GoogleOSV:DSA-2106-1xulrunner - several vulnerabilities
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Several remote vulnerabilities have been discovered in Xulrunner, a
runtime environment for XUL applications. The Common Vulnerabilities
and Exposures project identifies the following problems:
- CVE-2010-2760, CVE-2010-3167, CVE-2010-3168
Implementation errors in XUL processing allow the execution of arbitrary
code. - CVE-2010-2763
An implementation error in the XPCSafeJSObjectWrapper wrapper allows the
bypass of the same origin policy. - CVE-2010-2765
An integer overflow in frame handling allows the execution of arbitrary
code. - CVE-2010-2766
An implementation error in DOM handling allows the execution of arbitrary
code. - CVE-2010-2767
Incorrect pointer handling in the plugin code allow the execution of
arbitrary code. - CVE-2010-2768
Incorrect handling of an object tag may lead to the bypass of cross
site scripting filters. - CVE-2010-2769
Incorrect copy and paste handling could lead to cross site scripting. - CVE-2010-3169
Crashes in the layout engine may lead to the execution of arbitrary
code.
For the stable distribution (lenny), these problems have been fixed in
version 1.9.0.19-4.
For the unstable distribution (sid), these problems have been fixed in
version 3.5.12-1 of the iceweasel source package (which now builds the
xulrunner library binary packages).
For the experimental distribution, these problems have been fixed in
version 3.6.9-1 of the iceweasel source package (which now builds the
xulrunner library binary packages).
We recommend that you upgrade your xulrunner packages.
References
Related
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C