  • [SECURITY] [DSA-2106-2] New xulrunner packages fix regression (1/3)

    From Stefan Fritsch@1:229/2 to All on Sun Sep 19 21:40:02 2010
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-2106-2                  [email protected]
    http://www.debian.org/security/                           Stefan Fritsch
    September 19, 2010                    http://www.debian.org/security/faq
    - ------------------------------------------------------------------------

    Package : xulrunner
    Vulnerability : several
    Problem type : remote
    Debian-specific: no
    CVE Id(s) : CVE-2010-2760 CVE-2010-2763 CVE-2010-2765 CVE-2010-2766 CVE-2010-2767 CVE-2010-2768 CVE-2010-2769 CVE-2010-3167 CVE-2010-3168 CVE-2010-3169

    DSA-2106-1 introduced a regression that could lead to an application
    crash. This update fixes this problem. For reference, the text of
    the original advisory is provided below.

    Several remote vulnerabilities have been discovered in Xulrunner, a
    runtime environment for XUL applications. The Common Vulnerabilities
    and Exposures project identifies the following problems:

    - - Implementation errors in XUL processing allow the execution of
    arbitrary code (CVE-2010-2760, CVE-2010-3167, CVE-2010-3168)

    - - An implementation error in the XPCSafeJSObjectWrapper wrapper allows
    the bypass of the same origin policy (CVE-2010-2763)

    - - An integer overflow in frame handling allows the execution of
    arbitrary code (CVE-2010-2765)

    - - An implementation error in DOM handling allows the execution of
    arbitrary code (CVE-2010-2766)

    - - Incorrect pointer handling in the plugin code allows the execution of
    arbitrary code (CVE-2010-2767)

    - - Incorrect handling of an object tag may lead to the bypass of cross
    site scripting filters (CVE-2010-2768)

    - - Incorrect copy and paste handling could lead to cross site scripting
    (CVE-2010-2769)

    - - Crashes in the layout engine may lead to the execution of arbitrary
    code (CVE-2010-3169)


    For the stable distribution (lenny), the problem has been fixed in
    version 1.9.0.19-5. The packages for the mips architecture are not
    included in this update. They will be released as soon as they become available.

    We recommend that you upgrade your xulrunner packages.

    Upgrade instructions
    - --------------------

    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.

    If you are using the apt-get package manager, use the line for
    sources.list as given below:

    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages

    You may use an automated update by adding the resources from the
    footer to the proper configuration.


    Debian GNU/Linux 5.0 alias lenny
    - --------------------------------

    Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mipsel, powerpc, s390 and sparc.


    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)