ISS X-Force Database: firefox-strokewidth-bo(32698): Mozilla Firefox stroke-width buffer overflow

Mozilla Firefox stroke-width buffer overflow

firefox-strokewidth-bo (32698)

High Risk

Description:

Mozilla Firefox is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the _cairo_pen_init function. By creating a specially-crafted SVG file with a large stroke-width attribute in the clipPath element, a remote attacker could overflow a buffer and execute arbitrary code on the system, if the attacker could persuade the victim to view the malicious file.

Platforms Affected:

Canonical, Ubuntu 5.10
Canonical, Ubuntu 6.06 LTS
Canonical, Ubuntu 6.10
Gentoo, Linux
MandrakeSoft, Mandrake Linux 2007
MandrakeSoft, Mandrake Linux 2007 X86_64
MandrakeSoft, Mandrake Linux Corporate Server 3.0
MandrakeSoft, Mandrake Linux Corporate Server 3.0 X86_64
Mozilla, Firefox 1.0
Mozilla, Firefox 1.0.1
Mozilla, Firefox 1.0.2
Mozilla, Firefox 1.0.3
Mozilla, Firefox 1.0.4
Mozilla, Firefox 1.0.5
Mozilla, Firefox 1.0.6
Mozilla, Firefox 1.0.7
Mozilla, Firefox 1.0.8
Mozilla, Firefox 1.5 Beta2
Mozilla, Firefox 1.5
Mozilla, Firefox 1.5 Beta1
Mozilla, Firefox 1.5.0.1
Mozilla, Firefox 1.5.0.2
Mozilla, Firefox 1.5.0.3
Mozilla, Firefox 1.5.0.4
Mozilla, Firefox 1.5.0.5
Mozilla, Firefox 1.5.0.6
Mozilla, Firefox 1.5.0.7
Mozilla, Firefox 1.5.0.8
Mozilla, Firefox 1.5.0.9
Mozilla, Firefox 2.0 rc3
Mozilla, Firefox 2.0 Beta1
Mozilla, Firefox 2.0
Mozilla, Firefox 2.0 rc2
Mozilla, Firefox 2.0.0.1
Mozilla, SeaMonkey 1.0
Mozilla, SeaMonkey 1.0 Alpha
Mozilla, SeaMonkey 1.0 Beta
Mozilla, SeaMonkey 1.0.1
Mozilla, SeaMonkey 1.0.2
Mozilla, SeaMonkey 1.0.3
Mozilla, SeaMonkey 1.0.4
Mozilla, SeaMonkey 1.0.5
Mozilla, SeaMonkey 1.0.6
Mozilla, SeaMonkey 1.0.7
Mozilla, Thunderbird 1.0.3
Mozilla, Thunderbird 1.0.4
Mozilla, Thunderbird 1.0.5
Mozilla, Thunderbird 1.0.6
Mozilla, Thunderbird 1.0.7
Mozilla, Thunderbird 1.0.8
Mozilla, Thunderbird 1.5
Novell, Linux Desktop 9
Novell, Linux POS 9
Novell, Open Enterprise Server
Novell, Open Enterprise Server
Novell, OpenSUSE 10.2
Novell, UnitedLinux 1.0
SuSE, SuSE Linux 10.0
SuSE, SuSE Linux 10.1
SuSE, SuSE Linux 9.3
SuSE, SuSE Linux Enterprise Server 8.0
SuSE, SuSE Linux OpenExchange Server 4
SuSE, SuSE Linux Retail Solution 8
SuSE, SuSE Linux School Server
SuSE, SuSE Linux Standard Server 8
SuSE, SuSE SLED 10
SuSE, SuSE SLES 10
SuSE, SuSE SLES 9

Remedy:

Refer to MFSA 2007-01 for upgrade information. See References.

For Gentoo Linux:
Refer to GLSA 200703-04 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (SeaMonkey):
Refer to Gentoo Linux Security Announcement GLSA 200703-08 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-431-1 for patch, upgrade, or suggested workaround information. See References.

For Ubuntu Linux:
Refer to USN-428-2 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 200703-18 for patch, upgrade, or suggested workaround information. See References.

For Mandriva Linux (Thunderbird):
Refer to MDKSA-2007:052 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux (Firefox):
Refer to SUSE-SA:2007:019 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux (Mozilla):
Refer to SUSE-SA:2007:022 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

MFSA 2007-01, Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2) at http://www.mozilla.org/security/announce/2007/mfsa2007-01.html.
Mozilla Bugzilla Bug 360645, Firefox 2.0 SVG "_cairo_pen_init" Heap Overflow at https://bugzilla.mozilla.org/show_bug.cgi?id=360645.
BID-22694: Mozilla Thunderbird/SeaMonkey/Firefox Multiple Remote Vulnerabilities
CVE-2007-0776: Heap-based buffer overflow in the _cairo_pen_init function in Mozilla Firefox 2.x before 2.0.0.2, Thunderbird before 1.5.0.10, and SeaMonkey before 1.0.8 allows remote attackers to execute arbitrary code via a large stroke-width attribute in the clipPath element in an SVG file.
FrSIRT/ADV-2007-0718: Mozilla Products Multiple Remote Code Execution and Security Bypass Vulnerabilities
FrSIRT/ADV-2007-0719: Mozilla Thunderbird Multiple Command Execution and Denial of Service Vulnerabilities
FrSIRT/ADV-2008-0083: HP-UX Security Update Fixes Firefox Command Execution Vulnerabilities
GLSA-200703-04: Mozilla Firefox: Multiple vulnerabilities
GLSA-200703-08: SeaMonkey: Multiple vulnerabilities
GLSA-200703-18: Mozilla Thunderbird: Multiple vulnerabilities
MDKSA-2007:052: Updated Thunderbird packages fix multiple vulnerabilities
OSVDB ID: 32113: Mozilla Firefox SVG _cairo_pen_init Heap Overflow
SA24205: Mozilla Firefox Multiple Vulnerabilities
SA24238: Mozilla SeaMonkey Multiple Vulnerabilities
SA24252: Mozilla Thunderbird Multiple Vulnerabilities
SECTRACK ID: 1017698: Mozilla Firefox Memory Corruption in Layout Engine, SVG, and Javascript Engine May Let Remote Users Execute Arbitrary Code
SUSE-SA:2007:019: MozillaFirefox security update 1.5.0.10/2.0.0.2
SUSE-SA:2007:022: Mozilla security problems
US-CERT VU#551436: Mozilla Firefox SVG viewer vulnerable to integer overflow
USN-428-1: Firefox vulnerabilities
USN-428-2: Firefox regression
USN-431-1: Thunderbird vulnerabilities

Reported:

Feb 23, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page