Mozilla InstallVersion.compareTo() denial of service

mozilla-installversioncompareto-dos (21409)

Low Risk

Description:

Mozilla Firefox is vulnerable to a denial of service. A remote attacker could create a specially-crafted object that is passed to the InstallVersion.compareTo() that could cause a denial of service or possibly be used to execute arbitrary code.

Consequences:

Denial of Service

Remedy:

For Mozilla Firefox:
Upgrade to the latest version of Mozilla Firefox (1.0.5 or later), available from the Firefox Web page. See References.

For Mozilla:
Upgrade to the latest version of Mozilla Suite (1.7.9 or later), available from the Mozilla Suite Web page. See References.

For SUSE Linux:
Upgrade to the latest mozilla, as listed below. Refer to SUSE Security Announcement SUSE-SA:2005:045 for more information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2006:022 for patch, upgrade, or suggested workaround information. See References.

x86:
SUSE Linux 9.2 and 9.3: 1.0.6-4.1 or later
SUSE Linux 9.1: 1.0.6-4.2 or later
SUSE Linux 9.0: 1.0.6-2 or later
SUSE Linux 8.2: 1.7.8-19 or later

x86-64 Platform:
SUSE Linux 9.3: 1.7.5-17.5 or later
SUSE Linux 9.2: 1.0.6-4.1 or later
SUSE Linux 9.1: 1.0.6-4.2 or later
SUSE Linux 9.0: 1.0.6-2 or later

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of Mozilla-Firefox (1.0.4-2sarge1 or later), as listed in DSA-775-1. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest version of Mozilla-Firefox (1.0.4-2sarge3 or later), as listed in DSA-779-2 . See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest versions of Mozilla (1.7.8-1sarge1 or later), as listed in DSA-777-1. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest versions of Mozilla (1.7.8-1sarge2 or later), as listed in DSA-810-1. See References.

For Red Hat Linux (Firefox):
Refer to RHSA-2005:586-11 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (Mozilla):
Refer to RHSA-2005:587-11 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-149-1, USN-149-2, USN-149-3, USN-155-1 and USN-157-1 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

• CIAC INFORMATION BULLETIN P-251: Mozilla Security Updates.
• CIAC INFORMATION BULLETIN P-252: Firefox Security Updates.
• MFSA 2005-50: Possibly exploitable crash in InstallVersion.compareTo.
• Mozilla Firefox Download Web page: Firefox - Rediscover the web.
• Mozilla Suite Web page: Mozilla Suite- The All-in-One Internet Application Suite.
• SGI Security Advisory 20050802-01-U: SGI Advanced Linux Environment 3 Security Update #45.
• BID-14242: Mozilla Suite, Firefox And Thunderbird Multiple Vulnerabilities
• BID-15495: SCO OpenServer Release 5.0.7 Maintenance Pack 4 Released - Multiple Vulnerabilities Fixed
• CVE-2005-2265: Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.
• DSA-775: mozilla-firefox -- frame injection spoofing
• DSA-777: mozilla -- frame injection spoofing
• DSA-779: mozilla-firefox -- several vulnerabilities
• DSA-781: mozilla-thunderbird -- several vulnerabilities
• DSA-810: mozilla -- several vulnerabilities
• GLSA-200407-15: Opera: Multiple spoofing vulnerabilities
• GLSA-200507-14: Mozilla Firefox: Multiple vulnerabilities
• MDKSA-2005:120: Updated mozilla-firefox packages fix multiple vulnerabilities
• MDKSA-2005:120-1: Updated mozilla-firefox packages fix multiple vulnerabilities
• MDKSA-2005:127: Updated mozilla-thunderbird packages fix multiple vulnerabilities
• MDKSA-2005:127-1: Updated mozilla-thunderbird packages fix multiple vulnerabilities
• MDKSA-2005:128: Updated mozilla packages fix multiple vulnerabilities
• RHSA-2004-421: mozilla security update
• RHSA-2005-586: firefox security update
• RHSA-2005-587: mozilla security update
• RHSA-2005-601: thunderbird security update
• SA11978: Multiple Browsers Frame Injection Vulnerability
• SA15601: Mozilla / Mozilla Firefox Frame Injection Vulnerability
• SA16043: Firefox Multiple Vulnerabilities
• SA16044: Netscape Multiple Vulnerabilities
• SA16059: Mozilla Multiple Vulnerabilities
• SUSE-SA:2004:030: apache2: remote DoS condition
• SUSE-SA:2004:031: cups: remote code execution
• SUSE-SA:2004:032: apache2: remote denial-of-service
• SUSE-SA:2004:033: gtk2 gdk-pixbuf: remote code execution
• SUSE-SA:2004:034: XFree86-libs xshared: remote command execution
• SUSE-SA:2004:035: samba: remote file disclosure
• SUSE-SA:2004:036: mozilla: various vulnerabilities
• SUSE-SA:2005:045: mozilla MozillaFirefox epiphany galeon: information leak
• SUSE-SA:2006:022: MozillaThunderbird various problems
• USN-149-1: Firefox vulnerabilities
• USN-149-2: Fixed Firefox packages for USN-149-1
• USN-149-3: Ubuntu 4.10 update for Firefox vulnerabilities
• USN-155-1: Mozilla vulnerabilities
• USN-155-2: Updated Epiphany packages to match Mozilla security update
• USN-155-3: Fixed mozilla locale packages
• USN-157-1: Mozilla Thunderbird vulnerabilities
• USN-157-2: Updated Mozilla Thunderbird Enigmail plugin for Ubuntu 4.10
• VUPEN/ADV-2005-1075: Mozilla Suite and Firefox Multiple Code Execution Vulnerabilities

Platforms Affected:

• Canonical Ubuntu 4.10
• Canonical Ubuntu 5.04
• Debian Debian Linux 3.1
• MandrakeSoft Mandrake Linux 10.1 X86_64
• MandrakeSoft Mandrake Linux 10.1
• MandrakeSoft Mandrake Linux LE2005 X86_64
• MandrakeSoft Mandrake Linux LE2005
• MandrakeSoft Mandrake Linux Corporate Server 3.0 X86_64
• MandrakeSoft Mandrake Linux Corporate Server 3.0
• Mozilla Firefox 0.10
• Mozilla Firefox 0.10.1
• Mozilla Firefox 0.8
• Mozilla Firefox 0.9 rc
• Mozilla Firefox 0.9
• Mozilla Firefox 0.9.1
• Mozilla Firefox 0.9.2
• Mozilla Firefox 0.9.3
• Mozilla Firefox 1.0
• Mozilla Firefox 1.0.1
• Mozilla Firefox 1.0.2
• Mozilla Firefox 1.0.3
• Mozilla Firefox 1.0.4
• Mozilla Mozilla 1.3
• Mozilla Mozilla 1.4
• Mozilla Mozilla 1.4 Alpha
• Mozilla Mozilla 1.4.1
• Mozilla Mozilla 1.5
• Mozilla Mozilla 1.5 rc1
• Mozilla Mozilla 1.5 Alpha
• Mozilla Mozilla 1.5 rc2
• Mozilla Mozilla 1.5.1
• Mozilla Mozilla 1.6
• Mozilla Mozilla 1.6 Beta
• Mozilla Mozilla 1.6 Alpha
• Mozilla Mozilla 1.7 rc3
• Mozilla Mozilla 1.7
• Mozilla Mozilla 1.7 rc2
• Mozilla Mozilla 1.7 rc1
• Mozilla Mozilla 1.7 Beta
• Mozilla Mozilla 1.7 Alpha
• Mozilla Mozilla 1.7.1
• Mozilla Mozilla 1.7.2
• Mozilla Mozilla 1.7.3
• Mozilla Mozilla 1.7.5
• Mozilla Mozilla 1.7.6
• Mozilla Mozilla 1.7.7
• Mozilla Mozilla 1.7.8
• Novell Linux Desktop 9
• RedHat Enterprise Linux 2.1 WS
• RedHat Enterprise Linux 2.1 ES
• RedHat Enterprise Linux 2.1 AS
• RedHat Enterprise Linux 3 ES
• RedHat Enterprise Linux 3 WS
• RedHat Enterprise Linux 3 AS
• RedHat Enterprise Linux 3 Desktop
• RedHat Enterprise Linux 4 AS
• RedHat Enterprise Linux 4 Desktop
• RedHat Enterprise Linux 4 WS
• RedHat Enterprise Linux 4 ES
• RedHat Linux Advanced Workstation 2.1 Itanium
• SuSE Linux Enterprise Server 8
• SuSE Linux Enterprise Server 9
• SUSE SuSE Linux 10.0
• SUSE SuSE Linux 8.1
• SUSE SuSE Linux 8.2
• SUSE SuSE Linux 9.0
• SUSE SuSE Linux 9.1
• SUSE SuSE Linux 9.2
• SUSE SuSE Linux 9.3
• SuSE SuSE Linux Desktop 1.0
• SuSE SuSE SLES 9

Reported:

Jul 12, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page