General : 
          K-Meleon Web Browser Forum
        
        General discussion about K-Meleon. Questions about how to setup it, macro coding, all related to its usage and the project itself, including this website. 
      
  
  
  
  
    
     
      
        Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            Carlos
          
         
      Date: March 27, 2005 02:00PM
      
 I would like to know whether or not  K-Meleon is vulnerable as Firefox 1.0.1 to recent 3 flaws found out by  Internet Security Systems (ISS), wich lead Mozilla to release 1.0.2 "critical update".
TIA
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            Fast Sjonny
          
         
      Date: March 27, 2005 02:23PM
      
 Isn't it an option to make a KM browser which depends on Firefox?
What I mean is that you have to have Firefox installed and KM is using it's engine then.
This way it is easy to update to the latest Gecko/ Firefox and in fact you could use the latest trunk as engine.
I am asking because on Linux platforms you see the same. You have to have Mozilla Suite installed to use some other high-speed alternatives....
I know it is nicer to have a stand-alone browser, not depending on other software.
But may be it can be an extra package for the 'bleading edge' of Gecko and to be sure you are not using software which is possibly vulnerable....
Jan.
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            ndebord
          
         
      Date: March 27, 2005 03:23PM
      
 Anyone,
 I don't think K-Meleon is vulnerable to the first two, not sure about the third security issue mentioned by Secunia. In any event, I'm not the expert here, so someone else should jump in on this one.
1) An error in the restriction of privileged XUL files can e.g. be exploited to open a local privileged XUL file by tricking a user into dragging a faked scrollbar.
Aside from Aggreg8, K-Meleon uses macros, not XUL.
2) A web site added as a sidebar panel can load privileged content, which can be exploited to execute arbitrary programs by injecting JavaScript into a privileged URL.
K-Meleon doesn't use the sidebar component used in FireFox and Mozilla Suite.
3) A boundary error in the GIF image processing of Netscape extension 2 blocks can be exploited to cause a heap-based buffer overflow via a specially crafted image.
Don't have a clue here. Anyone?
N
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 
      
      Posted by:
        
          
            guenter
          
         
      Date: March 28, 2005 05:57AM
      
 @N - agree with You on 1& 2 // 
3? => i think they can make specially prepared pic to crash many current programs.
(e.g huge pic in one color that is sort of zipped - if software does not check how big pic becomes after unzipping then PC runs out of memory - specially when OS does not reserve a rest for continued running /e. g. dos based windowses). 
To check whether k-m has a insecurity? 
i would look whether it hangs in limbo MSIE style or says this program has made error (the later is "politically" correct) and shuts down. 
The later i consider sort of secure - it can be crashed but not exploited.
@Jan - i agree: would be nice if k-m core could like sylera or networker work with all new GRE. That way  we would only have to secure our part of code and not bother with GRE which we get supplied any way.
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            fast sjonny
          
         
      Date: March 28, 2005 09:09AM
      
 Hi Guenter,
The problem with KM at this moment is that a real development team is missing, the Gecko engine is getting more populair in high tempo with all the security issues which is belonging to such a process and the Mozilla crew is taking large steps forward now in the development process of FF/ TB.
With a small team I think it is not easy to keep KM up to date with the latest security fixes and Gecko improvements included.
On the ftp-directory of Moz. is also a separate Gecko available. May be that could be used to make this step? 
Greetings from Holland,
Jan.
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 
      
      Posted by:
        
          
            Carlos
          
         
      Date: March 28, 2005 10:35AM
      
 Here the description of "gif flaw" and its workaround ( turn off image display )
Mozilla Foundation Security Advisory 2005-30
Title: GIF heap overflow parsing Netscape extension 2
Severity: Critical
Risk: High
Reporter: Mark Dowd (ISS X-Force)
Products: Firefox, Thunderbird, Mozilla Suite
Fixed in: Firefox 1.0.2
 Thunderbird 1.0.2
 Mozilla Suite 1.7.6
Description
An GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine.
Workaround
Turn off image display. Upgrade to the fixed version.
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            guenter
          
         
      Date: March 28, 2005 12:24PM
      
 @hi Jan - i did not test standart 0.9 (i assume that would work too) - but i know that HAOs static runs with almost all 1.7.x GRE : o ))
the time consuming problem is fixing things/problems with slight chrome alterations. 
I am working on/experimenting with a chrome hack that will permit use of FF chrome.
(sort of working... but with some about: are not... the usual messy lengthy story).
Hao looks into k-m source code. (but also has other urgent work)
@hi Carlos, copying the needed files into a fixed mozilla (that is extracted from zip file not exe installer) -(else use GRE which is installed in Mozilla aplications = make a copy to other location) - will run k-m with fixes in GRE (if the fixes are in GRE) - 
You would use k-m chrome,  kplugins, defaults and skins plus k-m exe.
p. s. And naturally some luck - k-meleon is not always and sometimes not with everything working/starting on that - see my re for jan - ; o ) 
(& if the Mozilla fixes are in chrome = tough luck).
@all greetings
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            Penang
          
         
      Date: March 29, 2005 05:32AM
       Can someone point me to the mozilla ftp site where I can pure gecko builds ? On 
ftp://ftp.mozilla.org/pub/mozilla.org I don't see any "gecko" listing anywhere.
Thanks !!
 
  
    
  
  
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            guenter
          
         
      Date: March 29, 2005 01:13PM
      
 i was wrong about second url - only 1.8.b2 zip there - sorry
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            Fast Sjonny
          
         
      Date: March 29, 2005 03:12PM
      
 I can be wrong ofcourse but I think the second link is also right.
In the trunkdirectory are also three compressed packages for the Gecko's
Jan
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            ra
          
         
      Date: March 29, 2005 06:23PM
      
 There are Gecko *SDK*s. I'm not sure if Penang was after a software development kit? There's no "Gecko, only" download as far as I know.
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            Fast Sjonny
          
         
      Date: March 29, 2005 09:07PM
      
 Hi Ra,
You are right, that's it. Sorry ;-))
But.... when I am making builds for Linux, in the directory where the new build is made, also the Gecko is build as far as I know. So I think this is the same when you are making a Mozilla build under Windows. That could be the solution then....
Jan
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 
      
      Posted by:
        
          
            guenter
          
         
      Date: March 30, 2005 04:59AM
      
 after a zipped 1.7.6? because that is easiest to change to a 1.7.6 GRE updated k-m?
but there is only a 1.8.x as far is i found in that directory that is what i ment.
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            Fred
          
         
      Date: March 30, 2005 05:35AM
       Mozilla 1.7.6 zipped is in
http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.6/
and Mozilla 1.8b1 zipped in
http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.8b1/
K-Meleon from Hao's 019PR1 works in Mozilla 1.7.6. 
To get a history.txt, I copied the file compreg.dat from  
the 019PR1 build over to Mozilla's components directory.
In Mozilla 1.8b1 it only worked with Hao's K-MeleonCFFexpress(18)
and additionally the two files from VisualC++.
The history is in chrome://communicator/content/history/history.xul .
I made a macro for it.
The bug when right-click on buttons was also there. "Search" has to 
be put on left click in toolbars.cfg, using the rebarmenu, as well as 
other right-click features. 
This really is a new possibility instead of constant k-meleon updates.
Fred
 
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            Fred
          
         
      Date: March 30, 2005 06:14AM
      
 A little correction: I tried  Mozilla 1.7.6 with Hao's 019PR3 .
K-meleon.exe, chrome, defaults, skins, and compreg.dat from
components.
Fred
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            guenter
          
         
      Date: March 30, 2005 10:20AM
      
 thx for locating them Fred!
IMHO almost all 1.7.5 k-m will start with any 1.7.x GRE. 
I tried with Ulf-standart 0.9, those from Hao that Fred mentions, Hao´s stastic made from FF sources, Clickfishs Germann issue which is also compiled from FF sources and says he is 1.7.6 in the credits - Rumpels German  which is possibly a resource hacked Ulf-standart. There are some other test releases  based on 0.8.2 which i have tried with 1.7.1 activeX control a long time ago. 
Others builds will start with 1.8.b2 GRE among that some of Haos test builds, Dorians early non statice builds, some test builds from Ulf. 
Chromes: not all work well - FF chromes have become as small like k-m´s when zipped into compressed jar´s. The Chromes still look like a time consuming poblem to me. There are automated processes but they seem not to always lead to success (and i do not know how to get automisation working).
IMHO comreg.dat and xpti.dat are created by the browser 
- when they are deleted they will be re-created.
my standart procedure is deleting - so that k-m must rewrite them.
I think this depends on whether they use the same libraries. (?)
I do not know whether regxpcom.exe can be used afterwards?
reason why i would like to know - some exe fail and say they are missing 
xpcom exports - AFAIK  there is a way to register and unregister these components. I do not know when and how it can be done?
I have been looking into Re-cycling k-m.exes since way back last year. Our few dev spent much time to prevent regration and have to alter tiny things - which comes from tiny alterations in Mozilla sources. It would be nice to be more independent of that so that especially Ulf could spent more time to hack on the k-m core. 
If other people that are less accomplished than our devs could do the security updates - we could have security fixed on holes from GRE sooner. 
My opinionated opinion ; o ))
kind regards
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            Fred
          
         
      Date: March 30, 2005 12:26PM
      
 Thank you, Guenter, for testing the different versions !
If one of these should be planned for downloading, it would be
necessary to eliminate the useless files, to make downloads
smaller. That could be a bit tedious. But the idea is worth to be
considerated. 
Regards Fred
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            guenter
          
         
      Date: March 30, 2005 12:51PM
      
 
Yes i agree: would be nice to have them packaged like that 
- but not really vital // not all are as curious/nosy as me.
Most here have a 0.9 and that is sufficiant
I took the files from my old installs (like Carson & several others i keep them) - the only thing needed is a browser only install of Mozilla (or the full zip that You located - You can do more with that) into which chrome// defaults/menus etc. //kplugins //skins are copied.
Since Ulf´s standart k-m0.9 work fine with this install - every body that has a 0.9  (or a fairly recent test k-m) will be able to upgrade to a new 1.7.x GRE (or 1.8.x depending on which issue a k-m.exe is build). 
The Mozilla stuff can stay inside this new updated k-m, You can even use 
Mozilla.exe  or have several k-m.exe with (differnt names) for test purposes running from inside this directory. 
the only ticklish part is to get k-m menus working since the 
needed defaults locations can vary. 
geetings to the mountains from boring flat Hannover, guenter
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            informer
          
         
      Date: March 30, 2005 08:25PM
       just an info-link for the german speaking ppl inhere (particular slightly OT, but nvm):
http://www.heise.de/security/artikel/55576 
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            guenter
          
         
      Date: March 31, 2005 04:27AM
      
 no informer - in general forum we diskuss what we like nothing OT here.
ne informer - in general forum diskutieren wir, was wir wollen, nix ist hier OT.
greetings from heise town hannover
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        K-Meleon 0.9 update to Gecko 1.7.6 download 
      
      Posted by:
        
          
            guenter
          
         
      Date: April 01, 2005 05:43AM
       No guarantee that it will work or serves any purpose 
other than steeling Your download time, 
click free download at the bottom
then wait and click download file.
http://rapidshare.de/files/1085213/km0.9_gre1.7.6.exe.html
thx to Mozilla 4 GRE, 
K-M devs Ulf, jsnj, Andrew, Al, other dev supporters & beta testers 4 k-m0.9,
Jan for skin & Eyes-Only 4 throbber - and many others that i do not remember by heart (senior moments ; o ) - greetings
p. s. for all those that lack time to make update to 1.7.6 themselves.
I did not have time to update chrome - tested under win-xp and ME.
 
  
    
  
  
    
     
      
        k-m 0.9 to update GRE 1.7.6 
      
      Posted by:
        
          
            guenter
          
         
      Date: April 01, 2005 06:06AM
       no warranty - again i thank the k-m dev crew 4 creating 0.9
http://home.htp-tel.de/sterntaler/k_m0.9_4_GRE1.7.x.exe
that is  k-m part that is needed to update a GRE 1.7.6 downloaded from Mozilla.org
(maybe You have or get a new Thunderbird or Mozilla?).
The file is only 1.3 mb. You should make a backup of the GRE that You want to update (this may not work with all GRE - but should work with all win32 GRE 1.7.6 
that have been compiled with the same compiler as Ulf has used)
GRE are either in Mozilla folder or subsequent Location at Your local harddisk
../Program file/common files/mozilla.org/GRE 
(or something similar - since here the folder and path have German names).
1.3 mb was just small enough to fit on my small home page - which already 
contains some java (lake) applets. greetings
 
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            guenter
          
         
      Date: April 01, 2005 06:37AM
      
 just found bug in my english skin.
layer button look like:
Layer/Window Buttons{
	New{
	%ifplugin macros & layers
	macros(New)|New
	New Page. Right-click for more options.
	%else
	%ifplugin layers
	layers(Open)|New
	New Layer. Right-click for more options.
	%else
	ID_NEW_BROWSER
	New Window
	%endif
	%endif
	toolhot.bmp[41]
	}
	Close{
	%ifplugin layers
	layers(Close)|CloseButton
	Close Layer. Right-click for more options.
	%else
	ID_FILE_CLOSE|Close
	Close Window
	%endif
	toolhot.bmp[42]
	}
}
but it is harder to repair than to exchange skin to a new one by copying it into skin folder. sorry about bug (but i usually use a German version of it) greetz
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            Hao Jiang
          
         
      Date: April 01, 2005 08:41AM
      
 Great job! Guenter.  I think we can call this version as K-Meleon 0.91 since it is like a real update to the official 0.9 K-Meleon.  Thank you for your work. 
Hao
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            ndebord
          
         
      Date: April 01, 2005 03:57PM
      
 Guenter and Hao,
This looks very promising. Will have to read through the thread to figure out how to proceed before I try it out!
:-)
N
      
    
    
      
      
    
   
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            guenter
          
         
      Date: April 01, 2005 04:40PM
       This is a beta that sort of works so far (and based on tested components)
- and maybe it is a solution to the problem of security issues in GRE.
about Chrome folder:
I think this is experimental, since we (i) do not know - whether and how far chrome must be updated (that is the major point - i think ) and whether all things work.
 I remember that devs found lots of bugs and that they made several 0.9.
I also remember that we always had slight problems with little parts depending on chrome not working. 
about: Components folder:
Also If i have missed a js or xpt in components that are needed some things may not work properly (i tried to use a minimum of files - if i shared of one to many then something will not work : o ( .
about compiler etc:
I separated k-m part from GRE part. If both are from same Mozilla 
(and with same compiler // that is as far as i know) they will work together without looking for minor nr. (k-m works with GRE 1.7. 1 till 1.7.6 so far).
k-m part is on my home page & can be joined with any 1.7.x GRE so far.
about DLLs and GRE:
I wonder wether i shall also palce for download pre-prepared 1.7.6 GRE that can be placed into k-m folder and just unzipped for making update there? I have tested that as well and had no problems.
GRE 1.7.6 single at mozilla is at:
http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.6/windows-xpi/
and called gre-win32-installer.zip
its install default is metioned above in thread but can be influenced.
about: the complete download - do not set it as default for the time beeing.
and do not install into k-m default position.
greetings
 
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            guenter
          
         
      Date: April 01, 2005 05:15PM
       first real bug found download manager does not open
fix: download & install: 
http://home.htp-tel.de/sterntaler/componets.exe 
into components folder. (this probably contains to many files - but i have to hand check them again and want that browser works untill then).
updated also: 
http://home.htp-tel.de/sterntaler/k_m0.9_4_GRE1.7.x.exe
which is 1.4 mb now and contains fix.
 
Bug remaining browser does not download xpi - which is probably done to a security fix by mozilla - Our browser is not prone to that - 
but at the moment i am chocked a little.
greetz
 
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            guenter
          
         
      Date: April 01, 2005 05:51PM
       Fixed known solutions to found 2 bugs into download and uploaded to:
http://rapidshare.de/files/1091946/km0.9_gre1.7.6.exe.html
again - No guarantee that this package of k-m will work 
or serves any purpose other than steeling Your download time,
click free download at the bottom then wait and click download file. 
going off key untill tomorrow. 
You can contact me by mail via my home page:
http://home.htp-tel.de/sterntaler/
where a script that kept me spam free will feed my mail addi to Your mail program.
 
  
    
  
  
    
     
      
        Re: Firefox 1.0.2 "critical update" and K-Meleon 
      
      Posted by:
        
          
            fast sjonny
          
         
      Date: April 02, 2005 08:56AM
      
 Nice work Guenter and Hao ;-))))))
Greetings from Holland,
Jan