From martin.pitt@canonical.com Wed Apr 19 11:31:58 2006
From: Martin Pitt
To: ubuntu-security-announce@lists.ubuntu.com
Cc: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Wed, 19 Apr 2006 17:32:19 +0200
Subject: [Full-disclosure] [USN-271-1] Firefox vulnerabilities

===========================================================
Ubuntu Security Notice USN-271-1             April 19, 2006
mozilla-firefox, firefox vulnerabilities
CVE-2005-4134, CVE-2006-0292, CVE-2006-0296, CVE-2006-0749,
CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730,
CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734,
CVE-2006-1735, CVE-2006-1736, CVE-2006-1737, CVE-2006-1738,
CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742,
CVE-2006-1790
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

firefox
mozilla-firefox

The problem can be corrected by upgrading the affected package to version 1.0.8-0ubuntu4.10 (for Ubuntu 4.10), 1.0.8-0ubuntu5.04 (for Ubuntu 5.04), or 1.0.8-0ubuntu5.10 (for Ubuntu 5.10). After a standard system upgrade you need to restart Firefox to effect the necessary changes.

Details follow:

Web pages with extremely long titles caused subsequent launches of the Firefox browser to hang for up to a few minutes, or caused Firefox to crash on computers with insufficient memory. (CVE-2005-4134)

Igor Bukanov discovered that the JavaScript engine did not properly declare some temporary variables. Under some rare circumstances, a malicious website could exploit this to execute arbitrary code with the privileges of the user. (CVE-2006-0292, CVE-2006-1742)

The function XULDocument.persist() did not sufficiently validate the names of attributes. An attacker could exploit this to inject arbitrary XML code into the file 'localstore.rdf', which is read and evaluated at startup.
This could include JavaScript commands that would be run with the user's privileges. (CVE-2006-0296)

Due to a flaw in the HTML tag parser, a specific sequence of HTML tags caused memory corruption. A malicious web site could exploit this to crash the browser or even execute arbitrary code with the user's privileges. (CVE-2006-0749)

Georgi Guninski discovered that embedded XBL scripts of web sites could escalate their (normally reduced) privileges to get full privileges of the user if that page is viewed with "Print Preview". (CVE-2006-1727)

The crypto.generateCRMFRequest() function had a flaw which could be exploited to run arbitrary code with the user's privileges. (CVE-2006-1728)

Claus Jørgensen and Jesse Ruderman discovered that a text input box could be pre-filled with a filename and then turned into a file-upload control with the contents intact. A malicious web site could exploit this to read any local file the user has read privileges for. (CVE-2006-1729)

An integer overflow was detected in the handling of the CSS property "letter-spacing". A malicious web site could exploit this to run arbitrary code with the user's privileges. (CVE-2006-1730)

The methods valueOf.call() and valueOf.apply() returned an object whose privileges were not properly confined to those of the caller, which made them vulnerable to cross-site scripting attacks. A malicious web site could exploit this to modify the contents of, or steal confidential data (such as passwords) from, other opened web pages. (CVE-2006-1731) The window.controllers array variable (CVE-2006-1732) and event handlers (CVE-2006-1741) were vulnerable to a similar attack.

The privileged built-in XBL bindings were not fully protected from web content and could be accessed by calling valueOf.call() and valueOf.apply() on a method of that binding. A malicious web site could exploit this to run arbitrary JavaScript code with the user's privileges.
(CVE-2006-1733)

It was possible to use the Object.watch() method to access an internal function object (the "clone parent"). A malicious web site could exploit this to execute arbitrary JavaScript code with the user's privileges. (CVE-2006-1734)

By calling the XBL.method.eval() method in a special way it was possible to create JavaScript functions that would get compiled with the wrong privileges. A malicious web site could exploit this to execute arbitrary JavaScript code with the user's privileges. (CVE-2006-1735)

Michael Krax discovered that by layering a transparent image link to an executable on top of a visible (and presumably desirable) image, a malicious site could fool the user into right-clicking and choosing "Save image as..." from the context menu, which would download the executable instead of the image. (CVE-2006-1736)

Several crashes have been fixed which could be triggered by web sites and involve memory corruption. These could potentially be exploited to execute arbitrary code with the user's privileges. (CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

If the user has turned on the "Entering secure site" modal warning dialog, it was possible to spoof the browser's secure-site indicators (the lock icon and the gold URL field background) by first loading the target secure site in a pop-up window, then changing its location to a different site, which retained the displayed secure-browsing indicators from the original site.
(CVE-2006-1740)

Updated packages for Ubuntu 4.10:

Updated packages for Ubuntu 5.04:

Updated packages for Ubuntu 5.10:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
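The advisory above gives one fixed version per release (1.0.8-0ubuntu4.10, 1.0.8-0ubuntu5.04, 1.0.8-0ubuntu5.10). The following is an added example, not part of the original advisory or of Ubuntu's tooling, that checks a package inventory against those versions using Debian version ordering. The names compare_versions, audit and SAMPLE are hypothetical, and the inventory lines are constructed.

```python
import re

# Fixed versions per Ubuntu release, as stated in the advisory.
FIXED = {"4.10": "1.0.8-0ubuntu4.10",
         "5.04": "1.0.8-0ubuntu5.04",
         "5.10": "1.0.8-0ubuntu5.10"}
PACKAGES = {"firefox", "mozilla-firefox"}  # affected packages per the advisory

def _order(c):
    # Debian ordering: '~' sorts before everything (even end of string),
    # letters sort before all other non-digit characters.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right.
    while a or b:
        na, a = re.match(r"(\D*)(.*)", a).groups()
        nb, b = re.match(r"(\D*)(.*)", b).groups()
        for k in range(max(len(na), len(nb))):
            x = _order(na[k]) if k < len(na) else 0
            y = _order(nb[k]) if k < len(nb) else 0
            if x != y:
                return -1 if x < y else 1
        da, a = re.match(r"(\d*)(.*)", a).groups()
        db, b = re.match(r"(\d*)(.*)", b).groups()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; a missing epoch counts as 0.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, following Debian version ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(release, dpkg_lines):
    """Return (package, version) pairs still below the fixed version."""
    stale = []
    for line in dpkg_lines:
        pkg, ver = line.split()
        if pkg in PACKAGES and compare_versions(ver, FIXED[release]) < 0:
            stale.append((pkg, ver))
    return stale

# Constructed sample in "package version" form (not real host data).
SAMPLE = ["mozilla-firefox 1.0.7-0ubuntu20", "firefox 1.0.8-0ubuntu5.10", "bash 3.0-15"]
```

On a Debian or Ubuntu host, `dpkg --compare-versions` performs the same comparison. A passing version check does not cover a Firefox process started before the upgrade, which the advisory says must be restarted.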