Debian Security Advisory

DSA-838-1 mozilla-firefox -- multiple vulnerabilities

Date Reported:
02 Oct 2005
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2005-2701, CVE-2005-2702, CVE-2005-2703, CVE-2005-2704, CVE-2005-2705, CVE-2005-2706, CVE-2005-2707.
More information:

Multiple security vulnerabilities have been identified in the mozilla-firefox web browser. These vulnerabilities could allow an attacker to execute code on the victim's machine via specially crafted network resources.

  • CAN-2005-2701

    Heap overrun in XBM image processing

  • CAN-2005-2702

    Denial of service (crash) and possible execution of arbitrary code via Unicode sequences with "zero-width non-joiner" characters.

  • CAN-2005-2703

    XMLHttpRequest header spoofing

  • CAN-2005-2704

    Object spoofing using XBL <implements>

  • CAN-2005-2705

    JavaScript integer overflow

  • CAN-2005-2706

    Privilege escalation using about: scheme

  • CAN-2005-2707

    Chrome window spoofing allowing windows to be created without UI components such as a URL bar or status bar that could be used to carry out phishing attacks

For the stable distribution (sarge), these problems have been fixed in version 1.0.4-2sarge5.

For the unstable distribution (sid), these problems have been fixed in version 1.0.7-1.

We recommend that you upgrade your mozilla-firefox package.

Fixed in:

Debian GNU/Linux 3.1 (sarge)

Intel IA-32:
Intel IA-64:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.