Lucene search

K
osvGoogleOSV:DSA-1922-1
HistoryOct 28, 2009 - 12:00 a.m.

xulrunner - several vulnerabilities

2009-10-2800:00:00
Google
osv.dev
31

EPSS

0.89

Percentile

98.8%

Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications, such as the Iceweasel web
browser. The Common Vulnerabilities and Exposures project identifies
the following problems:

  • CVE-2009-3380
    Vladimir Vukicevic, Jesse Ruderman, Martijn Wargers, Daniel
    Banchero, David Keeler and Boris Zbarsky reported crashes in
    layout engine, which might allow the execution of arbitrary code.
  • CVE-2009-3382
    Carsten Book reported a crash in the layout engine, which might
    allow the execution of arbitrary code.
  • CVE-2009-3376
    Jesse Ruderman and Sid Stamm discovered spoofing vulnerability
    in the file download dialog.
  • CVE-2009-3375
    Gregory Fleischer discovered a bypass of the same-origin policy
    using the document.getSelection() function.
  • CVE-2009-3374
    “moz_bug_r_a4” discovered a privilege escalation to Chrome status
    in the XPCOM utility XPCVariant::VariantDataToJS.
  • CVE-2009-3373
    “regenrecht” discovered a buffer overflow in the GIF parser, which
    might lead to the execution of arbitrary code.
  • CVE-2009-3372
    Marco C. discovered that a programming error in the proxy auto
    configuration code might lead to denial of service or the
    execution of arbitrary code.
  • CVE-2009-3274
    Jeremy Brown discovered that the filename of a downloaded file
    which is opened by the user is predictable, which might lead to
    tricking the user into a malicious file if the attacker has local
    access to the system.
  • CVE-2009-3370
    Paul Stone discovered that history information from web forms
    could be stolen.

For the stable distribution (lenny), these problems have been fixed
in version 1.9.0.15-0lenny1.

As indicated in the Etch
release notes
, security support for the Mozilla products in the oldstable
distribution needed to be stopped before the end of the regular Etch security
maintenance life cycle. You are strongly encouraged to upgrade to stable or
switch to a still supported browser.

For the unstable distribution (sid), these problems have been fixed in
version 1.9.1.4-1.

We recommend that you upgrade your xulrunner packages.