Firefox 1.0.2 "critical update" and K-Meleon
Posted by: Carlos
Date: March 27, 2005 02:00PM

I would like to know whether or not K-Meleon is vulnerable, as Firefox 1.0.1 is, to the recent 3 flaws found by Internet Security Systems (ISS), which led Mozilla to release the 1.0.2 "critical update".

TIA

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: Fast Sjonny
Date: March 27, 2005 02:23PM

Isn't it an option to make a KM browser which depends on Firefox?
What I mean is that you have to have Firefox installed and KM is using its engine then.
This way it is easy to update to the latest Gecko/ Firefox and in fact you could use the latest trunk as engine.
I am asking because on Linux platforms you see the same. You have to have Mozilla Suite installed to use some other high-speed alternatives....

I know it is nicer to have a stand-alone browser, not depending on other software.
But maybe it can be an extra package for the 'bleeding edge' of Gecko and to be sure you are not using software which is possibly vulnerable....

Jan.

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: ndebord
Date: March 27, 2005 03:23PM

Anyone,

I don't think K-Meleon is vulnerable to the first two, not sure about the third security issue mentioned by Secunia. In any event, I'm not the expert here, so someone else should jump in on this one.

1) An error in the restriction of privileged XUL files can e.g. be exploited to open a local privileged XUL file by tricking a user into dragging a faked scrollbar.

Aside from Aggreg8, K-Meleon uses macros, not XUL.

2) A web site added as a sidebar panel can load privileged content, which can be exploited to execute arbitrary programs by injecting JavaScript into a privileged URL.

K-Meleon doesn't use the sidebar component used in Firefox and Mozilla Suite.

3) A boundary error in the GIF image processing of Netscape extension 2 blocks can be exploited to cause a heap-based buffer overflow via a specially crafted image.

Don't have a clue here. Anyone?

N

Re: Firefox 1.0.2
Posted by: guenter
Date: March 28, 2005 05:57AM

@N - agree with You on 1& 2 //
3? => i think they can make specially prepared pic to crash many current programs.
(e.g. huge pic in one color that is sort of zipped - if software does not check how big pic becomes after unzipping then PC runs out of memory - specially when OS does not reserve a rest for continued running / e.g. dos based windowses).
To check whether k-m has an insecurity?
i would look whether it hangs in limbo MSIE style or says this program has made error (the latter is "politically" correct) and shuts down.

The latter i consider sort of secure - it can be crashed but not exploited.

@Jan - i agree: would be nice if k-m core could like sylera or networker work with all new GRE. That way we would only have to secure our part of code and not bother with GRE which we get supplied any way.

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: fast sjonny
Date: March 28, 2005 09:09AM

Hi Guenter,

The problem with KM at this moment is that a real development team is missing; the Gecko engine is getting more popular at a high tempo, with all the security issues that belong to such a process, and the Mozilla crew is taking large steps forward now in the development process of FF/TB.

With a small team I think it is not easy to keep KM up to date with the latest security fixes and Gecko improvements included.

On the ftp-directory of Moz. there is also a separate Gecko available. Maybe that could be used to make this step?

Greetings from Holland,
Jan.

Re: Firefox 1.0.2
Posted by: Carlos
Date: March 28, 2005 10:35AM

Here is the description of the "gif flaw" and its workaround (turn off image display)

Mozilla Foundation Security Advisory 2005-30
Title: GIF heap overflow parsing Netscape extension 2
Severity: Critical
Risk: High
Reporter: Mark Dowd (ISS X-Force)
Products: Firefox, Thunderbird, Mozilla Suite

Fixed in: Firefox 1.0.2
Thunderbird 1.0.2
Mozilla Suite 1.7.6

Description

A GIF processing error when parsing the obsolete Netscape extension 2 can lead to an exploitable heap overrun, allowing an attacker to run arbitrary code on the user's machine.

Workaround
Turn off image display. Upgrade to the fixed version.

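Added example, not part of the thread and not Mozilla's code: a bounds-checked C walker over GIF blocks that reports NETSCAPE2.0 application extensions and the first byte of each of their sub-blocks, so image files can be checked while a Gecko without the fix is still in use. It assumes the advisory's "Netscape extension 2" is the sub-block whose first byte is 2; `gif_report`, `scan_gif` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Scan result; the struct and function names are made up for this example. */
struct gif_report { int ok; unsigned netscape_blocks, id1, id2, other_ids; };

/* Constructed sample: 1x1 GIF89a, no image data, one NETSCAPE2.0 block. */
static const uint8_t SAMPLE[] =
    "GIF89a\x01\x00\x01\x00\x00\x00\x00" "\x21\xFF\x0B" "NETSCAPE2.0" /* header, app ext */
    "\x03\x01\x00\x00" "\x05\x02\x00\x00\x00\x00" "\x00" "\x3B"; /* id 1, id 2, end, trailer */
/* Colour table size: 3 * 2^(N+1) bytes when the packed field's flag bit is set. */
static size_t palette_bytes(uint8_t p) { return (p & 0x80) ? (size_t)3 << ((p & 7) + 1) : 0; }
/* Walk length-prefixed sub-blocks, checking each length against the bytes left.
 * With r set, tally first bytes (2 is assumed to be the advisory's "extension 2"). */
static int walk_subblocks(const uint8_t *b, size_t len, size_t *pos, struct gif_report *r)
{
    for (;;) {
        if (*pos >= len) return -1;              /* terminator missing */
        size_t n = b[(*pos)++];
        if (n == 0) return 0;                    /* block terminator */
        if (n > len - *pos) return -1;           /* declared size overruns input */
        if (r && b[*pos] == 1) r->id1++;
        else if (r && b[*pos] == 2) r->id2++;
        else if (r) r->other_ids++;
        *pos += n;
    }
}

/* ok is 1 only if every block is well-formed and the trailer is reached. */
struct gif_report scan_gif(const uint8_t *b, size_t len)
{
    struct gif_report r = {0};
    if (len < 13 || (memcmp(b, "GIF87a", 6) && memcmp(b, "GIF89a", 6))) return r;
    size_t pos = 13 + palette_bytes(b[10]);      /* header + screen descriptor */
    while (pos < len) {
        uint8_t tag = b[pos++];
        struct gif_report *sink = NULL;
        if (tag == 0x3B) { r.ok = 1; return r; }             /* trailer */
        if (tag == 0x2C) {                                   /* image descriptor */
            if (len - pos < 9 || 10 + palette_bytes(b[pos + 8]) > len - pos) return r;
            pos += 10 + palette_bytes(b[pos + 8]);   /* descriptor, table, LZW size */
        } else if (tag == 0x21) {                            /* extension + label */
            if (pos >= len) return r;
            if (b[pos++] == 0xFF && len - pos >= 12 && b[pos] == 11 &&
                memcmp(b + pos + 1, "NETSCAPE2.0", 11) == 0) {
                r.netscape_blocks++; pos += 12; sink = &r;
            }
        } else return r;                                     /* unknown block type */
        if (walk_subblocks(b, len, &pos, sink)) return r;
    }
    return r;                                                /* trailer never seen */
}

int main(void)
{
    struct gif_report r = scan_gif(SAMPLE, sizeof SAMPLE - 1);
    printf("ok=%d netscape=%u id1=%u id2=%u other=%u\n", r.ok, r.netscape_blocks, r.id1, r.id2, r.other_ids);
    return 0;
}
```
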
Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: guenter
Date: March 28, 2005 12:24PM

@hi Jan - i did not test standard 0.9 (i assume that would work too) - but i know that HAOs static runs with almost all 1.7.x GRE : o ))

the time consuming problem is fixing things/problems with slight chrome alterations.

I am working on/experimenting with a chrome hack that will permit use of FF chrome.
(sort of working... but with some about: are not... the usual messy lengthy story).
Hao looks into k-m source code. (but also has other urgent work)

@hi Carlos, copying the needed files into a fixed mozilla (that is extracted from zip file not exe installer) -(else use GRE which is installed in Mozilla applications = make a copy to other location) - will run k-m with fixes in GRE (if the fixes are in GRE) -

You would use k-m chrome, kplugins, defaults and skins plus k-m exe.

p. s. And naturally some luck - k-meleon is not always and sometimes not with everything working/starting on that - see my re for jan - ; o )
(& if the Mozilla fixes are in chrome = tough luck).

@all greetings

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: Penang
Date: March 29, 2005 05:32AM

Can someone point me to the mozilla ftp site where I can get pure gecko builds ? On ftp://ftp.mozilla.org/pub/mozilla.org I don't see any "gecko" listing anywhere.

Thanks !!

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: guenter
Date: March 29, 2005 06:36AM

http://www.mozilla.org/products/mozilla1.x/ (for 1.7.6 and 1.8.x versions)

from there You can also go to nightlies

http://ftp.mozilla.org/pub/mozilla.org/mozilla/nightly/latest-trunk/

there You can likely get latest 1.7.6 ... zips and exes.
greetings

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: guenter
Date: March 29, 2005 01:13PM

i was wrong about second url - only 1.8.b2 zip there - sorry

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: Fast Sjonny
Date: March 29, 2005 03:12PM

I can be wrong of course but I think the second link is also right.
In the trunk directory there are also three compressed packages for the Geckos

Jan

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: ra
Date: March 29, 2005 06:23PM

There are Gecko *SDK*s. I'm not sure if Penang was after a software development kit? There's no "Gecko, only" download as far as I know.

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: Fast Sjonny
Date: March 29, 2005 09:07PM

Hi Ra,

You are right, that's it. Sorry ;-))

But.... when I am making builds for Linux, in the directory where the new build is made, the Gecko is also built as far as I know. So I think this is the same when you are making a Mozilla build under Windows. That could be the solution then....

Jan

Re: Firefox 1.0.2
Posted by: guenter
Date: March 30, 2005 04:59AM

after a zipped 1.7.6? because that is easiest to change to a 1.7.6 GRE updated k-m?
but there is only a 1.8.x as far as i found in that directory, that is what i meant.

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: Fred
Date: March 30, 2005 05:35AM

Mozilla 1.7.6 zipped is in
http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.6/
and Mozilla 1.8b1 zipped in
http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.8b1/

K-Meleon from Hao's 019PR1 works in Mozilla 1.7.6.
To get a history.txt, I copied the file compreg.dat from
the 019PR1 build over to Mozilla's components directory.

In Mozilla 1.8b1 it only worked with Hao's K-MeleonCFFexpress(18)
and additionally the two files from VisualC++.
The history is in chrome://communicator/content/history/history.xul .
I made a macro for it.
The bug when right-click on buttons was also there. "Search" has to
be put on left click in toolbars.cfg, using the rebarmenu, as well as
other right-click features.

This really is a new possibility instead of constant k-meleon updates.

Fred

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: Fred
Date: March 30, 2005 06:14AM

A little correction: I tried Mozilla 1.7.6 with Hao's 019PR3 .
K-meleon.exe, chrome, defaults, skins, and compreg.dat from
components.

Fred

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: guenter
Date: March 30, 2005 10:20AM

thx for locating them Fred!

IMHO almost all 1.7.5 k-m will start with any 1.7.x GRE.

I tried with Ulf-standard 0.9, those from Hao that Fred mentions, Hao´s static made from FF sources, Clickfishs German issue which is also compiled from FF sources and says he is 1.7.6 in the credits - Rumpels German which is possibly a resource hacked Ulf-standard. There are some other test releases based on 0.8.2 which i have tried with 1.7.1 activeX control a long time ago.

Other builds will start with 1.8.b2 GRE, among them some of Haos test builds, Dorians early non static builds, some test builds from Ulf.

Chromes: not all work well - FF chromes have become as small as k-m´s when zipped into compressed jar´s. The Chromes still look like a time consuming problem to me. There are automated processes but they seem not to always lead to success (and i do not know how to get automation working).

IMHO compreg.dat and xpti.dat are created by the browser
- when they are deleted they will be re-created.
my standard procedure is deleting - so that k-m must rewrite them.

I think this depends on whether they use the same libraries. (?)

I do not know whether regxpcom.exe can be used afterwards?
reason why i would like to know - some exe fail and say they are missing
xpcom exports - AFAIK there is a way to register and unregister these components. I do not know when and how it can be done?

I have been looking into Re-cycling k-m.exes since way back last year. Our few dev spent much time to prevent regration and have to alter tiny things - which comes from tiny alterations in Mozilla sources. It would be nice to be more independent of that so that especially Ulf could spend more time to hack on the k-m core.

If other people that are less accomplished than our devs could do the security updates - we could have security fixed on holes from GRE sooner.
My opinionated opinion ; o ))
kind regards

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: Fred
Date: March 30, 2005 12:26PM

Thank you, Guenter, for testing the different versions !
If one of these should be planned for downloading, it would be
necessary to eliminate the useless files, to make downloads
smaller. That could be a bit tedious. But the idea is worth
considering.
Regards Fred

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: guenter
Date: March 30, 2005 12:51PM


Yes i agree: would be nice to have them packaged like that
- but not really vital // not all are as curious/nosy as me.

Most here have a 0.9 and that is sufficient

I took the files from my old installs (like Carson & several others i keep them) - the only thing needed is a browser only install of Mozilla (or the full zip that You located - You can do more with that) into which chrome// defaults/menus etc. //kplugins //skins are copied.

Since Ulf´s standard k-m0.9 works fine with this install - everybody that has a 0.9 (or a fairly recent test k-m) will be able to upgrade to a new 1.7.x GRE (or 1.8.x depending on which issue a k-m.exe is built).

The Mozilla stuff can stay inside this new updated k-m, You can even use
Mozilla.exe or have several k-m.exe (with different names) for test purposes running from inside this directory.

the only ticklish part is to get k-m menus working since the
needed defaults locations can vary.
greetings to the mountains from boring flat Hannover, guenter

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: informer
Date: March 30, 2005 08:25PM

just an info-link for the german speaking ppl in here (particular slightly OT, but nvm):

http://www.heise.de/security/artikel/55576

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: guenter
Date: March 31, 2005 04:27AM

no informer - in general forum we discuss what we like, nothing is OT here.
greetings from heise town hannover

K-Meleon 0.9 update to Gecko 1.7.6 download
Posted by: guenter
Date: April 01, 2005 05:43AM

No guarantee that it will work or serves any purpose
other than stealing Your download time,
click free download at the bottom
then wait and click download file.

http://rapidshare.de/files/1085213/km0.9_gre1.7.6.exe.html

thx to Mozilla 4 GRE,
K-M devs Ulf, jsnj, Andrew, Al, other dev supporters & beta testers 4 k-m0.9,
Jan for skin & Eyes-Only 4 throbber - and many others that i do not remember by heart (senior moments ; o ) - greetings

p. s. for all those that lack time to make update to 1.7.6 themselves.
I did not have time to update chrome - tested under win-xp and ME.

k-m 0.9 to update GRE 1.7.6
Posted by: guenter
Date: April 01, 2005 06:06AM

no warranty - again i thank the k-m dev crew 4 creating 0.9

http://home.htp-tel.de/sterntaler/k_m0.9_4_GRE1.7.x.exe

that is k-m part that is needed to update a GRE 1.7.6 downloaded from Mozilla.org
(maybe You have or get a new Thunderbird or Mozilla?).

The file is only 1.3 mb. You should make a backup of the GRE that You want to update (this may not work with all GRE - but should work with all win32 GRE 1.7.6
that have been compiled with the same compiler as Ulf has used)

GRE are either in Mozilla folder or subsequent Location at Your local harddisk

../Program file/common files/mozilla.org/GRE

(or something similar - since here the folder and path have German names).
1.3 mb was just small enough to fit on my small home page - which already
contains some java (lake) applets. greetings

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: guenter
Date: April 01, 2005 06:37AM

just found bug in my english skin.

layer button look like:

Layer/Window Buttons{

New{
%ifplugin macros & layers
macros(New)|New
New Page. Right-click for more options.
%else
%ifplugin layers
layers(Open)|New
New Layer. Right-click for more options.
%else
ID_NEW_BROWSER
New Window
%endif
%endif
toolhot.bmp[41]
}

Close{
%ifplugin layers
layers(Close)|CloseButton
Close Layer. Right-click for more options.
%else
ID_FILE_CLOSE|Close
Close Window
%endif
toolhot.bmp[42]
}
}

but it is harder to repair than to exchange skin to a new one by copying it into skin folder. sorry about bug (but i usually use a German version of it) greetz

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: Hao Jiang
Date: April 01, 2005 08:41AM

Great job! Guenter. I think we can call this version as K-Meleon 0.91 since it is like a real update to the official 0.9 K-Meleon. Thank you for your work.


Hao

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: ndebord
Date: April 01, 2005 03:57PM

Guenter and Hao,

This looks very promising. Will have to read through the thread to figure out how to proceed before I try it out!

:-)

N

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: guenter
Date: April 01, 2005 04:40PM

This is a beta that sort of works so far (and based on tested components)
- and maybe it is a solution to the problem of security issues in GRE.

about Chrome folder:
I think this is experimental, since we (i) do not know - whether and how far chrome must be updated (that is the major point - i think ) and whether all things work.
I remember that devs found lots of bugs and that they made several 0.9.
I also remember that we always had slight problems with little parts depending on chrome not working.

about: Components folder:
Also if i have missed a js or xpt in components that are needed some things may not work properly (i tried to use a minimum of files - if i shaved off one too many then something will not work : o ( .

about compiler etc:
I separated k-m part from GRE part. If both are from same Mozilla
(and with same compiler // that is as far as i know) they will work together without looking for minor nr. (k-m works with GRE 1.7. 1 till 1.7.6 so far).

k-m part is on my home page & can be joined with any 1.7.x GRE so far.

about DLLs and GRE:
I wonder whether i shall also place for download a pre-prepared 1.7.6 GRE that can be placed into k-m folder and just unzipped for making update there? I have tested that as well and had no problems.

GRE 1.7.6 single at mozilla is at:
http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.7.6/windows-xpi/
and called gre-win32-installer.zip
its install default is mentioned above in thread but can be influenced.

about: the complete download - do not set it as default for the time being.
and do not install into k-m default position.
greetings

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: guenter
Date: April 01, 2005 05:15PM

first real bug found: download manager does not open
fix: download & install: http://home.htp-tel.de/sterntaler/componets.exe
into components folder. (this probably contains too many files - but i have to hand check them again and want that browser works until then).

updated also: http://home.htp-tel.de/sterntaler/k_m0.9_4_GRE1.7.x.exe

which is 1.4 mb now and contains fix.

Bug remaining browser does not download xpi - which is probably done to a security fix by mozilla - Our browser is not prone to that -
but at the moment i am chocked a little.
greetz

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: guenter
Date: April 01, 2005 05:51PM

Fixed known solutions to found 2 bugs into download and uploaded to:

http://rapidshare.de/files/1091946/km0.9_gre1.7.6.exe.html

again - No guarantee that this package of k-m will work
or serves any purpose other than stealing Your download time,

click free download at the bottom then wait and click download file.

going off key until tomorrow.


You can contact me by mail via my home page:

http://home.htp-tel.de/sterntaler/

where a script that kept me spam free will feed my mail addi to Your mail program.

Re: Firefox 1.0.2 "critical update" and K-Meleon
Posted by: fast sjonny
Date: April 02, 2005 08:56AM

Nice work Guenter and Hao ;-))))))

Greetings from Holland,
Jan
