[Backports-security-announce] Security Update for xulrunner

2010-07-21 09:30:33
lists.debian.org

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Access Vector:          NETWORK
  Access Complexity:      MEDIUM
  Authentication:         NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact:       COMPLETE
  Availability Impact:    COMPLETE

EPSS: 0.798 High (percentile 98.0%)

Alexander Reichle-Schmehl uploaded new packages for xulrunner which fixed the
following security problems:

CVE-2010-1211

Mozilla developers identified and fixed several memory safety bugs in
the browser engine used in Firefox and other Mozilla-based products.
Some of these bugs showed evidence of memory corruption under certain
circumstances, and we presume that with enough effort at least some of
these could be exploited to run arbitrary code.

CVE-2010-1208

Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative an error in the DOM attribute cloning routine where under
certain circumstances an event attribute node can be deleted while
another object still contains a reference to it. This reference
could subsequently be accessed, potentially causing the execution
of attacker controlled memory.

CVE-2010-1209

Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative an error in Mozilla's implementation of NodeIterator in
which a malicious NodeFilter could be created which would detach
nodes from the DOM tree while it was being traversed. The use of
a detached and subsequently deleted node could result in the
execution of attacker-controlled memory.

CVE-2010-1214

Security researcher J23 reported via TippingPoint's Zero Day
Initiative an error in the code used to store the names and values of
plugin parameter elements. A malicious page could embed plugin content
containing a very large number of parameter elements which would cause
an overflow in the integer value counting them. This integer is later
used in allocating a memory buffer used to store the plugin parameters.
Under such conditions, too small a buffer would be created and
attacker-controlled data could be written past the end of the buffer,
potentially resulting in code execution.

CVE-2010-2752

Security researcher J23 reported via TippingPoint's Zero Day Initiative
that an array class used to store CSS values contained an integer
overflow vulnerability. The 16 bit integer value used in allocating the
size of the array could overflow, resulting in too small a memory buffer
being created. When the array was later populated with CSS values data
would be written past the end of the buffer potentially resulting in
the execution of attacker-controlled memory.
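The two integer overflows above (CVE-2010-1214 and CVE-2010-2752) share one root cause: a count is narrowed or multiplied before it is used as a buffer size, so a large element count yields a buffer far smaller than the data later copied into it. As an added illustration, not code from Mozilla or from this advisory, the following C contrasts a 16-bit truncating size computation with an overflow-checked one; the css_value_t layout, the MAX_CSS_VALUES bound and the function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical CSS value record; the layout is an assumption for this
 * example, not Mozilla's actual structure (8 bytes on common ABIs). */
typedef struct {
    uint32_t unit;
    float    value;
} css_value_t;

#define MAX_CSS_VALUES 65535u   /* assumed policy limit for this example */

/* Mirrors the flaw class described for CVE-2010-2752: the element count is
 * narrowed to 16 bits before the buffer size is computed, so 65536 elements
 * wrap to a size of 0 and 65537 to the size of a single element. */
size_t alloc_size_truncated(size_t count)
{
    uint16_t narrow = (uint16_t)count;
    return (size_t)narrow * sizeof(css_value_t);
}

/* Hardened form: keep the count at full width, enforce an explicit upper
 * bound, and check the multiplication for overflow before the result is
 * used as an allocation size. Returns false instead of a wrapped value. */
bool alloc_size_checked(size_t count, size_t *out_bytes)
{
    if (count > MAX_CSS_VALUES)
        return false;
    if (count > SIZE_MAX / sizeof(css_value_t))
        return false;
    *out_bytes = count * sizeof(css_value_t);
    return true;
}

int main(void)
{
    size_t counts[] = { 100, 65535, 65536, 65537 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t bytes = 0;
        bool ok = alloc_size_checked(counts[i], &bytes);
        printf("count=%zu truncated=%zu checked=%s\n", counts[i],
               alloc_size_truncated(counts[i]), ok ? "ok" : "rejected");
    }
    return 0;
}
```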

CVE-2010-2753

Security researcher regenrecht reported via TippingPoint's Zero Day
Initiative an integer overflow vulnerability in the implementation
of the XUL <tree> element's selection attribute. When the size of a
new selection is sufficiently large the integer used in calculating
the length of the selection can overflow, resulting in a bogus range
being marked selected. When adjustSelection is then called on the
bogus range the range is deleted leaving dangling references to the
ranges which could be used by an attacker to call into deleted memory
and run arbitrary code on a victim's computer.

CVE-2010-1205

Buffer overflow in pngpread.c in libpng before 1.2.44 and 1.4.x before
1.4.3, as used in progressive applications, might allow remote attackers
to execute arbitrary code via a PNG image that triggers an additional
data row.

CVE-2010-1213

Security researcher Yosuke Hasegawa reported that the Web Worker
method importScripts can read and parse resources from other domains
even when the content is not valid JavaScript. This is a violation of
the same-origin policy and could be used by an attacker to steal
information from other sites.

CVE-2010-2751

Security researcher Jordi Chancel reported that the location bar could
be spoofed to look like a secure page when the current document was
served via plaintext. The vulnerability is triggered by a server by
first redirecting a request for a plaintext resource to another resource
behind a valid SSL/TLS certificate. A second request made to the original
plaintext resource which is responded to not with a redirect but with
JavaScript containing history.back() and history.forward() will result
in the plaintext resource being displayed with valid SSL/TLS badging in
the location bar.

CVE-2010-0654

Mozilla Firefox permits cross-origin loading of CSS stylesheets even
when the stylesheet download has an incorrect MIME type and the
stylesheet document is malformed, which allows remote HTTP servers to
obtain sensitive information via a crafted document.

CVE-2010-2754

Security researcher Soroush Dalili reported that potentially sensitive
URL parameters could be leaked across domains upon script errors when
the script filename and line number is included in the error message.

For the lenny-backports distribution the problems have been fixed in
version 1.9.1.11-1~bpo50+1.

For the squeeze and sid distributions the problems have been fixed in
version 1.9.1.11-1.

Upgrade instructions

If you don't use pinning (see [1]) you have to update the package
manually via "apt-get -t lenny-backports install <packagelist>" with
the packagelist of your installed packages affected by this update.
[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend pinning the backports repository at priority 200 so that new
versions of already installed backports are upgraded automatically.

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

OS      OS version  Architecture  Package    Package version  Filename
Debian  6           all           xulrunner  < 1.9.1.11-1     xulrunner_1.9.1.11-1_all.deb
