From: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------ Debian Security Advisory DSA-1669-1 [email protected] http://www.debian.org/security/ Moritz Muehlenhoff November 23, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : xulrunner
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2008-0016 CVE-2008-3835 CVE-2008-3836 CVE-2008-3837 CVE-2008-4058 CVE-2008-4059 CVE-2008-4060 CVE-2008-4061 CVE-2008-4062 CVE-2008-4065 CVE-2008-4066 CVE-2008-4067 CVE-2008-4068 CVE-2008-4069 CVE-2008-4582 CVE-2008-5012 CVE-2008-5013
CVE-2008-5014 CVE-2008-5017 CVE-2008-5018 CVE-2008-0017 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:

CVE-2008-0016

Justin Schuh, Tom Cross and Peter Williams discovered a buffer
overflow in the parser for UTF-8 URLs, which may lead to the
execution of arbitrary code.

CVE-2008-3835

"moz_bug_r_a4" discovered that the same-origin check in
nsXMLDocument::OnChannelRedirect() could by bypassed.

CVE-2008-3836

"moz_bug_r_a4" discovered that several vulnerabilities in
feedWriter could lead to Chrome privilege escalation.

CVE-2008-3837

Paul Nickerson discovered that an attacker could move windows
during a mouse click, resulting in unwanted action triggered by
drag-and-drop.

CVE-2008-4058

"moz_bug_r_a4" discovered a vulnerability which can result in
Chrome privilege escalation through XPCNativeWrappers.

CVE-2008-4059

"moz_bug_r_a4" discovered a vulnerability which can result in
Chrome privilege escalation through XPCNativeWrappers.

CVE-2008-4060

Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege
escalation vulnerability in XSLT handling.

CVE-2008-4061

Jesse Ruderman discovered a crash in the layout engine, which might
allow the execution of arbitrary code.

CVE-2008-4062

Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour
discovered crashes in the Javascript engine, which might allow the
execution of arbitrary code.

CVE-2008-4065

Dave Reed discovered that some Unicode byte order marks are
stripped from Javascript code before execution, which can result in
code being executed, which were otherwise part of a quoted string.

CVE-2008-4066

Gareth Heyes discovered that some Unicode surrogate characters are
ignored by the HTML parser.

CVE-2008-4067

Boris Zbarsky discovered that resource: URls allow directory
traversal when using URL-encoded slashes.

CVE-2008-4068

Georgi Guninski discovered that resource: URLs could bypass local
access restrictions.

CVE-2008-4069

Billy Hoffman discovered that the XBM decoder could reveal
uninitialised memory.

CVE-2008-4582

Liu Die Yu discovered an information leak through local shortcut
files.

CVE-2008-5012

Georgi Guninski, Michal Zalewski and Chris Evan discovered that
the canvas element could be used to bypass same-origin
restrictions.

CVE-2008-5013

It was discovered that insufficient checks in the Flash plugin glue
code could lead to arbitrary code execution.

CVE-2008-5014

Jesse Ruderman discovered that a programming error in the
window.__proto__.__proto__ object could lead to arbitrary code
execution.

CVE-2008-5017

It was discovered that crashes in the layout engine could lead to
arbitrary code execution.

CVE-2008-5018

It was discovered that crashes in the Javascript engine could lead to
arbitrary code execution.

CVE-2008-0017

Justin Schuh discovered that a buffer overflow in http-index-format
parser could lead to arbitrary code execution.

CVE-2008-5021

It was discovered that a crash in the nsFrameManager might lead to
the execution of arbitrary code.

CVE-2008-5022

"moz_bug_r_a4" discovered that the same-origin check in
nsXMLHttpRequest::NotifyEventListeners() could be bypassed.

CVE-2008-5023

Collin Jackson discovered that the -moz-binding property bypasses
security checks on codebase principals.

CVE-2008-5024

Chris Evans discovered that quote characters were improperly
escaped in the default namespace of E4X documents.

For the stable distribution (etch), these problems have been fixed in
version 1.8.0.15~pre080614h-0etch1. Packages for mips will be provided
later.

For the upcoming stable distribution (lenny) and the unstable
distribution (sid), these problems have been fixed in version 1.9.0.4-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.15~pre080614h.orig.tar.gz
Size/MD5 checksum: 43763318 269ce29df92d5053f6d0fc659717c18b
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.15~pre080614h-0etch1.diff.gz
Size/MD5 checksum: 144529 7f517d4bd904df70b6ead61c85e5eb71
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.8.0.15~pre080614h-0etch1.dsc
Size/MD5 checksum: 1984 2f56bfad80749a3af01a185cfc3a19e5

Architecture independent packages:


[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)