Upgrade to the latest Mozilla package, as listed below. Refer to slackware-security Mailing List, Wed, 22 Sep 2004 13:39:12 -0700 (PDT) for more information. See References.

Slackware Linux 10 and -current: 1.7.3-i486-1 or later

For Red Hat Linux (mozilla):
Refer to RHSA-2005:323-10 for patch, upgrade, or suggested workaround information. See References.

Consequences:

Gain Privileges

References:

• Mozilla Bugzilla Bug 231083, wrong file permissions after installation at http://bugzilla.mozilla.org/show_bug.cgi?id=231083.
• Mozilla Bugzilla Bug 235781, XPInstall ignores user's umask when installing files at http://bugzilla.mozilla.org/show_bug.cgi?id=235781.
• Mozilla Web site, Mozilla - Home of the Firefox web browser, Thunderbird and the Mozilla Suite at http://www.mozilla.org/.
• slackware-security Mailing List, Wed, 22 Sep 2004 13:39:12 -0700 (PDT), [slackware-security] Mozilla (SSA:2004-266-03) at http://slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.401801.
• BID-11192: Mozilla/Firefox Browsers Tar.GZ Archive Weak Permissions Vulnerability
• CVE-2004-0906: The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code.
• GLSA-200409-26: Mozilla, Firefox, Thunderbird, Epiphany: New releases fix vulnerabilities
• RHSA-2005-323: mozilla security update
• SA12526: Mozilla Multiple Vulnerabilities
• SUSE-SA:2004:036: mozilla: various vulnerabilities
• US-CERT VU#653160: Mozilla Linux installer does not properly set file permissions

Reported:

Sep 14, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page