
Mozilla Linux Command Line URL Parsing Security Flaw Reported

Filed under: Moz/FF, Security

A critical input validation security vulnerability affecting Linux versions of Mozilla Firefox and the Mozilla Application Suite has been reported today. The flaw could allow an attacker to execute arbitrary commands on a victim's system. The bug exists in the Linux shell scripts that Firefox and the Mozilla Application Suite rely on to parse URLs supplied on the command line or by external programs. If the supplied URL contains any Linux commands enclosed in backticks, these will be executed before Firefox or the Mozilla Application Suite tries to open the URL. Variables such as $HOME will also be expanded.

While this flaw cannot be exploited solely from within Firefox or the Mozilla Application Suite itself, an attacker could take advantage of the vulnerability by tricking a victim into following a malicious link in an external program (say, an email client or instant messaging application) on a Linux system where Firefox or the Mozilla Application Suite is the default browser.
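The defensive counterpart to the flaw described above, as an added example that is not Mozilla's own launcher script: a simplified URL-handling wrapper that refuses URLs carrying shell metacharacters and hands the argument on as a single quoted word, so backticks and $VARIABLES in the URL are never evaluated. The function names and the accepted scheme list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the Mozilla/Firefox launcher: shows how a wrapper that
# receives a URL from the command line or an external program should treat it.
#
# The weak pattern behind the reported bug is re-evaluating the argument
# (e.g. building a command string and running it through eval), which lets
# `...` and $VAR inside the URL be expanded by the shell.

# Reject any URL containing characters a shell would interpret if the string
# were evaluated a second time, and accept only the schemes we expect.
url_is_safe() {
    case "$1" in
        *'`'*|*'$'*|*';'*|*'|'*|*'&'*|*'"'*|*"'"*|*'\'*|*'<'*|*'>'*|*'('*|*')'*)
            return 1 ;;
    esac
    case "$1" in
        http://*|https://*|ftp://*|file://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hardened launcher: no eval, no string re-assembly; the URL is passed as one
# word in double quotes, so whatever it contains stays literal.  Here the
# literal argument is printed instead of invoking a browser binary.
launch_browser() {
    url=$1
    if ! url_is_safe "$url"; then
        echo "refusing suspicious URL" >&2
        return 2
    fi
    # Real wrapper would do: exec "$BROWSER_BIN" "$url"   (never eval "... $url")
    printf '%s\n' "$url"
}
```

Note that a legitimate URL is echoed back unchanged, while one containing a backtick or a dollar sign is refused with exit status 2 before any command is built.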

Full Article.

Upgrade.
