New security flaw

Discussion about official Mozilla Firefox builds
Elfguy
Posts: 309
Joined: June 27th, 2005, 5:56 pm

New security flaw

Post by Elfguy »

http://news.com.com/Unpatched+Firefox+f ... g=nefd.top

Anyone care to investigate the bugs he filed?
wget
Posts: 4701
Joined: November 8th, 2002, 9:51 am
Location: Denmark

Post by wget »

chico, modify, ac1djazz, dmuz, aempirei, Daniel Sergile, tupac shakur, and the rest of the
angrypacket krew.

What a noble whitehat. :roll:
To the cast and crew of Arrested Development: Thanks for the many great laughs.
Jimbob0i0
Posts: 422
Joined: May 4th, 2005, 1:19 am

Post by Jimbob0i0 »

Well I decided to test this against Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4 ID:2005090806 and the result was......

No crash
AmboyGuy
Posts: 3304
Joined: July 6th, 2004, 9:19 am

Post by AmboyGuy »

sp-x17 security advisory

It crashes Build ID: 2005090806
Last edited by AmboyGuy on September 9th, 2005, 8:45 am, edited 3 times in total.
Mozilla/5.0 (Ubuntu; X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 ID:20111228084953
IceDogg
Posts: 657
Joined: July 24th, 2004, 11:26 am

Post by IceDogg »

I would like more info on this as well. Is the 1.5 Beta free of this bug or not?
Elfguy
Posts: 309
Joined: June 27th, 2005, 5:56 pm

Post by Elfguy »

So far no one can reproduce his bug it would seem. Would help if we could locate his bugzilla entries, but so far it seems like a nonissue.
polidobj
Posts: 3147
Joined: March 31st, 2004, 9:10 am
Location: Maryland USA - im in ur tinderbox, crashtesting ur firefox

Post by polidobj »

This is still in all Firefox builds. Both this morning's nightly builds (trunk and branch) crash. Here's the URL:
www.security-protocols.com/firefox-death.html
Brian J Polidoro - Today's bugs brought to you by Raid. :P
Windows7 - Firefox user since ~Feb 2002
softexpert
Posts: 117
Joined: March 27th, 2003, 3:21 pm

Post by softexpert »

I saved the html file on a local folder and IT DOES WHAT IT CLAIMS !!!
Tried to open the file from local or from the net, the result is the same: Firefox locks!

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050909 Firefox/1.4 - Build ID: 2005090900
old np
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old np »

polidobj
Posts: 3147
Joined: March 31st, 2004, 9:10 am
Location: Maryland USA - im in ur tinderbox, crashtesting ur firefox

Post by polidobj »

softexpert wrote:I saved the html file on a local folder and IT DOES WHAT IT CLAIMS !!!
Tried to open the file from local or from the net, the result is the same: Firefox locks!

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050909 Firefox/1.4 - Build ID: 2005090900

Saving locally doesn't have any effect for me. Only the URL shows the problem.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050909 Firefox/1.4 ID:2005090906
Brian J Polidoro - Today's bugs brought to you by Raid. :P
Windows7 - Firefox user since ~Feb 2002
chazm
Posts: 103
Joined: June 23rd, 2005, 4:41 pm
Location: Wisconsin, USA

Post by chazm »

It has no effect here at all. I end up going to Google.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050909 Firefox/1.4 ID:2005090906
Most Intelligent Consumers Realize Our Software Only Fools Toddlers since it Will Install Needless Data On Whole System making it a Very Insecure System To Anyone!
TheOneKEA
Posts: 4864
Joined: October 16th, 2003, 5:47 am
Location: Somewhere in London, riding the Underground

Post by TheOneKEA »

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4 ID:2005090805

I can't make this build crash.
Proud user of teh Fox of Fire
Registered Linux User #289618
IceDogg
Posts: 657
Joined: July 24th, 2004, 11:26 am

Post by IceDogg »

polidobj wrote:This is still in all Firefox builds. Both this morning's nightly builds (trunk and branch) crash. Here's the URL:
www.security-protocols.com/firefox-death.html


It crashed here. Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4 ID:2005090806
AmboyGuy
Posts: 3304
Joined: July 6th, 2004, 9:19 am

Post by AmboyGuy »

TheOneKEA: Is your network.enableIDN = false ?

My system had a delayed reaction at first (opening a new tab crashed it)
and then after restarting and doing it again ( http://www.security-protocols.com/firefox-death.html )
it crashed immediately 090806 build.

I updated to today's build (which also crashes) & with the disabled IDN, no crash.
I disabled IDN in my user.js as a precaution.

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8b4) Gecko/20050909
Firefox/1.4 - Build ID: 2005090906
Last edited by AmboyGuy on September 9th, 2005, 9:44 am, edited 1 time in total.
Mozilla/5.0 (Ubuntu; X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1 ID:20111228084953
Elfguy
Posts: 309
Joined: June 27th, 2005, 5:56 pm

Post by Elfguy »

Workaround: Disable IDN support (toggle network.enableIDN in about:config).
Locked
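
One way to check that the workaround discussed in this thread is actually in effect for a profile, as an added example that is not part of the original posts: it reads the text of a profile's prefs.js and user.js and reports whether network.enableIDN is set to false and which file decided it. The sample file contents are constructed, and treating an unset pref as IDN enabled is an assumption.

```python
import re

PREF = "network.enableIDN"  # pref named in the thread

BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.MULTILINE
)


def parse_prefs(text):
    """Parse user_pref("name", value); lines into {name: raw_value}.
    Later lines override earlier ones; // and /* */ comments are ignored."""
    text = BLOCK_COMMENT.sub("", text)
    return {name: value for name, value in PREF_LINE.findall(text)}


def idn_status(prefs_js, user_js):
    """Return (idn_disabled, source). user.js is applied over prefs.js."""
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = parse_prefs(text).get(PREF)
        if value is not None:
            return value == "false", source
    # Assumption: an unset pref means the build default, IDN enabled.
    return False, "default"


# Constructed sample files, not taken from any real profile.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.enableIDN", true);
'''
SAMPLE_USER_JS = '''// workaround from the thread
user_pref("network.enableIDN", false);
'''
# A commented-out line does not apply the workaround.
COMMENTED_OUT_USER_JS = '// user_pref("network.enableIDN", false);\n'

if __name__ == "__main__":
    for label, user_js in (("workaround applied", SAMPLE_USER_JS),
                           ("workaround commented out", COMMENTED_OUT_USER_JS)):
        disabled, source = idn_status(SAMPLE_PREFS_JS, user_js)
        print(f"{label}: IDN disabled={disabled} (decided by {source})")
```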