Ubuntu: Firefox and xulrunner regression

    Date 25 Sep 2008
    2955
    Posted By LinuxSecurity Advisories
    USN-645-1 fixed vulnerabilities in Firefox and xulrunner. The upstream patches introduced a regression in the saved password handling. While password data was not lost, if a user had saved any passwords with non-ASCII characters, Firefox could not access the password database. This update fixes the problem.
    =========================================================== 
    Ubuntu Security Notice USN-645-3         September 25, 2008
    firefox-3.0, xulrunner-1.9 regression
    https://launchpad.net/bugs/270429
    ===========================================================
    
    A security issue affects the following Ubuntu releases:
    
    Ubuntu 8.04 LTS
    
    This advisory also applies to the corresponding versions of
    Kubuntu, Edubuntu, and Xubuntu.
    
    The problem can be corrected by upgrading your system to the
    following package versions:
    
    Ubuntu 8.04 LTS:
      firefox                         3.0.3+build1+nobinonly-0ubuntu0.8.04.1
      xulrunner-1.9                   1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1
    
    After a standard system upgrade you need to restart Firefox and any
    applications that use xulrunner, such as Epiphany, to effect the
    necessary changes.
    
    Details follow:
    
    USN-645-1 fixed vulnerabilities in Firefox and xulrunner. The upstream
    patches introduced a regression in the saved password handling. While
    password data was not lost, if a user had saved any passwords with
    non-ASCII characters, Firefox could not access the password database.
    This update fixes the problem.
    
    We apologize for the inconvenience.
    
    Original advisory details:
    
     Justin Schuh, Tom Cross and Peter Williams discovered errors in the
     Firefox URL parsing routines. If a user were tricked into opening a
     crafted hyperlink, an attacker could overflow a stack buffer and
     execute arbitrary code. (CVE-2008-0016)
     
     It was discovered that the same-origin check in Firefox could be
     bypassed. If a user were tricked into opening a malicious website,
     an attacker may be able to execute JavaScript in the context of a
     different website. (CVE-2008-3835)
     
     Several problems were discovered in the JavaScript engine. This
     could allow an attacker to execute scripts from page content with
     chrome privileges. (CVE-2008-3836)
     
     Paul Nickerson discovered Firefox did not properly process mouse
     click events. If a user were tricked into opening a malicious web
     page, an attacker could move the content window, which could
     potentially be used to force a user to perform unintended drag and
     drop operations. (CVE-2008-3837)
     
     Several problems were discovered in the browser engine. This could
     allow an attacker to execute code with chrome privileges.
     (CVE-2008-4058, CVE-2008-4059, CVE-2008-4060)
     
     Drew Yao, David Maciejak and other Mozilla developers found several
     problems in the browser engine of Firefox. If a user were tricked
     into opening a malicious web page, an attacker could cause a denial
     of service or possibly execute arbitrary code with the privileges
     of the user invoking the program. (CVE-2008-4061, CVE-2008-4062,
     CVE-2008-4063, CVE-2008-4064)
     
     Dave Reed discovered a flaw in the JavaScript parsing code when
     processing certain BOM characters. An attacker could exploit this
     to bypass script filters and perform cross-site scripting attacks.
     (CVE-2008-4065)
     
     Gareth Heyes discovered a flaw in the HTML parser of Firefox. If a
     user were tricked into opening a malicious web page, an attacker
     could bypass script filtering and perform cross-site scripting
     attacks. (CVE-2008-4066)
     
     Boris Zbarsky and Georgi Guninski independently discovered flaws in
     the resource: protocol. An attacker could exploit this to perform
     directory traversal, read information about the system, and prompt
     the user to save information in a file. (CVE-2008-4067,
     CVE-2008-4068)
     
     Billy Hoffman discovered a problem in the XBM decoder. If a user were
     tricked into opening a malicious web page or XBM file, an attacker
     may be able to cause a denial of service via application crash.
     (CVE-2008-4069)
    
    
    Updated packages for Ubuntu 8.04 LTS:
    
      Source archives:
    
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.3+build1+nobinonly-0ubuntu0.8.04.1.diff.gz
          Size/MD5:   105898 8e9d91766d1673d85b4e2e60f09ffbb6
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.3+build1+nobinonly-0ubuntu0.8.04.1.dsc
          Size/MD5:     2760 57a929804f986040bc7227fe3009156c
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.3+build1+nobinonly.orig.tar.gz
          Size/MD5: 11573662 bcf09e18019b2f2cbb8517932c891485
        https://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1.diff.gz
          Size/MD5:    77467 f5a62ff3d325e95c5120cc22bda2d554
        https://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1.dsc
          Size/MD5:     2825 ab55f7ea35f9ee735528805831854977
        https://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.3+build1+nobinonly.orig.tar.gz
          Size/MD5: 40164202 72a5e40dda74d050021677f1b3ebabcc
    
      Architecture independent packages:
    
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-dev_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65954 3f06a1b75554d1d2340afc44b78022ac
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-gnome-support_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65968 6d8a8e29f0a7c87d2c8f179f574d7aa6
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-granparadiso-dev_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65924 3ac2f3dfa932bdc940950c0a894b9080
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-trunk-dev_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65912 e9e9a4746bec14f42b2450bea8225057
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    66064 6775e8fa75a92e1f33cc8ae5bb7f9e8a
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-3.0-dom-inspector_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65974 751dd3d6688c6639e9d0ec0da761cc5c
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-3.0-venkman_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65924 cfb57e23eb08498e16a6bbef2ca4238e
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-dom-inspector_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:     8974 25f83a796d3169788d39ea68cd8635c6
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-granparadiso-dom-inspector_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:     8962 01cc668f88c84f91e2fd886d42d92f13
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-granparadiso-gnome-support_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65948 c4718d66cfe19443c59978f4e39e7e41
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-granparadiso_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65914 71f6cddfc729e4018eefe95c79efd9df
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-libthai_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65906 97334f76bbbd654157c7c5aabf7e31c6
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-trunk-dom-inspector_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:     8946 f9d779ba38a6e7732ad71bb751523a7a
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-trunk-gnome-support_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65936 4fa1a2d88890b85d3bce5cb045ec792b
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-trunk-venkman_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:     8936 700210f41bc608472f4fe88615dab81f
        https://security.ubuntu.com/ubuntu/pool/universe/f/firefox-3.0/firefox-trunk_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:    65902 d907072601c66ad491d706566c2824de
        https://security.ubuntu.com/ubuntu/pool/universe/x/xulrunner-1.9/xulrunner-1.9-dom-inspector_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:   125194 abdbdf7f8a7597a88c60af6d98ad3be3
        https://security.ubuntu.com/ubuntu/pool/universe/x/xulrunner-1.9/xulrunner-1.9-venkman_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_all.deb
          Size/MD5:   235304 8c3f950ba19f57700fb82918f343bed3
    
      amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0-dev_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_amd64.deb
          Size/MD5:     9028 45557a5d8f43797bebb0ee77783bdc87
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0-gnome-support_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_amd64.deb
          Size/MD5:    29576 78c9677804c24f5b6d95e0eb6c7a7f38
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_amd64.deb
          Size/MD5:  1086672 7399df1205d00bd6124d03fc63cf6592
        https://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9-dev_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_amd64.deb
          Size/MD5:  4035336 eaff46064356cea1e966ab221e45eb30
        https://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9-gnome-support_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_amd64.deb
          Size/MD5:    48656 41dc8e708b4972e61b2e12ab54c0c4fc
        https://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_amd64.deb
          Size/MD5:  9031700 f608db020679c1a062deaf017d5defd2
    
      i386 architecture (x86 compatible Intel/AMD):
    
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0-dev_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_i386.deb
          Size/MD5:     9028 a8fd22201b420b5b0fa11fab1c9466d3
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0-gnome-support_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_i386.deb
          Size/MD5:    25726 823066888e006035bbe5f1eb790eccfa
        https://security.ubuntu.com/ubuntu/pool/main/f/firefox-3.0/firefox-3.0_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_i386.deb
          Size/MD5:  1065018 32827a47e8cd521d89391879a3d84d5c
        https://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9-dev_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_i386.deb
          Size/MD5:  4016914 4285536cc152b65fa881946890b44185
        https://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9-gnome-support_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_i386.deb
          Size/MD5:    38514 04869df4ca726ad6c59d2e43383bf4f6
        https://security.ubuntu.com/ubuntu/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_i386.deb
          Size/MD5:  7763786 685dc1eb5dce09d60c56ffa1c059735b
    
      lpia architecture (Low Power Intel Architecture):
    
        https://ports.ubuntu.com/pool/main/f/firefox-3.0/firefox-3.0-dev_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_lpia.deb
          Size/MD5:     9028 2de0d8feb75644816867deec8668ec34
        https://ports.ubuntu.com/pool/main/f/firefox-3.0/firefox-3.0-gnome-support_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_lpia.deb
          Size/MD5:    25342 5e70051d1c36fa4115ad1b569a57b290
        https://ports.ubuntu.com/pool/main/f/firefox-3.0/firefox-3.0_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_lpia.deb
          Size/MD5:  1063126 4e9a3f4c3adaacb731b9d715e38fd3e2
        https://ports.ubuntu.com/pool/main/x/xulrunner-1.9/xulrunner-1.9-dev_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_lpia.deb
          Size/MD5:  4012342 92f97468c8260b9980d348024b3b6971
        https://ports.ubuntu.com/pool/main/x/xulrunner-1.9/xulrunner-1.9-gnome-support_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_lpia.deb
          Size/MD5:    37610 88681831e70f2c7ab81da01928fcf09f
        https://ports.ubuntu.com/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_lpia.deb
          Size/MD5:  7650950 80ab78a657265b9cad8ec759ac8864e9
    
      powerpc architecture (Apple Macintosh G3/G4/G5):
    
        https://ports.ubuntu.com/pool/main/f/firefox-3.0/firefox-3.0-dev_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_powerpc.deb
          Size/MD5:     9026 c90a944ecbc4366a54001c769d29e35b
        https://ports.ubuntu.com/pool/main/f/firefox-3.0/firefox-3.0-gnome-support_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_powerpc.deb
          Size/MD5:    27502 d140872135657f26a214585501d48c8c
        https://ports.ubuntu.com/pool/main/f/firefox-3.0/firefox-3.0_3.0.3+build1+nobinonly-0ubuntu0.8.04.1_powerpc.deb
          Size/MD5:  1079210 2594afd5cad19bc4bee8f0bad4483c5c
        https://ports.ubuntu.com/pool/main/x/xulrunner-1.9/xulrunner-1.9-dev_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_powerpc.deb
          Size/MD5:  4023426 cb239f374f28f6b90ae9289240acf871
        https://ports.ubuntu.com/pool/main/x/xulrunner-1.9/xulrunner-1.9-gnome-support_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_powerpc.deb
          Size/MD5:    43686 d176b974055a33ede0065b4c9f2047fd
        https://ports.ubuntu.com/pool/main/x/xulrunner-1.9/xulrunner-1.9_1.9.0.3+build1+nobinonly-0ubuntu0.8.04.1_powerpc.deb
          Size/MD5:  8609908 8e66fdbd3106ee310b9e8591d5fc35ad
    
    
    
    --Fba/0zbH8Xs+Fj9o
    Content-Type: application/pgp-signature; name="signature.asc"
    Content-Description: Digital signature
    Content-Disposition: inline
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)
    
    iD8DBQFI29kjW0JvuRdL8BoRAkXfAKCfhJfZscIqOOc2vRx0MxXxzznO4wCePwxU
    +im4TJCKqO3mDNtpkmtZLsw=uAlq
    -----END PGP SIGNATURE-----
    
    --Fba/0zbH8Xs+Fj9o--
    
    
    --==============w51258102108683811=Content-Type: text/plain; charset="us-ascii"
    MIME-Version: 1.0
    Content-Transfer-Encoding: 7bit
    Content-Disposition: inline
    
    --
    ubuntu-security-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce
    
    --==============w51258102108683811==--
    

    LinuxSecurity Poll

    Do you feel that the Lawful Access to Encrypted Data Act, which aims to force encryption backdoors, is a threat to US citizens' privacy?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/30-do-you-feel-that-the-lawful-access-to-encrypted-data-act-which-aims-to-force-encryption-backdoors-is-a-threat-to-privacy?task=poll.vote&format=json
    30
    radio
    [{"id":"106","title":"Yes - I am a privacy advocate and I am strongly opposed to this bill.","votes":"19","type":"x","order":"1","pct":95,"resources":[]},{"id":"107","title":"I'm undecided - it has its pros and cons.","votes":"1","type":"x","order":"2","pct":5,"resources":[]},{"id":"108","title":"No - I support this bill and feel that it will help protect against crime and threats to our national security. ","votes":"0","type":"x","order":"3","pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Advisories

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.