=========================================================== 
Ubuntu Security Notice USN-645-1         September 24, 2008
firefox, firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2008-0016, CVE-2008-3835, CVE-2008-3836, CVE-2008-3837,
CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061,
CVE-2008-4062, CVE-2008-4063, CVE-2008-4064, CVE-2008-4065,
CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4069
==========================================================
A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:
  firefox                         2.0.0.17+0nobinonly-0ubuntu0.7.4

Ubuntu 7.10:
  firefox                         2.0.0.17+1nobinonly-0ubuntu0.7.10

Ubuntu 8.04 LTS:
  firefox-3.0                     3.0.2+build6+nobinonly-0ubuntu0.8.04.1
  xulrunner-1.9                   1.9.0.2+build6+nobinonly-0ubuntu0.8.04.1

After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner, such as Epiphany, to effect the
necessary changes.

Details follow:

Justin Schuh, Tom Cross and Peter Williams discovered errors in the
Firefox URL parsing routines. If a user were tricked into opening a
crafted hyperlink, an attacker could overflow a stack buffer and
execute arbitrary code. (CVE-2008-0016)

It was discovered that the same-origin check in Firefox could be
bypassed. If a user were tricked into opening a malicious website,
an attacker may be able to execute JavaScript in the context of a
different website. (CVE-2008-3835)

Several problems were discovered in the JavaScript engine. This
could allow an attacker to execute scripts from page content with
chrome privileges. (CVE-2008-3836)

Paul Nickerson discovered Firefox did not properly process mouse
click events. If a user were tricked into opening a malicious web
page, an attacker could move the content window, which could
potentially be used to force a user to perform unintended drag and
drop operations. (CVE-2008-3837)

Several problems were discovered in the browser engine. This could
allow an attacker to execute code with chrome privileges.
(CVE-2008-4058, CVE-2008-4059, CVE-2008-4060)

Drew Yao, David Maciejak and other Mozilla developers found several
problems in the browser engine of Firefox. If a user were tricked
into opening a malicious web page, an attacker could cause a denial
of service or possibly execute arbitrary code with the privileges
of the user invoking the program. (CVE-2008-4061, CVE-2008-4062,
CVE-2008-4063, CVE-2008-4064)

Dave Reed discovered a flaw in the JavaScript parsing code when
processing certain BOM characters. An attacker could exploit this
to bypass script filters and perform cross-site scripting attacks.
(CVE-2008-4065)

Gareth Heyes discovered a flaw in the HTML parser of Firefox. If a
user were tricked into opening a malicious web page, an attacker
could bypass script filtering and perform cross-site scripting
attacks. (CVE-2008-4066)

Boris Zbarsky and Georgi Guninski independently discovered flaws in
the resource: protocol. An attacker could exploit this to perform
directory traversal, read information about the system, and prompt
the user to save information in a file. (CVE-2008-4067,
CVE-2008-4068)

Billy Hoffman discovered a problem in the XBM decoder. If a user were
tricked into opening a malicious web page or XBM file, an attacker
may be able to cause a denial of service via application crash.
(CVE-2008-4069)


Updated packages for Ubuntu 7.04:

  Source archives:

          Size/MD5:   316696 fcc877d67c4c479221bbf3c4a3d7eb6d
          Size/MD5:     2330 b5027c93757b9fec8eda43ee3b93c227
          Size/MD5: 48478465 eb9ca16ce2bd6073cf9cdf1298388ede

  Architecture independent packages:

          Size/MD5:   243550 c27985a28b56d42f853f614b1329792f
          Size/MD5:    58896 6617ca36bca4b8f4039a0201548da883
          Size/MD5:    58992 330db0a6f2247bc95308f45849f6c347
          Size/MD5:    59004 de6dddee9f8f3b426f3f92486ec688f4
          Size/MD5:    59808 b5d3575dac4397435b35577ef2231ba2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5: 50656752 d2488df935ed957ca20001c22a8f1469
          Size/MD5:  3187514 c45d3640b7025bdef4d3c39026bdff82
          Size/MD5:    92716 1f790aab7403f845f3aaa10c11aa2992
          Size/MD5:    62694 373bb2cb44d77d351269f434746fbb54
          Size/MD5: 10492802 4655557e86f8bc9716cb756aeca743b7
          Size/MD5:   228868 29d5b7b2a4b164aac6381e6561bd6144
          Size/MD5:   174386 7a13e0a9fa9df9f66f88f70cea8ebc06
          Size/MD5:   254952 55e0c0afef21b363fe31c744af4c6d77
          Size/MD5:   888180 7f8ddc7f096215b1bcaaee5858e0cb88

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5: 49801022 e5c279cc182430cfdf2836d77ead95cb
          Size/MD5:  3178474 7859e4225dc2f28e83348d596886ff24
          Size/MD5:    86924 683cc43035d1b4b7134cd1052533022b
          Size/MD5:    62104 274e4ea11b4c5d43b3a384d15c385c14
          Size/MD5:  9299290 ee50c9f1a78b743ddeb8f71a27694ad9
          Size/MD5:   228866 3e6fd628f22993e9f3f56addc20e16fd
          Size/MD5:   163308 7628c8cb150ed486314ffc6be890cda8
          Size/MD5:   254940 6b6498be6365b35e4676feecef534869
          Size/MD5:   809598 10670c735ac61b6efe20328cc5d0f54c

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5: 52311700 0a4d76530c48760bddb2c59938afe2bd
          Size/MD5:  3190192 0ca1ef99a5f80a6ac3b1527c33325cab
          Size/MD5:    90750 746fc3ece73fdf71441b4c2269ed17d5
          Size/MD5:    62938 32be863293c321907d8ed6a346d55804
          Size/MD5: 10371522 f75e280227e1d7428e16f2209fa78a03
          Size/MD5:   228868 bf24f6487d8314fed24f82cfc665ea06
          Size/MD5:   180030 45218a08229d942aea27cc8719e80ed7
          Size/MD5:   254946 4c212146f6d85ceac1fbaad9129d3fc5
          Size/MD5:   896060 d66825d900f03fa5093b5c29301ace14

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5: 49836692 25a24ef04fbeb43dfb5f7203fb94de7d
          Size/MD5:  3177280 a52529905aeed8b38a35e825b646b159
          Size/MD5:    86616 efc4edb7c610d01da6dd4e7f13f4424a
          Size/MD5:    62162 319793e8f7bd0f29befe99b383c91275
          Size/MD5:  9575550 407b513437f0c3a16fbfa838a55c89c5
          Size/MD5:   228864 2068b5134cc8c24a769fa3984fd36547
          Size/MD5:   162098 ad7dfb30f2a7bce32c38c6522408af6e
          Size/MD5:   254964 68df04f7a07a59cf2e52f7dadf30dd90
          Size/MD5:   801430 7a664cecf34231cba2f4a307e7b4d78f

Updated packages for Ubuntu 7.10:

  Source archives:

          Size/MD5:   193456 41e5fd9a5b264d59a7a19c4652135fa2
          Size/MD5:     2297 241e87103d61cf94617968e58eae5e49
          Size/MD5: 37705770 d50c621116c9c6446ae8cc44b50e4422

  Architecture independent packages:

          Size/MD5:   200850 dd0a6864ed156408ad302ae826014651

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5: 78081002 406b5786d9a9d596bbb5a239f9521838
          Size/MD5:  3198548 6467de3e926c81469d7b8a8663e30de4
          Size/MD5:    98188 bd03eb6af24cd4742bcf7e9d3259b5e3
          Size/MD5:    67214 f940933f974226a0b368e0b186195877
          Size/MD5: 10466910 1c6763f8560faa2db02dc5541334d2eb

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5: 77223978 0fec264e30c0a1cea0bec1b574a741f1
          Size/MD5:  3186190 10869a4be34712ef088fd82bb24666a2
          Size/MD5:    91912 a45101ff4b6e34c0641a787b9e55e568
          Size/MD5:    66500 c17d657e5a5ed8646dcabc5483884336
          Size/MD5:  9206920 e9d44cb1e42ffdad0627eb4e955b444c

  lpia architecture (Low Power Intel Architecture):

          Size/MD5: 77504940 f75594b281a77f3446cde6d443336610
          Size/MD5:  3183726 8072b22b2a997f7bb9ebde38879f7a75
          Size/MD5:    91558 3a4e9336d0c1320fff0f3455f8626b94
          Size/MD5:    66442 8f479619754f754d344ce2f06cadbaa1
          Size/MD5:  9067072 a8aea6c6ebf0f054abfdd224f2aeda21

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5: 80698898 80bf457d9eff4ccdac1db166b4cb34f9
          Size/MD5:  3202070 f4141fb98b2fad1aa6cea594aaa0836e
          Size/MD5:    96238 1c58383b83012e2433e7e94d1fd692a4
          Size/MD5:    67488 3d364e7fe31efbaefe48e42e7eb149a1
          Size/MD5: 10309836 b8fc060b7717ca09f0c9b6032aaadc73

  sparc architecture (Sun SPARC/UltraSPARC):

          Size/MD5: 78054936 ed5eefdbe626ac14e0224364db000e74
          Size/MD5:  3183678 78beaf283c45887f46216cd72274f787
          Size/MD5:    91674 c873546b0c5cad2e214a3e7590dc8ac2
          Size/MD5:    66576 359f0c5d326f055c9d21f1351ae67087
          Size/MD5:  9459810 5fe3f16fd1b97e7a8d898c8408f650e2

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

          Size/MD5:   105830 9ae8a004b6fa51d3114802bc8584780d
          Size/MD5:     2760 4529b30c094bf6473eec8c024ac34b3a
          Size/MD5: 11112466 2bf9e7a2418a53e260395584269ac643
          Size/MD5:    77364 8d90a935a95e33ca9f0f92f22cf5d158
          Size/MD5:     2825 e15190772abc1a4fc6306c6f7623f3f1
          Size/MD5: 40166158 e590b88ee66aacb233093257bda8a2eb

  Architecture independent packages:

          Size/MD5:    65888 a8bc7c861990c009d28e02fb7efd5394
          Size/MD5:    65902 f8f6e739ff2ceb4203577a5c7256ea78
          Size/MD5:    65864 5a7a5b64525e0ccba057bf7cc9a1148a
          Size/MD5:    65848 d664468be273af4b7b067538e856230d
          Size/MD5:    66010 ec29e19ae579331ab17997626c619770
          Size/MD5:    65908 cd5935c267b2edda2af3eb23b505a4a8
          Size/MD5:    65864 a829a787c9d3dbe6b1d7b8c5076ccf31
          Size/MD5:     8972 4b005f351d7db19a6f07d4ce8bd2f83f
          Size/MD5:     8964 2fc7204ae1a55f83992ec65fca358cc5
          Size/MD5:    65880 aff38851229b6564a123cdd40e1d74d4
          Size/MD5:    65852 3248dc488e7526ee1cc88b19f416dca0
          Size/MD5:    65840 efb60d9b3349d86ae6b57d891af76a93
          Size/MD5:     8950 d0fc909c4ee2bb338b99b21b5e4ba53c
          Size/MD5:    65866 ce319c0dea59d4760238c63dbbbe18c8
          Size/MD5:     8948 ad5e7034b42387ed15c959ca748bcd51
          Size/MD5:    65834 d3d524575bc0c44fc476ec7c68c9b6be
          Size/MD5:   125096 d4bd8c925794510c99b8cedc33af9eee
          Size/MD5:   235232 5651fb9bc0673df5c36690f7e8b7de9e

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

          Size/MD5:     9032 59650e2cf25d56905b9b4cedc32a9c75
          Size/MD5:    29602 6195cca830293f4f1a18385e2359745f
          Size/MD5:  1087296 f3b64a363301666c801d507ee6bef72a
          Size/MD5:  4035436 66b97ec71c0b6c83b4b37ed11b5bbf7c
          Size/MD5:    48658 74965d6808431e8bbbd9cbf1c6855cac
          Size/MD5:  9031564 989c0069101b9df7176a4f10976f5f02

  i386 architecture (x86 compatible Intel/AMD):

          Size/MD5:     9034 bc80011d2f5681a685e310e0c444fbce
          Size/MD5:    25732 aa9b0318a5b14c27f8a9cb907b82f688
          Size/MD5:  1064980 f23fde08f7c01637f60471123dd10449
          Size/MD5:  4016990 94003a2b828f91e46ba5c6308ef271fd
          Size/MD5:    38514 4ca9181ccd85900bf20b56548e67be43
          Size/MD5:  7763702 c8fe4cf05fcd5f550318333577b4273c

  lpia architecture (Low Power Intel Architecture):

          Size/MD5:     9034 29d06ea689d257a6082ab4e16dd7f590
          Size/MD5:    25348 5aa83572c22d30b7758ee424fa001003
          Size/MD5:  1063092 75dddb0dfdc299afc32636de65219025
          Size/MD5:  4012464 efcb2a9ea8c9d3a5781f53884357756e
          Size/MD5:    37608 e42348339291ad26d70e4124ee90bd4a
          Size/MD5:  7650762 b73f0cab903c38b84f42b546a201432c

  powerpc architecture (Apple Macintosh G3/G4/G5):

          Size/MD5:     9034 195551cfc109865c6ca73c28aa775d76
          Size/MD5:    27502 be0223e544c4f81f8426c312a4381790
          Size/MD5:  1079124 b4cec8b1b8d19d20d6a88f02ec4cd38a
          Size/MD5:  4023470 8086afab2b04b9bc5f61c2920d3a931b
          Size/MD5:    43678 c4c5d38c50f1c477eb5cb752693ab827
          Size/MD5:  8609778 bfd2eb3346f2be06232ea368d1661d16

Ubuntu: Firefox and xulrunner vulnerabilities

September 24, 2008
Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines

Summary

Update Instructions

References

Severity
Ubuntu Security Notice USN-645-1 September 24, 2008

Package Information

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved