xulrunner - several vulnerabilities

2009-09-1400:00:00

Google

osv.dev

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.906 High

EPSS

Percentile

98.4%

JSON

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2009-3070
Jesse Ruderman discovered crashes in the layout engine, which
might allow the execution of arbitrary code.
CVE-2009-3071
Daniel Holbert, Jesse Ruderman, Olli Pettay and “toshi” discovered
crashes in the layout engine, which might allow the execution of
arbitrary code.
CVE-2009-3072
Josh Soref, Jesse Ruderman and Martin Wargers discovered crashes
in the layout engine, which might allow the execution of arbitrary
code.
CVE-2009-3074
Jesse Ruderman discovered a crash in the Javascript engine, which
might allow the execution of arbitrary code.
CVE-2009-3075
Carsten Book and “Taral” discovered crashes in the layout engine,
which might allow the execution of arbitrary code.
CVE-2009-3076
Jesse Ruderman discovered that the user interface for installing/
removing PCKS #11 securiy modules wasn’t informative enough, which
might allow social engineering attacks.
CVE-2009-3077
It was discovered that incorrect pointer handling in the XUL parser
could lead to the execution of arbitrary code.
CVE-2009-3078
Juan Pablo Lopez Yacubian discovered that incorrent rendering of
some Unicode font characters could lead to spoofing attacks on
the location bar.

For the stable distribution (lenny), these problems have been fixed
in version 1.9.0.14-0lenny1.

As indicated in the Etch release notes, security support for the
Mozilla products in the oldstable distribution needed to be stopped
before the end of the regular Etch security maintenance life cycle.
You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.0.14-1.

For the experimental distribution, these problems have been fixed in
version 1.9.1.3-1.

We recommend that you upgrade your xulrunner package.

CPENameOperatorVersion
xulrunnereq1.9.0.10-1
xulrunnereq1.9.0.11-0lenny1
xulrunnereq1.9.0.11-1
xulrunnereq1.9.0.12-0lenny1
xulrunnereq1.9.0.12-1
xulrunnereq1.9.0.13-0lenny1
xulrunnereq1.9.0.13-1
xulrunnereq1.9.0.5-1
xulrunnereq1.9.0.6-1
xulrunnereq1.9.0.7-0lenny1

Name	Operator	Version
xulrunner	eq	1.9.0.10-1
xulrunner	eq	1.9.0.11-0lenny1
xulrunner	eq	1.9.0.11-1
xulrunner	eq	1.9.0.12-0lenny1
xulrunner	eq	1.9.0.12-1
xulrunner	eq	1.9.0.13-0lenny1
xulrunner	eq	1.9.0.13-1
xulrunner	eq	1.9.0.5-1
xulrunner	eq	1.9.0.6-1
xulrunner	eq	1.9.0.7-0lenny1