Debian: New Mozilla Firefox packages fix several vulnerabilities

    Date: 22 Jul 2006
    Category: Debian
    Posted By: LinuxSecurity Advisories
    Updated package.
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 1120-1
    http://www.debian.org/security/                             Martin Schulze
    July 23rd, 2006                         http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : mozilla-firefox
    Vulnerability  : several
    Problem type   : remote
    Debian-specific: no
    CVE IDs        : CVE-2006-1942 CVE-2006-2775 CVE-2006-2776 CVE-2006-2777
                     CVE-2006-2778 CVE-2006-2779 CVE-2006-2780 CVE-2006-2782
                     CVE-2006-2783 CVE-2006-2784 CVE-2006-2785 CVE-2006-2786
                     CVE-2006-2787
    CERT advisories: VU#237257 VU#243153 VU#421529 VU#466673 VU#575969
    BugTraq ID     : 18228
    
    Several security related problems have been discovered in Mozilla.
    The Common Vulnerabilities and Exposures project identifies the
    following vulnerabilities:
    
    CVE-2006-1942
    
        Eric Foley discovered that a user can be tricked into exposing a
        local file to a remote attacker when a local file is displayed as
        an image, in combination with other vulnerabilities.  [MFSA-2006-39]
    
    CVE-2006-2775
    
        XUL attributes are associated with the wrong URL under certain
        circumstances, which might allow remote attackers to bypass
        restrictions.  [MFSA-2006-35]
    
    CVE-2006-2776
    
        Paul Nickerson discovered that content-defined setters on an
        object prototype were getting called by privileged user interface
        code, and "moz_bug_r_a4" demonstrated that the higher privilege
        level could be passed along to the content-defined attack code.
        [MFSA-2006-37]
    
    CVE-2006-2777
    
        A vulnerability allows remote attackers to execute arbitrary code
        and create notifications that are executed in a privileged
        context.  [MFSA-2006-43]
    
    CVE-2006-2778
    
        Mikolaj Habryn discovered a buffer overflow in the crypto.signText
        function that allows remote attackers to execute arbitrary code via
        certain optional Certificate Authority name arguments.  [MFSA-2006-38]
    
    CVE-2006-2779
    
        Mozilla team members discovered several crashes during testing of
        the browser engine showing evidence of memory corruption which may
        also lead to the execution of arbitrary code.  This problem has
        only partially been corrected.  [MFSA-2006-32]
    
    CVE-2006-2780
    
        An integer overflow allows remote attackers to cause a denial of
        service and may permit the execution of arbitrary code.
        [MFSA-2006-32]
    
    CVE-2006-2782
    
        Chuck McAuley discovered that a text input box can be pre-filled
        with a filename and then turned into a file-upload control,
        allowing a malicious website to steal any local file whose name
        they can guess.  [MFSA-2006-41, MFSA-2006-23, CVE-2006-1729]
    
    CVE-2006-2783
    
        Masatoshi Kimura discovered that the Unicode Byte-order-Mark (BOM)
        is stripped from UTF-8 pages during the conversion to Unicode
        before the parser sees the web page, which allows remote attackers
        to conduct cross-site scripting (XSS) attacks.  [MFSA-2006-42]
    
    CVE-2006-2784
    
        Paul Nickerson discovered that the fix for CAN-2005-0752 can be
        bypassed using nested javascript: URLs, allowing the attacker to
        execute privileged code.  [MFSA-2005-34, MFSA-2006-36]
    
    CVE-2006-2785
    
        Paul Nickerson demonstrated that if an attacker could convince a
        user to right-click on a broken image and choose "View Image" from
        the context menu, the attacker could get JavaScript to run.
        [MFSA-2006-34]
    
    CVE-2006-2786
    
        Kazuho Oku discovered that Mozilla's lenient handling of HTTP
        header syntax may allow remote attackers to trick the browser into
        interpreting certain responses as if they were responses from two
        different sites.  [MFSA-2006-33]
    
    CVE-2006-2787
    
        The Mozilla researcher "moz_bug_r_a4" discovered that JavaScript
        run via EvalInSandbox can escape the sandbox and gain elevated
        privilege.  [MFSA-2006-31]
    
    For the stable distribution (sarge) these problems have been fixed in
    version 1.0.4-2sarge9.
    
    For the unstable distribution (sid) these problems have been fixed in
    version 1.5.dfsg+1.5.0.4-1.
    
    We recommend that you upgrade your Mozilla Firefox packages.
    
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given at the end of this advisory:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
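As an added example that is not part of the Debian advisory, the wget/dpkg route above carried out with the check a practitioner would want in between: fetch the package, compare its size and MD5 with the advisory's Size/MD5 line, and only then install it. The helper names (md5_of, verify_pkg, fetch_and_install) are my own, and the script assumes a POSIX sh with md5sum or openssl available.

```shell
#!/bin/sh
# Added example (not from the advisory): check a downloaded package
# against the Size/MD5 line the advisory publishes before dpkg -i.

md5_of() {
    # Print the MD5 hex digest of $1 with whichever tool is present.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_pkg FILE SIZE MD5 -> 0 if both size and digest match, else 1.
verify_pkg() {
    file=$1; want_size=$2; want_md5=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    got_size=$(wc -c < "$file" | tr -d ' ')
    got_md5=$(md5_of "$file")
    if [ "$got_size" != "$want_size" ]; then
        echo "$file: size $got_size, advisory says $want_size" >&2
        return 1
    fi
    if [ "$got_md5" != "$want_md5" ]; then
        echo "$file: md5 $got_md5, advisory says $want_md5" >&2
        return 1
    fi
    echo "$file: size and MD5 match the advisory"
}

# fetch_and_install URL SIZE MD5: wget, verify, and only then dpkg -i.
# A package that fails the check is deleted rather than installed.
fetch_and_install() {
    url=$1; deb=$(basename "$url")
    wget -q -O "$deb" "$url" || { echo "download failed: $url" >&2; return 1; }
    verify_pkg "$deb" "$2" "$3" || { rm -f "$deb"; return 1; }
    dpkg -i "$deb"
}

# Example call with the i386 values from this advisory (needs root and network):
# fetch_and_install \
#   http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_i386.deb \
#   8899786 395567e782da4a1d6e0ef10367ba57cc
```

The MD5 comparison only catches a corrupted or substituted download; where apt-get with the sources.list line at the end of this advisory is available, that route is preferable because apt checks the archive's own signatures.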
    
    
    Debian GNU/Linux 3.1 alias sarge
    - --------------------------------
    
      Source archives:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9.dsc
          Size/MD5 checksum:     1001 21424c5ba440f16f6abea37711d66aa9
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9.diff.gz
          Size/MD5 checksum:   398646 2eff76a21650ad05f52b5fdf73bd3f7e
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
          Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d
    
      Alpha architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_alpha.deb
          Size/MD5 checksum: 11173304 3a940907dc9761c8f509bb4c985db436
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_alpha.deb
          Size/MD5 checksum:   169032 05d7a00140abdf880b41c4fa28114068
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_alpha.deb
          Size/MD5 checksum:    60866 de85fa33566f2fbfcc86501ee62b2a1b
    
      AMD64 architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_amd64.deb
          Size/MD5 checksum:  9401816 963bc07e9bad81b56674d2e87fcc2074
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_amd64.deb
          Size/MD5 checksum:   163774 782e55322d790e206be62b7c973cf4ee
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_amd64.deb
          Size/MD5 checksum:    59390 62063c4dc7dfb9dd977b2a019bd37946
    
      ARM architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_arm.deb
          Size/MD5 checksum:  8223298 0a3854d01bb66b8251a6fd0f6f6acf1d
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_arm.deb
          Size/MD5 checksum:   155248 04b4755e60835717a7b5ed0025f00f0c
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_arm.deb
          Size/MD5 checksum:    54702 93f66e628ad9327de4ed14acdfec4395
    
      Intel IA-32 architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_i386.deb
          Size/MD5 checksum:  8899786 395567e782da4a1d6e0ef10367ba57cc
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_i386.deb
          Size/MD5 checksum:   159032 5225bca73b84ed3e8a1c4e06bdd6cd69
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_i386.deb
          Size/MD5 checksum:    56250 f8baa460416bd34c28e347b371c2ac72
    
      Intel IA-64 architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_ia64.deb
          Size/MD5 checksum: 11632562 3fc46e9c4a4575594c610c7ff85146ce
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_ia64.deb
          Size/MD5 checksum:   169362 aad3f6f89760080eca86f9988c690532
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_ia64.deb
          Size/MD5 checksum:    64062 0973673b6e56cc6d26db14a0170c4a1a
    
      HP Precision architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_hppa.deb
          Size/MD5 checksum: 10275134 dbdcf7d07ead3c046ec5a604922bd853
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_hppa.deb
          Size/MD5 checksum:   166732 ff51c0f78f3bb6ee011c85e850e67230
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_hppa.deb
          Size/MD5 checksum:    59840 856193bc316aecbcce4f88aae4404240
    
      Motorola 680x0 architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_m68k.deb
          Size/MD5 checksum:  8175302 d60841a0292077f4635ca9b68c45cd8a
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_m68k.deb
          Size/MD5 checksum:   157932 5559512572a0493c336f46e67dc6163d
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_m68k.deb
          Size/MD5 checksum:    55524 f04387c9e24e76965342227983327a03
    
      Big endian MIPS architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_mips.deb
          Size/MD5 checksum:  9932150 56eefc3ec8a8832645ec1316929f4411
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_mips.deb
          Size/MD5 checksum:   156774 696dca1ed57d6c13fd80bcd6fc4364cd
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_mips.deb
          Size/MD5 checksum:    56506 af7303ff23599cf25224df22f5b92e05
    
      Little endian MIPS architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_mipsel.deb
          Size/MD5 checksum:  9810314 3673c61e049c42c7ea21ed58e06b2acc
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_mipsel.deb
          Size/MD5 checksum:   156350 9d3f411c8372b54775ab5ba90c10d0da
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_mipsel.deb
          Size/MD5 checksum:    56336 ccc11bdf50a4b0809fe7ed2dbdf44006
    
      PowerPC architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_powerpc.deb
          Size/MD5 checksum:  8571660 cf198d98db5695e5c423c567ebfdba38
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_powerpc.deb
          Size/MD5 checksum:   157448 d96866bfc3e74f73d6cf4a3f71aa50cb
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_powerpc.deb
          Size/MD5 checksum:    58628 e3a6722463006bb379c9548318784af8
    
      IBM S/390 architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_s390.deb
          Size/MD5 checksum:  9641400 c935ca331cf22eab9f311fc65c69e227
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_s390.deb
          Size/MD5 checksum:   164392 342aeb1f6362565bac9cd8f9a34e6711
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_s390.deb
          Size/MD5 checksum:    58816 3199d08b5c64c05d4c9f3600fd1a9927
    
      Sun Sparc architecture:
    
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge9_sparc.deb
          Size/MD5 checksum:  8662210 a25db0f4ce57b47898d633b2512cd0b4
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge9_sparc.deb
          Size/MD5 checksum:   157632 5d0f66746bcbb48269e1e4e0efa71067
        http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge9_sparc.deb
          Size/MD5 checksum:    55062 99d09b78f6efa23c02d1e9076185f105
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main