DSA 1956-1: New xulrunner packages fix several vulnerabilities  

Posted by Daniela Mehler

"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1956-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
December 16, 2009 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : xulrunner
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-3986 CVE-2009-3985 CVE-2009-3984 CVE-2009-3983 CVE-2009-3981 CVE-2009-3979

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-3986:

David James discovered that the window.opener property allows Chrome
privilege escalation.

CVE-2009-3985:

Jordi Chanel discovered a spoofing vulnerability of the URL location bar
using the document.location property.

CVE-2009-3984:

Jonathan Morgan discovered that the icon indicating a secure connection
could be spoofed through the document.location property.

CVE-2009-3983:

Takehiro Takahashi discovered that the NTLM implementaion is vulnerable
to reflection attacks.

CVE-2009-3981:

Jesse Ruderman discovered a crash in the layout engine, which might allow
the execution of arbitrary code.

CVE-2009-3979:

Jesse Ruderman, Josh Soref, Martijn Wargers, Jose Angel and Olli Pettay
discovered crashes in the layout engine, which might allow the execution
of arbitrary code.

For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.16-1.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.1.6-1.

We recommend that you upgrade your xulrunner packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.16-1.dsc
Size/MD5 checksum: 1755 661a7213945541c3aff7c1225f4a4e4b
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.16.orig.tar.gz
Size/MD5 checksum: 44158276 49eccba737701abfd9f0405dc91fb848
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner_1.9.0.16-1.diff.gz
Size/MD5 checksum: 116218 6d5380e0a12ea65cbfa98059641c5b1b

Architecture independent packages:

http://security.debian.org/pool/updates/main/x/xulrunner/libmozillainterfaces-java_1.9.0.16-1_all.deb
Size/MD5 checksum: 1464570 40a5ae6f705fe11bb244e039804233ea

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 51094414 36f539011a5ee228fae0195020709cc7
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 432242 c5110bdb4836a6e20a9b9b8e6959c1e9
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 9494198 0139dd56d61b77e77316ab24937df305
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 938424 b52ef8d6a5671df01a179e42379af747
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 72044 2fe658f8d17e1547d7c18d7e382b1c02
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 163948 ee725d4c448ebf6d3c3def1ec0302e8a
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 3651674 4f728529795d19de42ee07c1a994d84e
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 221628 578247ecd3b3c21230b272fe446c85b8
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_alpha.deb
Size/MD5 checksum: 112068 52292e961eea13ac499f0923f8f56afe

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 3288346 c4994fb96c217a3d16d718b919c5488a
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 151976 db96efb00277b2eae199c26b99ea043e
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 69948 db7a93f30248ee123430c0ec8fc51388
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 101544 804243e7ed5e3fadb407f16d9d78f081
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 890384 5dfe153e3eafca3a3590d44692088152
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 374232 dfee7250cbe693362d58228d815b17a1
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 50332174 0c1988f9cff6d4718d0965f6fe2ca00c
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 7724684 2ece5643c14ae34a0270d1bb740d0190
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_amd64.deb
Size/MD5 checksum: 223014 368b9f81b97bedfd51ea46cef4bfed9c

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 223372 f14b9641604130cbd1316684ce80eea4
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 72040 cee4430fd91f516a3a6b64a851cba9d1
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 898940 adc9f60d3478ac3efac390b54f758c08
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 413076 fa0451857abe00213b1c2fdbbeeb9216
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 158510 c33508922abba00e2db82b4330cfe556
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 51227746 215c15bee82bd5ee69c1603c93e47c74
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 3629732 24ae38db87e085986b45cbfbf51596b5
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 106760 9d9f796627813bf63d3d59cbc80cae94
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_hppa.deb
Size/MD5 checksum: 9512538 053e525101326d09b2b302090b172496

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_i386.deb
Size/MD5 checksum: 6603188 5a7d3778788b71f3214ed981d2158481
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_i386.deb
Size/MD5 checksum: 141452 0281b88b7c5efcd28e70283d9083a78c
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_i386.deb
Size/MD5 checksum: 350878 d2977664d676cf868f1945c7949ff91b
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_i386.deb
Size/MD5 checksum: 3565586 3a069b19bc73d53ace1bd816412b4672
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_i386.deb
Size/MD5 checksum: 851826 a7b7b5596d788b006125e1af9f50b9e2
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_i386.deb
Size/MD5 checksum: 223270 46166eab3e8d094223f19cf7024f00f5
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_i386.deb
Size/MD5 checksum: 49496458 37d985ecce882e81a20e797ad1ea3618
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_i386.deb
Size/MD5 checksum: 68158 8b79e51fcd2e87aba9db39b000027e5f
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_i386.deb
Size/MD5 checksum: 79204 52f55479a92095e5e410680a64c35a69

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 223178 56b4d13963a5417365ac98e7cb68f9c2
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 180234 118576ab26bd4bc6e98a32574d30aa21
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 76530 5d78eca360e0d75cb28ca38fed899d91
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 811202 72192683bea462cc1f5f672c7988d9e9
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 121554 ac350b3e945c3d6b619d07f099af37ce
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 3397796 8d200fb548f982d0752ade5d0c28f593
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 49671280 16b4ad4e4ab3f9eab9ff83baf69e098f
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 11302800 b071e5b863130a778ab494c853617ca6
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_ia64.deb
Size/MD5 checksum: 542146 141726b2753b7921fed58c5ffba4c2df

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_mips.deb
Size/MD5 checksum: 918282 528a68827030f8761ab114e74fafc1e4
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_mips.deb
Size/MD5 checksum: 3308002 bf1f6036812f8848332a98197b46e8ac
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_mips.deb
Size/MD5 checksum: 223192 2c1f794ad7ff07396a5290c0fb39885d
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_mips.deb
Size/MD5 checksum: 97104 2bdf01e5ce9380788078e3da3dce886a
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_mips.deb
Size/MD5 checksum: 69950 5e7d343695b4b895020e7346daf6dad8
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_mips.deb
Size/MD5 checksum: 51850028 8d341a8e7ef18c24778b61ae228dfcd7
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_mips.deb
Size/MD5 checksum: 380128 d1394d5bbc20bb7822aede419206733d
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_mips.deb
Size/MD5 checksum: 145388 263d12d202370293e8eb3b4c5374365d
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_mips.deb
Size/MD5 checksum: 7649668 6d6cf7e6a00da066b8e5fbdeba9d61ed

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 145050 ebdb58e0370aef9bef4ebf5f2736f4ad
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 223200 caf058f99c969d46b9a7a40f0d0e3fc8
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 7375656 83fea69a0f228bdd1f346cae0e4fce83
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 3309390 02be3ae69ff0bb0e74511c90e65ee397
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 900198 c47c7a1172694e5bba824f8d8f0da98e
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 49967230 1aa11add1436ac50da0e7098b7858fcf
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 96810 d1d70a9ac6cd40722fd448822bb41d42
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 69892 1b8c2bd977102cfa5e84e227fbb95324
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_mipsel.deb
Size/MD5 checksum: 378640 18bf07b633c1eaa5a6766e0043491e1d

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 223186 a98c3d606008370b58426e68aa1d74eb
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 73036 420365b25bd6586f30ad15a532b7f711
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 3283746 eb8cd1cc29aad06c45f912b39dd1d35c
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 7276356 1ff0a306c07d06af8692c569e65e4370
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 887834 00ddf03b5858a38abb4c1268e14b8deb
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 362562 403794ddb64118af431bae437aa83f55
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 94824 68a744cc480c2bb91e5fccd0bbe2b8f7
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 51392064 99becd6b3e9926f6b9ad06d35273bb96
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_powerpc.deb
Size/MD5 checksum: 152322 5496044d62fc184a0207d8a1f7b16528

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_s390.deb
Size/MD5 checksum: 105586 a049e14abd47bd52222d230d0ab5a779
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_s390.deb
Size/MD5 checksum: 406744 93ef047be735be315259b074218e86d7
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_s390.deb
Size/MD5 checksum: 8389742 4eb282c84e3c7e9f152e4039517d1937
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_s390.deb
Size/MD5 checksum: 223184 7286a158dab58e76054ed3af5ec04a09
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_s390.deb
Size/MD5 checksum: 909268 db230812204f07871e429bd7905ec502
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_s390.deb
Size/MD5 checksum: 72922 3c5bedcaba5e9ea016983a0f00f54f7c
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_s390.deb
Size/MD5 checksum: 156154 3b6f6e83b5019f2b85ede8d18e7bb108
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_s390.deb
Size/MD5 checksum: 3306442 8c65f811bc4738b29e2b380e278cacc4
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_s390.deb
Size/MD5 checksum: 51168676 4707184c455836b99d06075a06776866

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-gnome-support_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 88242 41d0bc936d44d0ae634785b40612c795
http://security.debian.org/pool/updates/main/x/xulrunner/python-xpcom_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 143282 658b3bbe4a734b9b1b17d7427d61baec
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9-dbg_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 49355150 e2f70f19c1e526dc0bd2b324d25476e8
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 350094 0dcf1d199dabaa5207adfd370f391592
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-dev_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 3577426 9c84a634aacd4ec64592ca24f5bec695
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs-dev_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 223282 4ca30dc0fc7989ee4045df25fa3df454
http://security.debian.org/pool/updates/main/x/xulrunner/xulrunner-1.9_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 7175610 7ed182660d5e25fd16ffd5e65e3af587
http://security.debian.org/pool/updates/main/x/xulrunner/libmozjs1d-dbg_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 821316 6fc3418c8abe57536e00b579970efaf9
http://security.debian.org/pool/updates/main/x/xulrunner/spidermonkey-bin_1.9.0.16-1_sparc.deb
Size/MD5 checksum: 69406 9a525e6314a592841214dc2c77186c8c


These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show ' and http://packages.debian.org/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkspTZ4ACgkQXm3vHE4uylrm8wCfVKheMHLpLTHd3MeFZGq6y80P
BvcAniuJBQ2nKpm36u5nv+fxdnsn1RbL
=aJ2S
-----END PGP SIGNATURE-----
"

This entry was posted on 4:49 AM .