Linux Security
Linux Security
Linux Security

Debian: DSA-1797-1: New xulrunner packages fix several vulnerabilities

Date 09 May 2009
Posted By LinuxSecurity Advisories
Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications, such as the Iceweasel web browser. The Common Vulnerabilities and Exposures project identifies the following problems:
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1797-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.                       Moritz Muehlenhoff
May 09, 2009                
- ------------------------------------------------------------------------

Package        : xulrunner
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2009-0652 CVE-2009-1302 CVE-2009-1303 CVE-2009-1304 CVE-2009-1305 CVE-2009-1306 CVE-2009-1307 CVE-2009-1308 CVE-2009-1309 CVE-2009-1311

Several remote vulnerabilities have been discovered in Xulrunner, a 
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:


    Moxie Marlinspike discovered that Unicode box drawing characters inside of
    internationalised domain names could be used for phishing attacks.


    Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman
    and Gary Kwong reported crashes in the in the layout engine, which might
    allow the execution of arbitrary code.


    Olli Pettay, Martijn Wargers, Mats Palmgren, Oleg Romashin, Jesse Ruderman
    and Gary Kwong reported crashes in the in the layout engine, which might
    allow the execution of arbitrary code.


    Igor Bukanov and Bob Clary discovered crashes in the Javascript engine,
    which might allow the execution of arbitrary code.


    Igor Bukanov and Bob Clary discovered crashes in the Javascript engine,
    which might allow the execution of arbitrary code.


    Daniel Veditz discovered that the Content-Disposition: header is ignored
    within the jar: URI scheme.


    Gregory Fleischer discovered that the same-origin policy for Flash files
    is inproperly enforced for files loaded through the view-source scheme,
    which may result in bypass of cross-domain policy restrictions.


    Cefn Hoile discovered that sites, which allow the embedding of third-party
    stylesheets are vulnerable to cross-site scripting attacks through XBL


    "moz_bug_r_a4" discovered bypasses of the same-origin policy in the
    XMLHttpRequest Javascript API and the XPCNativeWrapper.


    Paolo Amadini discovered that incorrect handling of POST data when
    saving a web site with an embedded frame may lead to information disclosure.


    It was discovered that Iceweasel allows Refresh: headers to redirect
    to Javascript URIs, resulting in cross-site scripting.

For the stable distribution (lenny), these problems have been fixed
in version

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

For the unstable distribution (sid), these problems have been fixed in

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:
    Size/MD5 checksum:   117026 d09669d48cd57ec9457f027e1cbb6513
    Size/MD5 checksum: 43676083 2d15d3f226cf0fc7210eb112cdbd2869
    Size/MD5 checksum:     1785 4dfb97c89b31cc0395fe3e07ace099ad

Architecture independent packages:
    Size/MD5 checksum:  1483776 a42bf756251f9e3e206ede146db8f956

alpha architecture (DEC Alpha)
    Size/MD5 checksum:   111514 f9b3e0f98e2d20a0b809d21f8cf972e8
    Size/MD5 checksum: 51060838 f7811d5fce5d7a9d9543be65a03cec4b
    Size/MD5 checksum:   220742 2c1ed1e0ca8e9ca72875c69455559b26
    Size/MD5 checksum:  9481232 2a10dd4c6875e7c8271fef8ba99dcedb
    Size/MD5 checksum:   428902 03eeed45c2d4ed5197af04aa56a0e7c3
    Size/MD5 checksum:  3648686 e8dcddf93a00cde658b9098048d77261
    Size/MD5 checksum:   163408 fea42d292bf78fe08f73d98b2d9e178a
    Size/MD5 checksum:   933068 ee853413c63b6fe073c58e2701bc00ab
    Size/MD5 checksum:    71174 53af8db13e823906067c8385b32b2dcc

amd64 architecture (AMD x86_64 (AMD64))
    Size/MD5 checksum:  7727524 36d598c003dcb0b8e4c17f360b0681a3
    Size/MD5 checksum:   887532 cccbd9c7cf928cdbf524349874143a70
    Size/MD5 checksum:   151242 0075b6dc5736b7ffb43161a20cd569e9
    Size/MD5 checksum:   371988 bb3c915099c05bc4ea9f0e9c0f5dcf4c
    Size/MD5 checksum:    68952 92c0e7c9a369e29c2eaa10c508e9ef00
    Size/MD5 checksum: 50280932 6b6a63494c6f7411a8e98331ae952fb6
    Size/MD5 checksum:   100880 ab27a51c6ad46ead60760e90519f4e5c
    Size/MD5 checksum:  3583500 7cf24c1188cb886612a2c26915467f60
    Size/MD5 checksum:   220552 638e195878722d207df6f63d22dc0190

arm architecture (ARM)
    Size/MD5 checksum:    67188 87bc838f4f3670f9351c24fc1a0bee83
    Size/MD5 checksum: 49237086 71c4d1c873dfdcea156ac2ff17fb7bdd
    Size/MD5 checksum:  3578816 4e2ff63e582037fec48658747f99ba0a
    Size/MD5 checksum:   141146 48e1e4f7e842de538505c558d32626ce
    Size/MD5 checksum:   348552 6e33e224e6495782a2770c9e2517c785
    Size/MD5 checksum:   814400 6d91a49ce94c64d1d168c6b78a6b41a4
    Size/MD5 checksum:    83412 62e4f3c8140c7dd842c08b3cae2d90be
    Size/MD5 checksum:  6790870 429d3a80ad4929f50f932bc2a9f55d70
    Size/MD5 checksum:   222650 88d47b4b6bfa2fff6fbb52f444d55910

armel architecture (ARM EABI)
    Size/MD5 checksum:   140878 62b5c5aff1efdd654e4fdb336241df71
    Size/MD5 checksum:  3576452 b1f3f4274747850f65ff6c6bc0321a5a
    Size/MD5 checksum:    83860 74c170216a259ceb9c65f15654d9f1bf
    Size/MD5 checksum:    68854 ebabe0aff31cbf050f5539dd65841d84
    Size/MD5 checksum:   350300 ecf4a8c2404b099f24f04b6b9da4d29a
    Size/MD5 checksum:  6941614 70f8d7debcdadac8f7344d483102966c
    Size/MD5 checksum:   222324 838ad274ad9c4d1ae4520d20337ef5f5
    Size/MD5 checksum: 50076310 ab97521543110a0fbc5f2ef5fa24a1ba
    Size/MD5 checksum:   818918 67f9d2de565405f736be414f22883a3d

hppa architecture (HP PA RISC)
    Size/MD5 checksum:   408960 b804388039608c12f3839cf661f66198
    Size/MD5 checksum:   221864 dc011e19e0e51ca360814e2ccac45ff5
    Size/MD5 checksum: 51165016 dc62b362f3a484e63dfd4c4e0a3abd8f
    Size/MD5 checksum:   105354 e56c6f430f6bf0c440d32d9d77f521ec
    Size/MD5 checksum:    70442 a93054b9893c8560744735056faa0782
    Size/MD5 checksum:   158222 763d8678b7b0847d5892ecd91aa1aed2
    Size/MD5 checksum:  3618860 9f74be813e8e955fc0e17ddf2ba956ed
    Size/MD5 checksum:  9497008 f4b428777416a985792a4205fe2c4559
    Size/MD5 checksum:   895604 a40bd99de09688c3cebc1afb8f9b0ed3

i386 architecture (Intel ia32)
    Size/MD5 checksum:    67304 a365211be353564113d2dd7674902022
    Size/MD5 checksum: 49446708 55375bd2f9c55fad85bdf642ba148b8b
    Size/MD5 checksum:   222280 a30bec3e1243fbcc85e10b50c70b0eec
    Size/MD5 checksum:   849508 051f75cda756e30664ce1b90d884def5
    Size/MD5 checksum:  3562302 1534d9cba1162456023d4bef69b786e0
    Size/MD5 checksum:   140878 5520c260080eb9c08bbd1708d36eaecd
    Size/MD5 checksum:  6590836 c632ce21a2a5fd4257283ff7cf32bef4
    Size/MD5 checksum:    78612 353db3ef38a240bb039c550c33616610
    Size/MD5 checksum:   348080 1f8dd3a001b62aabbce52ded83717f77

ia64 architecture (Intel ia64)
    Size/MD5 checksum:   538866 a0fc35488ffb492956c1b2602f3332fa
    Size/MD5 checksum:   179534 c70d0f8e437de971416dd66af25ecffd
    Size/MD5 checksum:   222276 45cc6e76a2aae05706272ab4f0b2b9ef
    Size/MD5 checksum:    75556 e70c1001ce1cba88bcd2970e271af0ff
    Size/MD5 checksum:   121026 828e0e511c559d05c40c88171bd03aff
    Size/MD5 checksum: 11282130 23f4515cf3fb9ea5af74da10235236ee
    Size/MD5 checksum: 49618524 635a2adbe4c8c0723e2f3e598c172872
    Size/MD5 checksum:  3393098 3348f2fda7f048257b66b9b1934c955b
    Size/MD5 checksum:   809114 78ae7bcb24e0b8710336fb170d82e90e

mips architecture (MIPS (Big Endian))
    Size/MD5 checksum:   144800 6b1d8b5d6844b88a87c6f0d64fd3a5cc
    Size/MD5 checksum:   222288 42ff24ac5979ebccbfeeec2409a18efd
    Size/MD5 checksum: 51798468 200dcac5fb819d0093740d8b528c20a5
    Size/MD5 checksum:   914892 24a8f94d6576adfaf8219489667e9349
    Size/MD5 checksum:   377492 3da9e13727df30690dab740c3a11a4f1
    Size/MD5 checksum:    96578 72d433b5b9755ead0e9519140b7e4c17
    Size/MD5 checksum:  7635294 eab0a84b74f7a707722e6b593fa7fe45
    Size/MD5 checksum:  3303462 e35a5582f64f0b03baaf34344766286d
    Size/MD5 checksum:    69138 c0a61b85fd08547ef785f1ab664fc272

mipsel architecture (MIPS (Little Endian))
    Size/MD5 checksum:   222290 5d4e1c8a7defd4812f1cdc90c3376b79
    Size/MD5 checksum:  7366384 daadd45a701ee1372b13d04c479e8945
    Size/MD5 checksum:   896196 bb30cfb8930a0f56f007779a114d8cce
    Size/MD5 checksum:   144512 d9b0d61807107a8d6b6b9cd88ac78f2d
    Size/MD5 checksum:    96276 fdbf9354e6a7f13ffbdc15631425bedc
    Size/MD5 checksum: 49922418 08204077c0e28e67e8126b0a08bb5cfa
    Size/MD5 checksum:  3304646 31bdebd6c18527ac71407f9ffab254b9
    Size/MD5 checksum:   375296 2cff3b541b78c45eac1374b486f3185a
    Size/MD5 checksum:    69060 d8b85f76f874fcfba60dbdf88dfa1ba9

powerpc architecture (PowerPC)
    Size/MD5 checksum:   885826 cd7a75d90beeedc19ed56cab418f9229
    Size/MD5 checksum:   359694 1a4bd1074a8d9e02af3d3e4ca6b6e184
    Size/MD5 checksum:  3576628 487af4934c26c9607f2c973211f9e893
    Size/MD5 checksum:  7282378 37d983a3b8ac149e3425f196a0a76cee
    Size/MD5 checksum:   222610 ed41ecc9d50a8e8cdb97f07c02d40635
    Size/MD5 checksum:    72514 cc2a157ba460b58ecb6d4bb1645463b0
    Size/MD5 checksum:    94214 4d9018798582ddf501e7e96fbb1cb52f
    Size/MD5 checksum: 51342054 ff91b365569570f23bdc050ef1b10aab
    Size/MD5 checksum:   152434 5de3549eb40701dcf4280395a9d46ef6

s390 architecture (IBM S/390)
    Size/MD5 checksum:   222272 7520554f059b97d8107a70b9cb4c7d23
    Size/MD5 checksum:  3302468 4c4f9963496b1e03307c049d4d0c8d71
    Size/MD5 checksum:  8375790 f83467abcb35b7f21e36ae4dccfd2894
    Size/MD5 checksum:   404194 939a4ac485c2889a8d8cefc01b099c3c
    Size/MD5 checksum:   155590 ec7601e7165fb077dc49ad5106ccbbe8
    Size/MD5 checksum:   105062 d39129d6b2734ac40116873346998598
    Size/MD5 checksum: 51124872 12297ecc689f3b5271c83e741ec88f0b
    Size/MD5 checksum:   906520 aae8f82cb27c09cb33ed382c38c369fc
    Size/MD5 checksum:    72060 1d46777a0678c4e3e5d8fd2643109325

sparc architecture (Sun SPARC/UltraSPARC)
    Size/MD5 checksum:    83282 3acccfab973fea6f2b78d9943c771b97
    Size/MD5 checksum:   819016 51ece19aac73ae8ca1f6bd17334267ba
    Size/MD5 checksum:   143104 c80a213a549b2720b5aa257c590487dd
    Size/MD5 checksum: 49311996 719762824e3ea8e87311872457dbe714
    Size/MD5 checksum:  3573006 993e514fcf0bbea88f945b12ced5677c
    Size/MD5 checksum:    69290 2f1e603498b14c1ff42a7b7dad8896b7
    Size/MD5 checksum:  7160766 f33069ea4089317a616f12fbe1a4bbd0
    Size/MD5 checksum:   222422 225e2f431d1ca2358737199b383b065d
    Size/MD5 checksum:   347584 5cfa8a467e38c4fdfbaa941da15ef737

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
Package info: `apt-cache show ' and

LinuxSecurity Poll

How frequently do you patch/update your system?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum 0 answer(s) and maximum 3 answer(s).
[{"id":"179","title":"As soon as patches\/updates are released - I track advisories for my distro(s) diligently","votes":"47","type":"x","order":"1","pct":79.66,"resources":[]},{"id":"180","title":"Every so often, when I think of it","votes":"7","type":"x","order":"2","pct":11.86,"resources":[]},{"id":"181","title":"Hardly ever","votes":"5","type":"x","order":"3","pct":8.47,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350

Please vote first in order to view vote results.



bottom 200

Please enable / Bitte aktiviere JavaScript!
Veuillez activer / Por favor activa el Javascript![ ? ]

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.