MiracleLinux 3 : xulrunner-1.9.0.10-1.1AXS3 (AXSA:2009-348:01)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2009-348:01.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(284144);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/12");

  script_cve_id(
    "CVE-2009-0771",
    "CVE-2009-0772",
    "CVE-2009-0773",
    "CVE-2009-0774",
    "CVE-2009-0775",
    "CVE-2009-0776",
    "CVE-2009-0777",
    "CVE-2009-1044",
    "CVE-2009-1169",
    "CVE-2009-1302",
    "CVE-2009-1303",
    "CVE-2009-1304",
    "CVE-2009-1305",
    "CVE-2009-1306",
    "CVE-2009-1307",
    "CVE-2009-1308",
    "CVE-2009-1309",
    "CVE-2009-1310",
    "CVE-2009-1311",
    "CVE-2009-1312"
  );

  script_name(english:"MiracleLinux 3 : xulrunner-1.9.0.10-1.1AXS3 (AXSA:2009-348:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 3 host has a package installed that is affected by multiple vulnerabilities as referenced in the
AXSA:2009-348:01 advisory.

    XULRunner provides the XUL Runtime environment for Gecko applications.
    Fixed bugs:
    CVE-2009-0771
    The layout engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15
    allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via
    certain vectors that trigger memory corruption and assertion failures.
    CVE-2009-0772
    The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey
    1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code
    via vectors related to nsCSSStyleSheet::GetOwnerNode, events, and garbage collection, which triggers
    memory corruption.
    CVE-2009-0773
    The JavaScript engine in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey 1.1.15
    allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) a
    splice of an array that contains some non-set elements, which causes jsarray.cpp to pass an incorrect
    argument to the ResizeSlots function, which triggers memory corruption; (2) vectors related to
    js_DecompileValueGenerator, jsopcode.cpp, __defineSetter__, and watch, which triggers an assertion failure
    or a segmentation fault; and (3) vectors related to gczeal, __defineSetter__, and watch, which triggers a
    hang.
    CVE-2009-0774
    The layout engine in Mozilla Firefox 2 and 3 before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey
    1.1.15 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code
    via vectors related to gczeal, a different vulnerability than CVE-2009-0773.
    CVE-2009-0775
    Double free vulnerability in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey
    before 1.1.15 allows remote attackers to execute arbitrary code via cloned XUL DOM elements which were
    linked as a parent and child, which are not properly handled during garbage collection.
    CVE-2009-0776
    nsIRDFService in Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15
    allows remote attackers to bypass the same-origin policy and read XML data from another domain via a
    cross-domain redirect.
    CVE-2009-0777
    Mozilla Firefox before 3.0.7, Thunderbird before 2.0.0.21, and SeaMonkey before 1.1.15 decode invisible
    characters when they are displayed in the location bar, which causes an incorrect address to be displayed
    and makes it easier for remote attackers to spoof URLs and conduct phishing attacks.
    CVE-2009-1044
    Unspecified vulnerability in Mozilla Firefox 3.0.7 on Windows 7 allows remote
    attackers to execute arbitrary code via unknown vectors triggered by clicking
    on a link, as demonstrated by Nils during a PWN2OWN competition at CanSecWest
    2009.
    CVE-2009-1169
    The txMozillaXSLTProcessor::TransformToDoc function in Mozilla Firefox before 3.0.8 and SeaMonkey before
    1.1.16 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code
    via an XML file with a crafted XSLT transform.
    CVE-2009-1302
    The browser engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before
    1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger
    memory corruption via vectors related to (1) nsAsyncInstantiateEvent::Run, (2) nsStyleContext::Destroy,
    (3) nsComputedDOMStyle::GetWidth, (4) the xslt_attributeset_ImportSameName.html test case for the XSLT
    stylesheet compiler, (5) nsXULDocument::SynchronizeBroadcastListener, (6) IsBindingAncestor, (7)
    PL_DHashTableOperate and nsEditor::EndUpdateViewBatch, and (8) gfxSkipCharsIterator::SetOffsets, and other
    vectors.
    CVE-2009-1303
    The browser engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before
    1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger
    memory corruption via vectors related to nsSVGElement::BindToTree.
    CVE-2009-1304
    The JavaScript engine in Mozilla Firefox 3.x before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey
    before 1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly
    trigger memory corruption via vectors involving (1) js_FindPropertyHelper, related to the definitions of
    Math and Date; and (2) js_CheckRedeclaration.
    CVE-2009-1305
    The JavaScript engine in Mozilla Firefox before 3.0.9, Thunderbird before 2.0.0.22, and SeaMonkey before
    1.1.16 allows remote attackers to cause a denial of service (application crash) and possibly trigger
    memory corruption via vectors involving JSOP_DEFVAR and properties that lack the JSPROP_PERMANENT
    attribute.
    CVE-2009-1306
    The jar: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not follow
    the Content-Disposition header of the inner URI, which allows remote attackers to conduct cross-site
    scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a Content-Disposition:
    attachment designation.
    CVE-2009-1307
    The view-source: URI implementation in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey does not
    properly implement the Same Origin Policy, which allows remote attackers to (1) bypass crossdomain.xml
    restrictions and connect to arbitrary web sites via a Flash file; (2) read, create, or modify Local Shared
    Objects via a Flash file; or (3) bypass unspecified restrictions and render content via vectors involving
    a jar: URI.
    CVE-2009-1308
    Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey
    allows remote attackers to inject arbitrary web script or HTML via vectors involving XBL JavaScript
    bindings and remote stylesheets, as exploited in the wild by a March 2009 eBay listing.
    CVE-2009-1309
    Mozilla Firefox before 3.0.9, Thunderbird, and SeaMonkey do not properly implement the Same Origin Policy
    for (1) XMLHttpRequest, involving a mismatch for a document's principal, and (2)
    XPCNativeWrapper.toString, involving an incorrect __proto__ scope, which allows remote attackers to
    conduct cross-site scripting (XSS) attacks and possibly other attacks via a crafted document.
    CVE-2009-1310
    Cross-site scripting (XSS) vulnerability in the MozSearch plugin implementation in Mozilla Firefox before
    3.0.9 allows user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI
    in the SearchForm element.
    CVE-2009-1311
    Mozilla Firefox before 3.0.9 and SeaMonkey before 1.1.17 allow user-assisted remote attackers to obtain
    sensitive information via a web page with an embedded frame, which causes POST data from an outer page to
    be sent to the inner frame's URL during a SAVEMODE_FILEONLY save of the inner frame.
    CVE-2009-1312
    Mozilla Firefox before 3.0.9 and SeaMonkey do not block javascript: URIs in Refresh headers in HTTP
    responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related
    to (1) injecting a Refresh header or (2) specifying the content of a Refresh header. NOTE: it was later
    reported that Mozilla 1.7.x and earlier is also affected.
    CVE-2009-1313
    The nsTextFrame::ClearTextRun function in layout/generic/nsTextFrameThebes.cpp in Mozilla Firefox 3.0.9
    allows remote attackers to cause a denial of service (memory corruption) and probably execute arbitrary
    code via unspecified vectors. NOTE: this vulnerability reportedly exists because of an incorrect fix for
    CVE-2009-1302.

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/986");
  script_set_attribute(attribute:"solution", value:
"Update the affected xulrunner package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2009-0775");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2009-1308");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/03/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/08/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:xulrunner");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:3");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 3.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'xulrunner-1.9.0.10-1.1AXS3', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'xulrunner');
}