xulrunner -- several vulnerabilities

2008-11-23T00:00:00
ID DSA-1669
Type debian
Reporter Debian
Modified 2008-11-23T00:00:00

Description

Several remote vulnerabilities have been discovered in Xulrunner, a runtime environment for XUL applications. The Common Vulnerabilities and Exposures project identifies the following problems:

Justin Schuh, Tom Cross and Peter Williams discovered a buffer overflow in the parser for UTF-8 URLs, which may lead to the execution of arbitrary code.

"moz_bug_r_a4" discovered that the same-origin check in nsXMLDocument::OnChannelRedirect() could by bypassed.

"moz_bug_r_a4" discovered that several vulnerabilities in feedWriter could lead to Chrome privilege escalation.

Paul Nickerson discovered that an attacker could move windows during a mouse click, resulting in unwanted action triggered by drag-and-drop.

"moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers.

"moz_bug_r_a4" discovered a vulnerability which can result in Chrome privilege escalation through XPCNativeWrappers.

Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege escalation vulnerability in XSLT handling.

Jesse Ruderman discovered a crash in the layout engine, which might allow the execution of arbitrary code.

Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour discovered crashes in the Javascript engine, which might allow the execution of arbitrary code.

Dave Reed discovered that some Unicode byte order marks are stripped from Javascript code before execution, which can result in code being executed, which were otherwise part of a quoted string.

Gareth Heyes discovered that some Unicode surrogate characters are ignored by the HTML parser.

Boris Zbarsky discovered that resource: URls allow directory traversal when using URL-encoded slashes.

Georgi Guninski discovered that resource: URLs could bypass local access restrictions.

Billy Hoffman discovered that the XBM decoder could reveal uninitialised memory.

Liu Die Yu discovered an information leak through local shortcut files.

Georgi Guninski, Michal Zalewski and Chris Evan discovered that the canvas element could be used to bypass same-origin restrictions.

It was discovered that insufficient checks in the Flash plugin glue code could lead to arbitrary code execution.

Jesse Ruderman discovered that a programming error in the window.proto.proto object could lead to arbitrary code execution.

It was discovered that crashes in the layout engine could lead to arbitrary code execution.

It was discovered that crashes in the Javascript engine could lead to arbitrary code execution.

Justin Schuh discovered that a buffer overflow in http-index-format parser could lead to arbitrary code execution.

It was discovered that a crash in the nsFrameManager might lead to the execution of arbitrary code.

"moz_bug_r_a4" discovered that the same-origin check in nsXMLHttpRequest::NotifyEventListeners() could be bypassed.

Collin Jackson discovered that the -moz-binding property bypasses security checks on codebase principals.

Chris Evans discovered that quote characters were improperly escaped in the default namespace of E4X documents.

For the stable distribution (etch), these problems have been fixed in version 1.8.0.15~pre080614h-0etch1. Packages for mips will be provided later.

For the upcoming stable distribution (lenny) and the unstable distribution (sid), these problems have been fixed in version 1.9.0.4-1.

We recommend that you upgrade your xulrunner packages.