Launchpad.net

CVE 2008-2933

Mozilla Firefox before 2.0.0.16, and 3.x before 3.0.1, interprets '|' (pipe) characters in a command-line URI as requests to open multiple tabs, which allows remote attackers to access chrome:i URIs, or read arbitrary local files via manipulations involving a series of URIs that is not entirely handled by a vector application, as exploited in conjunction with CVE-2008-2540. NOTE: this issue exists because of an insufficient fix for CVE-2005-2267.

Related bugs and status

CVE-2008-2933 (Candidate) is related to these bugs:

Bug #254618: Please update xulrunner to 1.8.1.16 version.

Summary				In	Importance	Status
	254618	Please update xulrunner to 1.8.1.16 version.		xulrunner (Ubuntu)	High	Fix Released
	254618	Please update xulrunner to 1.8.1.16 version.		xulrunner (Ubuntu Hardy)	Undecided	Won't Fix

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://www.mozilla.org...
CONFIRM: https://bugzilla.mozil...
DEBIAN: DSA-1614
DEBIAN: DSA-1615
MANDRIVA: MDVSA-2008:148
REDHAT: RHSA-2008:0597
REDHAT: RHSA-2008:0598
UBUNTU: USN-623-1
CERT-VN: VU#130923
BID: 30242
SECTRACK: 1020500
SECUNIA: 31106
SECUNIA: 31120
SECUNIA: 31121
SECUNIA: 31129
SECUNIA: 31157
SECUNIA: 31145
SECUNIA: 31176
SECUNIA: 31183
CONFIRM: http://wiki.rpath.com/...
CONFIRM: https://issues.rpath.c...
GENTOO: GLSA-200808-03
UBUNTU: USN-626-1
UBUNTU: USN-626-2
SECUNIA: 31270
SECUNIA: 31261
SECUNIA: 31306
SECUNIA: 31377
DEBIAN: DSA-1697
SECUNIA: 33433
SUNALERT: 256408
SECUNIA: 34501
VUPEN: ADV-2009-0977
CONFIRM: http://www.novell.com/...
SLACKWARE: SSA:2008-198-01
XF: firefox-commandline-ur...
OVAL: oval:org.mitre.oval:de...
BUGTRAQ: 20080729 rPSA-2008-023...