Säkerhetsbulletin från Debian

DSA-1885-1 xulrunner -- flera sårbarheter

Rapporterat den:
2009-09-14
Berörda paket:
xulrunner
Sårbara:
Ja
Referenser i säkerhetsdatabaser:
I Mitres CVE-förteckning: CVE-2009-3070, CVE-2009-3071, CVE-2009-3072, CVE-2009-3074, CVE-2009-3075, CVE-2009-3076, CVE-2009-3077, CVE-2009-3078.
Ytterligare information:

Flera utifrån nåbara sårbarheter har upptäckts i Xulrunner, en körtidsmiljö för XUL-applikationer, såsom webbläsaren Iceweasel. Projektet Common Vulnerabilities and Exposures identifierar följande problem:

  • CVE-2009-3070

    Jesse Ruderman upptäckte krascher i layoutmotorn, som kan tillåta exekvering av godtycklig kod.

  • CVE-2009-3071

    Daniel Holbert, Jesse Ruderman, Olli Pettay och "toshi" upptäckte krascher i layoutmotorn, som kan tillåta exekvering av godtycklig kod.

  • CVE-2009-3072

    Josh Soref, Jesse Ruderman och Martin Wargers upptäckte krascher i layoutmotorn, som kan tillåta exekvering av godtycklig kod.

  • CVE-2009-3074

    Jesse Ruderman upptäckte en krasch i Javascriptmotorn, som kan tillåta exekvering av godtycklig kod.

  • CVE-2009-3075

    Carsten Book och "Taral" upptäckte krascher i layoutmotorn, som kan tillåta exekvering av godtycklig kod.

  • CVE-2009-3076

    Jesse Ruderman upptäckte att användargränssnittet för att installera/ta bort säkerhetsmodulerna PCKS #11 inte var tillräckligt informativt, vilket kunde tillåta bondfångeri (social engineering attacks).

  • CVE-2009-3077

    Det upptäcktes att felaktig pekarhantering i XUL-tolkaren kunde leda till exekvering av godtycklig kod.

  • CVE-2009-3078

    Juan Pablo Lopez Yacubian upptäckte att felaktig visning av några Unicodetypsnittstecken kunde leda till imitationsangrepp på platsfältet.

För den stabila utgåvan (Lenny) har dessa problem rättats i version 1.9.0.14-0lenny1.

Precis som nämndes i versionsfakta för Etch, behövdes säkerhetsstödet för Mozilla-produkterna i den gamla stabila utgåvan avslutas innan slutet av den ordinarie livscykeln för säkerhetsarbetet för Etch. Ni uppmanas starkt att uppgradera till den stabila utgåvan eller byta till en webbläsare som fortfarande stöds.

För den instabila utgåvan (Sid) har dessa problem rättats i version 1.9.0.14-1.

För den experimentella utgåvan har dessa problem rättats i version 1.9.1.3-1.

Vi rekommenderar att ni uppgraderar ert xulrunner-paket.

Rättat i:

Debian GNU/Linux 5.0 (lenny)

Källkod:
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.14.orig.tar.gz
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.14-0lenny1.dsc
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.14-0lenny1.diff.gz
Arkitekturoberoende komponent:
http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.14-0lenny1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_alpha.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_alpha.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_alpha.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_alpha.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_alpha.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_alpha.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_alpha.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_alpha.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_amd64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_amd64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_amd64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_amd64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_amd64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_amd64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_amd64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_amd64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_arm.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_arm.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_arm.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_arm.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_arm.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_arm.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_arm.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_arm.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_armel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_armel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_armel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_armel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_armel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_armel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_armel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_armel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_hppa.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_hppa.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_hppa.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_hppa.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_hppa.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_hppa.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_hppa.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_hppa.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_i386.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_i386.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_i386.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_i386.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_i386.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_i386.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_i386.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_i386.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_ia64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_ia64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_ia64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_ia64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_ia64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_ia64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_ia64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_ia64.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_mips.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_mips.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_mips.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_mips.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_mips.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_mips.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_mips.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_mips.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_mipsel.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_powerpc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_s390.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_s390.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_s390.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_s390.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_s390.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_s390.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_s390.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_s390.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.14-0lenny1_sparc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.14-0lenny1_sparc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.14-0lenny1_sparc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.14-0lenny1_sparc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.14-0lenny1_sparc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.14-0lenny1_sparc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.14-0lenny1_sparc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.14-0lenny1_sparc.deb
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.14-0lenny1_sparc.deb

MD5-kontrollsummor för dessa filer finns i originalbulletinen.