Debian Security Advisory
DSA-1922-1 xulrunner -- several vulnerabilities
- Date reported:
- 2009-10-28
- Affected packages:
- xulrunner
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2009-3274, CVE-2009-3370, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3380, CVE-2009-3382.
- More information:
Several remotely exploitable vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2009-3380
Vladimir Vukicevic, Jesse Ruderman, Martijn Wargers, Daniel Banchero, David Keeler and Boris Zbarsky reported crashes in the layout engine, which might allow the execution of arbitrary code.
- CVE-2009-3382
Carsten Book reported a crash in the layout engine, which might allow the execution of arbitrary code.
- CVE-2009-3376
Jesse Ruderman and Sid Stamm discovered a spoofing vulnerability in the file download dialog.
- CVE-2009-3375
Gregory Fleischer discovered a bypass of the same-origin policy using the document.getSelection() function.
- CVE-2009-3374
moz_bug_r_a4 discovered a privilege escalation to Chrome status in the XPCOM utility XPCVariant::VariantDataToJS.
- CVE-2009-3373
regenrecht discovered a buffer overflow in the GIF parser, which might lead to the execution of arbitrary code.
- CVE-2009-3372
Marco C. discovered that a programming error in the proxy auto-configuration code might lead to denial of service or the execution of arbitrary code.
- CVE-2009-3274
Jeremy Brown discovered that the filename of a downloaded file that is opened by the user is predictable, which allows an attacker with local access to the system to trick the user into opening a malicious file.
- CVE-2009-3370
Paul Stone discovered that history information from web forms could be stolen.
For the stable distribution (Lenny), these problems have been fixed in version 1.9.0.15-0lenny1.
As indicated in the Etch release notes, security support for the Mozilla products in the old stable distribution needed to be stopped before the end of the regular Etch security support cycle. We strongly encourage you to upgrade to the stable distribution or switch to a browser that is still supported.
For the unstable distribution (Sid), these problems have been fixed in version 1.9.1.4-1.
We recommend that you upgrade your xulrunner packages.
- Fixed in:
Debian GNU/Linux 5.0 (lenny)
- Source:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.15-0lenny1.diff.gz
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.15-0lenny1.dsc
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.15.orig.tar.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.15-0lenny1_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.15-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.15-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.15-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.15-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.15-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.15-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.15-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.15-0lenny1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.15-0lenny1_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.15-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.15-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.15-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.15-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.15-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.15-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.15-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.15-0lenny1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.15-0lenny1_amd64.deb
- ARM EABI:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.15-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.15-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.15-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.15-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.15-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.15-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.15-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.15-0lenny1_armel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.15-0lenny1_armel.deb
- HP Precision:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.15-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.15-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.15-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.15-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.15-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.15-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.15-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.15-0lenny1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.15-0lenny1_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.15-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.15-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.15-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.15-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.15-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.15-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.15-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.15-0lenny1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.15-0lenny1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.15-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.15-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.15-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.15-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.15-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.15-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.15-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.15-0lenny1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.15-0lenny1_ia64.deb
- Little-endian MIPS:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.15-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.15-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.15-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.15-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.15-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.15-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.15-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.15-0lenny1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.15-0lenny1_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.15-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.15-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.15-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.15-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.15-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.15-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.15-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.15-0lenny1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.15-0lenny1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.15-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.15-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.15-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.15-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.15-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.15-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.15-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.15-0lenny1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.15-0lenny1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.15-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.15-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.15-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.15-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.15-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.15-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.15-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.15-0lenny1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.15-0lenny1_sparc.deb
MD5 checksums for these files are available in the original advisory.
