Debian Security Advisory
DSA-1306-1 xulrunner -- several vulnerabilities
- Date Reported:
- 12 Jun 2007
- Affected Packages:
- xulrunner
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2007-1362, CVE-2007-2867, CVE-2007-2868, CVE-2007-2869, CVE-2007-2870, CVE-2007-2871.
- More information:
-
Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems:
- CVE-2007-1362
Nicolas Derouet discovered that Xulrunner performs insufficient validation of cookies, which could lead to denial of service.
- CVE-2007-2867
Boris Zbarsky, Eli Friedman, Georgi Guninski, Jesse Ruderman, Martijn Wargers and Olli Pettay discovered crashes in the layout engine, which might allow the execution of arbitrary code.
- CVE-2007-2868
Brendan Eich, Igor Bukanov, Jesse Ruderman,
moz_bug_r_a4
and Wladimir Palant discovered crashes in the Javascript engine, which might allow the execution of arbitrary code. - CVE-2007-2869
Marcel
discovered that malicious web sites can cause massive resource consumption through the auto completion feature, resulting in denial of service. - CVE-2007-2870
moz_bug_r_a4
discovered that adding an event listener through theaddEventListener()function allows cross-site scripting. - CVE-2007-2871
Chris Thomas discovered that XUL popups can be abused for spoofing or phishing attacks.
The oldstable distribution (sarge) doesn't include xulrunner.
For the stable distribution (etch) these problems have been fixed in version 1.8.0.12-0etch1.
The unstable distribution (sid) will be fixed soon.
We recommend that you upgrade your xulrunner packages.
- CVE-2007-1362
- Fixed in:
-
Debian GNU/Linux 4.0 (etch)
- Source:
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1.dsc
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1.diff.gz
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12.orig.tar.gz
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.8.0.12-0etch1_all.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.8.0.12-0etch1_all.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-dev_1.8.0.12-0etch1_all.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-dev_1.8.0.12-0etch1_all.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libsmjs-dev_1.8.0.12-0etch1_all.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libsmjs1_1.8.0.12-0etch1_all.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul-common_1.8.0.12-0etch1_all.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul-dev_1.8.0.12-0etch1_all.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.8.0.12-0etch1_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_alpha.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_alpha.deb
- AMD64:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_amd64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_amd64.deb
- ARM:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_arm.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_arm.deb
- HPPA:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_hppa.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_hppa.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_i386.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_ia64.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_ia64.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_mips.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_mipsel.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_powerpc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_s390.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnspr4-0d-dbg_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-0d-dbg_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libnss3-tools_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libxul0d-dbg_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-gnome-support_1.8.0.12-0etch1_sparc.deb
- http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs0d-dbg_1.8.0.12-0etch1_sparc.deb
MD5 checksums of the listed files are available in the original advisory.