[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DSA 1840-1] New xulrunner packages fix several vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1840-1                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
July 23, 2009                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : xulrunner                                                                                                                                      
Vulnerability  : several vulnerabilities                                                                                                                        
Problem type   : remote                                                                                                                                         
Debian-specific: no                                                                                                                                             
CVE IDs        : CVE-2009-2462 CVE-2009-2463 CVE-2009-2464 CVE-2009-2465                                                                                        
                 CVE-2009-2466 CVE-2009-2467 CVE-2009-2469 CVE-2009-2471                                                                                        
                 CVE-2009-2472                                                                                                                                  

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies the
following problems:                                                     

CVE-2009-2462

Martijn Wargers, Arno Renevier, Jesse Ruderman, Olli Pettay and Blake
Kaplan disocvered several issues in the browser engine that could    
potentially lead to the execution of arbitrary code. (MFSA 2009-34)  

CVE-2009-2463

monarch2020 reported an integer overflow in a base64 decoding function.
(MFSA 2009-34)                                                         

CVE-2009-2464

Christophe Charron reported a possibly exploitable crash occuring when                                                                                                             
multiple RDF files were loaded in a XUL tree element. (MFSA 2009-34)                                                                                                               

CVE-2009-2465

Yongqian Li reported that an unsafe memory condition could be created by
specially crafted document. (MFSA 2009-34)                              

CVE-2009-2466

Peter Van der Beken, Mike Shaver, Jesse Ruderman, and Carsten Book
discovered several issues in the JavaScript engine that could possibly
lead to the execution of arbitrary JavaScript. (MFSA 2009-34)

CVE-2009-2467

Attila Suszter discovered an issue related to a specially crafted Flash
object, which could be used to run arbitrary code. (MFSA 2009-35)

CVE-2009-2469

PenPal discovered that it is possible to execute arbitrary code via a
specially crafted SVG element. (MFSA 2009-37)

CVE-2009-2471

Blake Kaplan discovered a flaw in the JavaScript engine that might allow
an attacker to execute arbitrary JavaScript with chrome privileges.
(MFSA 2009-39)

CVE-2009-2472

moz_bug_r_a4 discovered an issue in the JavaScript engine that could be
used to perform cross-site scripting attacks. (MFSA 2009-40)


For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.12-0lenny1.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

For the testing distribution (squeeze), these problems will be fixed
soon.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.12-1.


We recommend that you upgrade your xulrunner packages.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.12-0lenny1.dsc
    Size/MD5 checksum:     1784 2e69bafb336aca4645e1b2412480d646
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.12-0lenny1.diff.gz
    Size/MD5 checksum:   115977 272c3211139a5bc8b18589b13c2994ff
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.12.orig.tar.gz
    Size/MD5 checksum: 43962222 60c12321966d292048b4540ef6484661

Architecture independent packages:

  http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.12-0lenny1_all.deb
    Size/MD5 checksum:  1463680 bb282df0a8f54e0b9529ea17d6adb2f3

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.12-0lenny1_alpha.deb
    Size/MD5 checksum:   936648 2eb64e94b4cc213be6f6cfa8bfdc9a1c
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_alpha.deb
    Size/MD5 checksum:  9489172 d0634164e64df2a81116f0b28b83c9c8
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_alpha.deb
    Size/MD5 checksum:  3650294 22141e833d702cf88f156ee4db656f42
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.12-0lenny1_alpha.deb
    Size/MD5 checksum: 51074600 0fa0dabcddaa54a6254e8550c2a4afe0
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_alpha.deb
    Size/MD5 checksum:   221168 0e9d2c155e31532c784b656ed5388b9e
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.12-0lenny1_alpha.deb
    Size/MD5 checksum:   431058 8805ccf7e85238ce43dec92147619332
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.12-0lenny1_alpha.deb
    Size/MD5 checksum:   111666 80c24b0dfd1a158d34f78e6045b91ca4
  http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.12-0lenny1_alpha.deb
    Size/MD5 checksum:   163552 2e2962e508693791149682cae6cba482
  http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.12-0lenny1_alpha.deb
    Size/MD5 checksum:    71326 6a9373a92b1fc093e4b7c70069ff67b4

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_amd64.deb
    Size/MD5 checksum:  7716828 c16acd4ce667b6c084bdc39a9e096d11
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_amd64.deb
    Size/MD5 checksum:   222542 94d525cbb4d54889b70843822c0bdc38
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_amd64.deb
    Size/MD5 checksum:  3286630 dff8f78b0ec2d9960834da44667724eb
  http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.12-0lenny1_amd64.deb
    Size/MD5 checksum:    69238 f5399e5ceecf41c8eb4db5a072335740
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.12-0lenny1_amd64.deb
    Size/MD5 checksum: 50310982 867606879c209be1c13f3710d3c38ae6
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.12-0lenny1_amd64.deb
    Size/MD5 checksum:   101074 720e565c2e89dc6603532a7978b2d221
  http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.12-0lenny1_amd64.deb
    Size/MD5 checksum:   151576 d80252bbe931cbab101a89cb3f004a09
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.12-0lenny1_amd64.deb
    Size/MD5 checksum:   889814 211a7bc398826f2c56e15a843443d39d
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.12-0lenny1_amd64.deb
    Size/MD5 checksum:   373716 be621dfd49ae635ef4b4e114f8e50dba

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.12-0lenny1_armel.deb
    Size/MD5 checksum: 50098330 a0f5465dbc467dd1f985e2ca4712f7f9
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.12-0lenny1_armel.deb
    Size/MD5 checksum:    83980 4a4311a43473fe7930a52fdea5e4a5fe
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_armel.deb
    Size/MD5 checksum:  6948554 cfdbcb830720627b32f795b36f53f5b7
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_armel.deb
    Size/MD5 checksum:   222906 34e6471c847421be2ae16da3f918bcda
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.12-0lenny1_armel.deb
    Size/MD5 checksum:   821816 e250ee372508798ae9e1a68a6c4576f2
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_armel.deb
    Size/MD5 checksum:  3578140 f4707d6024a4b9f11ad1fd31882bf0ef
  http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.12-0lenny1_armel.deb
    Size/MD5 checksum:    69028 0291acaec552e2472fc4209d168cfc6c
  http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.12-0lenny1_armel.deb
    Size/MD5 checksum:   140978 773c60a149ba625ea1d5c89527d119c0
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.12-0lenny1_armel.deb
    Size/MD5 checksum:   352562 be66f00faa6afcede4278909e7f4e2a8

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.12-0lenny1_hppa.deb
    Size/MD5 checksum:   898622 5ea05f46dc2990b5b0054df8a30b1b58
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.12-0lenny1_hppa.deb
    Size/MD5 checksum:   411484 038614ad28aadfeae1abb5339b1251ab
  http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.12-0lenny1_hppa.deb
    Size/MD5 checksum:   158432 c676bfc26336590362ff680f85050906
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_hppa.deb
    Size/MD5 checksum:  3620828 3a43dc101337b981f9bd33906abe7799
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.12-0lenny1_hppa.deb
    Size/MD5 checksum:   105530 d200efc60ae614e57cead787ee85bef3
  http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.12-0lenny1_hppa.deb
    Size/MD5 checksum:    70610 2699e4fe85f2158ed608dbad8e20c38f
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.12-0lenny1_hppa.deb
    Size/MD5 checksum: 51198752 2386c56a0556e1f89dbcccdec8691031
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_hppa.deb
    Size/MD5 checksum:  9501658 0b6a0e1762a611b60912e721f7b9f9bb
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_hppa.deb
    Size/MD5 checksum:   222406 114b5a6f6fc97899e7935592646a5cbb

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_i386.deb
    Size/MD5 checksum:   222776 e0f2916c9c3abd448aa46f7665191b49
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.12-0lenny1_i386.deb
    Size/MD5 checksum:    78780 e73a6bfd378c752a8ac5fa7955fae17e
  http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.12-0lenny1_i386.deb
    Size/MD5 checksum:    67468 18f29aaf6c08b34274f15a48c653707e
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.12-0lenny1_i386.deb
    Size/MD5 checksum: 49480258 b14ed6c733c7d34d2021e806be6439d6
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_i386.deb
    Size/MD5 checksum:  6593788 4b4aec6b9005655ba7b80035fa8e6e17
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.12-0lenny1_i386.deb
    Size/MD5 checksum:   350290 e91ff2efb88c2f74fde18a008b56d6e2
  http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.12-0lenny1_i386.deb
    Size/MD5 checksum:   140982 3c9adef8f1b9f6f25c84e36eefda9a1a
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_i386.deb
    Size/MD5 checksum:  3564530 8402885a312d91bdcaffc7d4d65ac0b9
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.12-0lenny1_i386.deb
    Size/MD5 checksum:   851344 a4538a018fa23d8a53ebebee961849a9

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.12-0lenny1_ia64.deb
    Size/MD5 checksum:   179724 8761c9fbbc3f22d6a3a1126916c90bcc
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.12-0lenny1_ia64.deb
    Size/MD5 checksum:   542032 1b018fb59b737ac526625352b72d9b52
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_ia64.deb
    Size/MD5 checksum:  3396102 621e876f64da0046867a6904206fe88d
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_ia64.deb
    Size/MD5 checksum:   222738 cf7f9faab58a71b3593dbb50596d122c
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.12-0lenny1_ia64.deb
    Size/MD5 checksum: 49654530 7f19c4a0ac89e1516e2aba14ae8fc039
  http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.12-0lenny1_ia64.deb
    Size/MD5 checksum:    75710 bf66a6c1c04bb76fd5c8be3302264b5b
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_ia64.deb
    Size/MD5 checksum: 11291336 891f561351854e144105df6600e7b1a2
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.12-0lenny1_ia64.deb
    Size/MD5 checksum:   121190 60ace4c5b1e0de5c0a7276a20e6fa7ea
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.12-0lenny1_ia64.deb
    Size/MD5 checksum:   811128 d18f2c47908d2ac67175e3aaafaae9be

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.12-0lenny1_powerpc.deb
    Size/MD5 checksum:    94436 ab06fbe3a24959ef89f46354799e4f60
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.12-0lenny1_powerpc.deb
    Size/MD5 checksum: 51369574 2389d023864d099f4af1cd38c5dd0ab1
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_powerpc.deb
    Size/MD5 checksum:   222760 0fca732c6d2cc0dbc10d9709db31446e
  http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.12-0lenny1_powerpc.deb
    Size/MD5 checksum:    72382 1dbf9611e7482680ccb05387668b7aa8
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_powerpc.deb
    Size/MD5 checksum:  3282416 144ced7b46ff76a25a1b6b4aa826cf52
  http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.12-0lenny1_powerpc.deb
    Size/MD5 checksum:   151928 a2c697c4b815a9ec8ccbfa92e46437df
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.12-0lenny1_powerpc.deb
    Size/MD5 checksum:   887838 2c32e037063218fa7ad957f318bf67d0
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_powerpc.deb
    Size/MD5 checksum:  7269728 cd871cea39393f4e585c7462b7bd7f85
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.12-0lenny1_powerpc.deb
    Size/MD5 checksum:   361952 73feff1baa6ac1817c37e9e47be19693

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.12-0lenny1_s390.deb
    Size/MD5 checksum:   908910 9ad7f202181aa2aea2e0e5bcf7e7d3a0
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_s390.deb
    Size/MD5 checksum:   222738 500490bcdc39f3bf9df8c8adc201af3b
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_s390.deb
    Size/MD5 checksum:  3305062 cf82ab8dedc7b2c02102b1923bc2b990
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.12-0lenny1_s390.deb
    Size/MD5 checksum: 51146652 8d73626705e11a5f55617b5fe945a694
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.12-0lenny1_s390.deb
    Size/MD5 checksum:   406172 03dbc242b93c05c30fac54f5845a1a26
  http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.12-0lenny1_s390.deb
    Size/MD5 checksum:    72194 859204b8be6d3be3f1e5a44d66894d25
  http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.12-0lenny1_s390.deb
    Size/MD5 checksum:   155732 72eff38ad9f4336aee6999895b9dc2f8
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_s390.deb
    Size/MD5 checksum:  8379856 936c6c5f0803bdd9bf4e25389263026d
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.12-0lenny1_s390.deb
    Size/MD5 checksum:   105222 89354aa048d424d0657e03a3cb99efe0

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.12-0lenny1_sparc.deb
    Size/MD5 checksum:    68560 be1d93cebaecfded59be656d1c4be947
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.12-0lenny1_sparc.deb
    Size/MD5 checksum:  7162094 f8297c20997d2b907bdff9fed1bd17e7
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.12-0lenny1_sparc.deb
    Size/MD5 checksum:    87220 6e6e140211cab257b855337f78090ed8
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.12-0lenny1_sparc.deb
    Size/MD5 checksum:   821376 3d1f31c492ad4e0d2ff96be8004f8620
  http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.12-0lenny1_sparc.deb
    Size/MD5 checksum:   141574 340b55f67ab110b9dfd8201627856b96
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.12-0lenny1_sparc.deb
    Size/MD5 checksum:  3576272 c71288e6db975032807788800118883a
  http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.12-0lenny1_sparc.deb
    Size/MD5 checksum: 49334420 1983e56c55e840fdb7c140aa30ad4c09
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.12-0lenny1_sparc.deb
    Size/MD5 checksum:   221490 fdd4e1383544a7c463f2dac1e916303c
  http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.12-0lenny1_sparc.deb
    Size/MD5 checksum:   349248 1cb6c52c91701e3b11c0faa92da6d915


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpoL3sACgkQ62zWxYk/rQeLOQCfZpIetjwFR9tnH0lXSO76H+k2
UNUAnjHc6vlPCc8pgsdY9T3MMNU+dsF0
=GTlp
-----END PGP SIGNATURE-----


Reply to: