Date: Mon, 10 Jun 2002 10:20:06 +0200
From: Tom <[email protected]>
To: [email protected]Subject: remote DoS in Mozilla 1.0
--PNTmBPCT7hxwcZjr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Author =20
=3D=3D=3D=3D=3D=3D
Tom Vogt <[email protected]>
http://web.lemuria.org/
Affected
=3D=3D=3D=3D=3D=3D=3D=3D
Mozilla 1.0 and earlier
verified on Linux and Solaris, other Unixes most likely affected as well.
Effect
=3D=3D=3D=3D=3D=3D
System becomes unuseable or X windows crashes=20
(varies depending on system configuration)
Description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
When loading pages with a specially prepared (or erroneous) stylesheet,
mozilla and X windows (not restricted to XFree) exhibit any of two=20
undesireable behaviours. This seems to depend on the local system=20
configuration, especially to the presence of xfs, but bug reports so far
are inconclusive.
In one scenario, X simply crashes, taking everything with it. This will res=
ult
in the loss of unsaved work.
In scenario two, memory useage of the X server explodes until the machine
reaches the thrashing point, at which point only a hard kill (-9) of the
X server can save it, provided there are enough system resources left to
issue the kill.
Some systems see no crash, but random misbehaviour of X components that oft=
en
require a shutdown of the X server to fix. See the follow ups in bugzilla
for a full description of these various behaviours.
The bug is triggered by a huge font setting done through CSS. Depending on
the end user's system configuration, this will either trigger an abort in
the XFree86 code ("Beziers this large not supported") or cause an
explosive use of memory. It is unknown how much memory could get consumed,
but follow-ups to the mozilla bug verify that machines with 1 GB of
memory still reach the thrashing point.
Example
=3D=3D=3D=3D=3D=3D=3D
Include a huge font size in your style sheet definition, e.g.:
body { font-size: 1666666px; }
http://www.adeliesolutions.com/Projects/http://bugzilla.mozilla.org/attachment.cgi?id=3D87009&action=3Dview
Vendor Contact
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
filed as mozilla bug #150339
http://bugzilla.mozilla.org/show_bug.cgi?id=3D150339
Mozilla team scrambled immediately
also filed with the XFree86 team, no reaction so far
Solution/Patches
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
No patches have been issued so far, though the mozilla team appears to be
at work and a patch should be available soon.
Another solution would be turning off stylesheets. Mozilla does not have an
option for doing so in the preferences dialog, so this must be done either
in the preferences file manually, or by editing the source code. I have not
reviewed this option further.
Unchecking the "allow documents to use other fonts" button in preferences
does NOT provide a workaround.
Author Statement
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Aside from the fact that I don't believe in "responsible disclosure", this
is already public knowledge through bugzilla.
Kudos to the mozilla team for prompt and competent reactions.
--=20
New GPG Key issued (old key expired):
http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <[email protected]>
Key fingerprint =3D C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
--PNTmBPCT7hxwcZjr
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE9BGE2vwGfoS16BPURAg/YAJ9roHWjfKYgC3nx3AokqEVjcz21FwCeLuLp
y/MCltMP0XjROUn/sd0B6TI=
=zTao
-----END PGP SIGNATURE-----
--PNTmBPCT7hxwcZjr--
