lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 19 Jun 2009 00:13:03 +1000 (EST)
From: (Steffen Joeris)
Subject: [SECURITY] [DSA 1820-1] New xulrunner packages fix several vulnerabilities

Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1820-1                              Steffen Joeris
June 18, 2009               
- ------------------------------------------------------------------------

Package        : xulrunner                            
Vulnerability  : several vulnerabilities              
Problem type   : remote                               
Debian-specific: no                                   
CVE IDs        : CVE-2009-1392 CVE-2009-1832 CVE-2009-1833 CVE-2009-1834 CVE-2009-1835
                 CVE-2009-1836 CVE-2009-1837 CVE-2009-1838 CVE-2009-1839 CVE-2009-1840

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies the
following problems:                                                     


Several issues in the browser engine have been discovered, which can
result in the execution of arbitrary code. (MFSA 2009-24)           


It is possible to execute arbitrary code via vectors involving "double
frame construction." (MFSA 2009-24)                                   


Jesse Ruderman and Adam Hauner discovered a problem in the JavaScript
engine, which could lead to the execution of arbitrary code.         
(MFSA 2009-24)                                                       


Pavel Cvrcek discovered a potential issue leading to a spoofing attack
on the location bar related to certain invalid unicode characters.    
(MFSA 2009-25)                                                        


Gregory Fleischer discovered that it is possible to read arbitrary
cookies via a crafted HTML document. (MFSA 2009-26)               


Shuo Chen, Ziqing Mao, Yi-Min Wang and Ming Zhang reported a potential
man-in-the-middle attack, when using a proxy due to insufficient checks
on a certain proxy response. (MFSA 2009-27)                            


Jakob Balle and Carsten Eiram reported a race condition in the
NPObjWrapper_NewResolve function that can be used to execute arbitrary
code. (MFSA 2009-28)                                                  


moz_bug_r_a4 discovered that it is possible to execute arbitrary
JavaScript with chrome privileges due to an error in the
garbage-collection implementation. (MFSA 2009-29)


Adam Barth and Collin Jackson reported a potential privilege escalation
when loading a file::resource via the location bar. (MFSA 2009-30)


Wladimir Palant discovered that it is possible to bypass access
restrictions due to a lack of content policy check, when loading a
script file into a XUL document. (MFSA 2009-31)


moz_bug_r_a4 reported that it is possible for scripts from page content
to run with elevated privileges and thus potentially executing arbitrary
code with the object's chrome privileges. (MFSA 2009-32)

For the stable distribution (lenny), these problems have been fixed in

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

For the testing distribution (squeeze), these problems will be fixed

For the unstable distribution (sid), these problems have been fixed in

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:
    Size/MD5 checksum: 43878486 54e05857f54ecaaf8c18a8ff8977ede9
    Size/MD5 checksum:   116016 9e90e48c64a417b432c07204a0cca3c7
    Size/MD5 checksum:     1784 9da4109122928e729c43e1ad227ef3ee

Architecture independent packages:
    Size/MD5 checksum:  1481072 a2c38ce502706675d7e19b6cfec10322

alpha architecture (DEC Alpha)
    Size/MD5 checksum:   220876 b9c7195b3e22cb49b804bcdc98a5f29a
    Size/MD5 checksum:   111596 d8bf448a074e007530fcbdc2ace286e2
    Size/MD5 checksum:   429342 3100f5645733df46d6ee8a9328d71551
    Size/MD5 checksum: 51057266 d4ff87cf5448643ec1257907b7b08320
    Size/MD5 checksum:  3648766 d150d9e0dd5b51c8d7cef73885708f95
    Size/MD5 checksum:    71262 a468cff5e3a9d9ae2a7ecdafa3ef6aa1
    Size/MD5 checksum:   933344 433a560fa4008f875d82263f5f27a522
    Size/MD5 checksum:   163490 0c7a249d86b2d65e132e3a6116fecc31
    Size/MD5 checksum:  9484858 c7fceefe6a70c5077aef044262ffcee3

amd64 architecture (AMD x86_64 (AMD64))
    Size/MD5 checksum:   885336 0719dd55e918cd43d5f8bb28453d1ee8
    Size/MD5 checksum:   223278 6ce156d2bd8d5cec60c3322bd10277ea
    Size/MD5 checksum:    69806 5b58470d7a139f1de45d37dd894711fd
    Size/MD5 checksum:  3587810 6563cb58d7d914ac16948cd30a981f92
    Size/MD5 checksum:   373314 406f78cdf84f1cbe75a57aee36eaa1d4
    Size/MD5 checksum:   101190 417ca47d52a6f0b874dee0473d520f10
    Size/MD5 checksum: 50305324 4a56a34e5287acbf6643a94481e4a53e
    Size/MD5 checksum:   151070 37a3d7bac733f0fe022a60642204d490
    Size/MD5 checksum:  7733630 1bd17ebcf26b1b69960654134b222367

arm architecture (ARM)
    Size/MD5 checksum:   348214 aaf36fcde01af6ab9c8910c74eca24ec
    Size/MD5 checksum:   140298 b0e59d229b23a7ae778d9cd669fee278
    Size/MD5 checksum:  6781858 23d3f3b80b854b493df8a5b4b0d74573
    Size/MD5 checksum:  3577702 8d722a076134736a4d4071c8d54a6c01
    Size/MD5 checksum:    67532 0771c01c13443b2c8c1ad638bc02efa4
    Size/MD5 checksum:   221312 c61bafa4cc40e8111b2ecae730ef2512
    Size/MD5 checksum:   813238 9c9019b072ffe9aabe4595de5f61239d
    Size/MD5 checksum:    83454 39562d358d257270b4a35a0857d39d84
    Size/MD5 checksum: 49242060 82a8c186e6243aa8d26177c9ea17f84f

armel architecture (ARM EABI)
    Size/MD5 checksum:  3577974 10ad8d802b67feac72288b50f8982913
    Size/MD5 checksum:   141760 cb82f05c2a7d0f2bcf59dc312f046861
    Size/MD5 checksum:    69730 b2dee532d05c0d2c142f19291752b6ef
    Size/MD5 checksum:    84048 c27d4e1db5d11e1c0cc5b52154d8ccf3
    Size/MD5 checksum:   819430 f0dd69de275b66c8ac477dcc35c53f7f
    Size/MD5 checksum:  6945398 623a2422199fecf2b0789be43b45a1e1
    Size/MD5 checksum:   350732 9e8b7c5f70580b9c83de8388bb3c8282
    Size/MD5 checksum:   222338 d0b32bbf4683bed84f47e64b882e2803
    Size/MD5 checksum: 50082962 9441b288c89302e95521eeb771033e76

hppa architecture (HP PA RISC)
    Size/MD5 checksum:   409254 cdaf90024b3ee42d93e4b47396c4e2c8
    Size/MD5 checksum:  3619220 486dcd3039366608220bde599536fd3f
    Size/MD5 checksum:   158366 edbfe8b6a65138e17a6749f1f9f74f6e
    Size/MD5 checksum:   896076 4e7bf4b3b346406b242799492d7c52d7
    Size/MD5 checksum:  9498572 ac01a178199d355ca14acfbe694dd5ff
    Size/MD5 checksum:   105466 16dde9161789bfa5ecdff4b33699ba0b
    Size/MD5 checksum: 51178368 ab80ce0bfcad0c4ba7f6a8e1696f18c1
    Size/MD5 checksum:    70546 480722ae9b031c03e1b160b5d3d9c8b0
    Size/MD5 checksum:   222064 2ab947cf77e78386a2b6026a1d04ce67

i386 architecture (Intel ia32)
    Size/MD5 checksum:  3562742 14cd4e8f8a92e112f9bdc70785b2c366
    Size/MD5 checksum:  6592362 7cda737dd6f323028419ae3335c1f735
    Size/MD5 checksum:   140928 bca0b8180b6154e0614fbbba62b723d2
    Size/MD5 checksum:   849710 51452041e9c71287ef7cc84efd6e9075
    Size/MD5 checksum:    78724 d4cb9e6cdc3ed15a5f8ee090641f7077
    Size/MD5 checksum:    67420 3496ca0c0579daa3071699492cee80f2
    Size/MD5 checksum: 49453720 d066dfc3d56bf77cd6e819bebc92530b
    Size/MD5 checksum:   222484 7f7935702977c7873521e24655c83224
    Size/MD5 checksum:   348428 aa075e8a873ba8794dead19b05dbfeef

ia64 architecture (Intel ia64)
    Size/MD5 checksum: 49623688 6afd6469c2c80b0d3d973d8a50d31e8b
    Size/MD5 checksum:   179684 f7d0307dffc0aaad7cff3e78e92cd41c
    Size/MD5 checksum:    75646 b88ac5a740b258d93f2a19850751aa13
    Size/MD5 checksum:  3393510 d6bfd74513c42b56100c9593ad0f95e8
    Size/MD5 checksum:   121130 7687535ccc491bddd3f73f840e7e20e1
    Size/MD5 checksum:   222480 b784a7c95fcaf07b6da14317c4b0c069
    Size/MD5 checksum:   539108 d20da7adc0bf340bf9fd809569be6579
    Size/MD5 checksum:   809520 51774edfca03bc47a3f3d68923fcec60
    Size/MD5 checksum: 11286510 dcac7e53599a26f69dd54a76de139842

mips architecture (MIPS (Big Endian))
    Size/MD5 checksum: 51812570 d3d0183f3132a16f446bcdd78ab75967
    Size/MD5 checksum:  3610174 4c156e4001e6016d937dd0b76ed580dc
    Size/MD5 checksum:   915412 c1bfe8ad7c499582ef8c977ccef65f27
    Size/MD5 checksum:   144332 77ee78102394d802e258082f7addbcbe
    Size/MD5 checksum:    96722 56777daacaa360b84b4e3aa05edecd71
    Size/MD5 checksum:   222244 fbdd53f3ff72b6a29c8ce39cc3cfe10f
    Size/MD5 checksum:  7658916 408c0db56ae40697122fd88f50193934
    Size/MD5 checksum:    69514 d0e2e575d784499420754c8abd9af50a
    Size/MD5 checksum:   377778 a5ab1e24584957a6cb1cb666457c0a89

mipsel architecture (MIPS (Little Endian))
    Size/MD5 checksum:   897114 87ae9cba0faeb97a2687345e87adf392
    Size/MD5 checksum: 49926646 89fa718bb331b75385eeae8c9801a67c
    Size/MD5 checksum:   222480 dbc4aa1edc02a0ec874f0bfaebfbdee8
    Size/MD5 checksum:    69156 0ad7389bc3f06f24e767737fbc52e9fc
    Size/MD5 checksum:  7368776 93e78ea1a6712faab89a33c1e4dfaab6
    Size/MD5 checksum:  3304946 aa29a73dcd93f7fc4dfec2265f75490d
    Size/MD5 checksum:   144620 9b45d1a05b6f6fb36785ecc078718da5
    Size/MD5 checksum:    96374 b9f28757e4af8d8de9c625e33127b371
    Size/MD5 checksum:   375560 c8896414f96b935e06e84183dcfdbe59

powerpc architecture (PowerPC)
    Size/MD5 checksum:  3577026 01717cbc10caefb1b0b01c0b5fd1f94d
    Size/MD5 checksum:  7283612 316443439ef6ae959a35ea9f9f448f72
    Size/MD5 checksum:   360002 b54823b9a6c42cc9e2fc96d20340b503
    Size/MD5 checksum:   222826 92df5e4ac3c9c4c37d7569c768b2f888
    Size/MD5 checksum:    72594 9c0f3abc92447af9b2729145f4665270
    Size/MD5 checksum:   886178 6e0c34af00e47444c57dbdd74d7615bd
    Size/MD5 checksum: 51355158 973470eacfa59e590390e02bbd594865
    Size/MD5 checksum:    94292 8c5db950d96fc61804236569673d357e
    Size/MD5 checksum:   152542 6c9e947aea31a946e2716d9b55638d9e

s390 architecture (IBM S/390)
    Size/MD5 checksum:  3302788 dee47f233c50057abf09e5711f4f81f6
    Size/MD5 checksum:   222476 ebbc066f3849e6f76b4312220de0e541
    Size/MD5 checksum: 51133352 668c4d6a8e1d07300f8c2dc167ed2565
    Size/MD5 checksum:    72146 daa378828aa27c1bdb2bc156a44b6bd1
    Size/MD5 checksum:   404426 d74cb3f836b87095737383827f830f93
    Size/MD5 checksum:   105168 c9466fe1af7b4c52768a29d5a689f85e
    Size/MD5 checksum:   155676 7aee79fa600cdbeb1331ab39afe4c58f
    Size/MD5 checksum:   906764 d27506e74851bbbb7981906a82a9979a
    Size/MD5 checksum:  8378072 b7a585304a0c7d6960d42837ecae5850

sparc architecture (Sun SPARC/UltraSPARC)
    Size/MD5 checksum: 49318092 524a8852efe2065eba2903375f331bd2
    Size/MD5 checksum:  7159518 abb575798284a03076b980b581b05408
    Size/MD5 checksum:   346694 d1f904bb74f77b8a5336ca36d3e893fb
    Size/MD5 checksum:   141522 418022086d352f0be7ed5f578cf791dc
    Size/MD5 checksum:    87158 9b2c0c57e26431ba5f811e1bd871019d
    Size/MD5 checksum:  3573726 b49ea475fc28bc37b32c03ea6c89f6ec
    Size/MD5 checksum:   818434 5a0e97b8225bf527094d7bfb1452753a
    Size/MD5 checksum:   221162 87d61c492ba05a96c67832a1df421bf1
    Size/MD5 checksum:    68500 cd24b46bdd1061b1de29b6ed8df7ce2f

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>
Version: GnuPG v1.4.9 (GNU/Linux)


Powered by blists - more mailing lists