Debian Bug report logs - #447734
libxul0d: vulnerable to CVE-2007-5339
Reported by: Sam Morris <sam@robots.org.uk>
Date: Tue, 23 Oct 2007 13:18:01 UTC
Severity: grave
Tags: security
Found in versions xulrunner/1.8.1.6-1, xulrunner/1.8.0.11-2
Fixed in versions xulrunner/1.8.0.14~pre071019b-0lenny1, 1.8.0.14~pre071019b-0etch4, xulrunner/1.8.1.9-1
Done: Mike Hommey <glandium@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Mike Hommey <glandium@debian.org>: Bug#447734; Package libxul0d.
Acknowledgement sent to Sam Morris <sam@robots.org.uk>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Mike Hommey <glandium@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: libxul0d
Version: 1.8.1.6-1
Severity: grave
Tags: security
Justification: user security hole
Although <http://security-tracker.debian.net/tracker/CVE-2007-5339>
states that no packages in unstable are vulnerable to this bug, I just
tested Epiphany against it at <http://bcheck.scanit.be/bcheck/> and it
managed to crash my browser.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (540, 'stable'), (520, 'testing'), (510, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22-2-k7
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Versions of packages libxul0d depends on:
ii libatk1.0-0 1.20.0-1 The ATK accessibility toolkit
ii libc6 2.6.1-1+b1 GNU C Library: Shared libraries
ii libcairo2 1.4.10-1 The Cairo 2D vector graphics libra
ii libfontconfig1 2.4.2-1.2 generic font configuration library
ii libfreetype6 2.3.5-1+b1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.2.2-3 GCC support library
ii libglib2.0-0 2.14.1-5 The GLib library of C routines
ii libgtk2.0-0 2.12.1-1 The GTK+ graphical user interface
ii libhunspell-1.1-0 1.1.9-1 spell checker and morphological an
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libmozjs0d 1.8.1.6-1 The Mozilla SpiderMonkey JavaScrip
ii libnspr4-0d 4.6.7-1 NetScape Portable Runtime Library
ii libnss3-0d 3.11.7-1 Network Security Service libraries
ii libpango1.0-0 1.18.2-1 Layout and rendering of internatio
ii libpng12-0 1.2.15~beta5-1 PNG library - runtime
ii libstdc++6 4.2.2-3 The GNU Standard C++ Library v3
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxft2 2.1.12-2 FreeType-based font drawing librar
ii libxinerama1 1:1.0.2-1 X11 Xinerama extension library
ii libxrender1 1:0.9.4-1 X Rendering Extension client libra
ii libxt6 1:1.0.2-2 X11 toolkit intrinsics library
ii libxul-common 1.8.1.6-1 Gecko engine library - common file
ii zlib1g 1:1.2.3.3.dfsg-6 compression library - runtime
libxul0d recommends no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Mike Hommey <glandium@debian.org>: Bug#447734; Package libxul0d.
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>: Extra info received and forwarded to list. Copy sent to Mike Hommey <glandium@debian.org>.
Message #10 received at 447734@bugs.debian.org:
found 447734 1.8.0.11-2
found 442201 1.8.0.11-2
thanks
There is no reason to assume that these bugs are not also in older versions.
Bug marked as found in version 1.8.0.11-2. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. (Wed, 31 Oct 2007 17:12:05 GMT)
Bug marked as fixed in version 1.8.0.14~pre071019b-0lenny1. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Wed, 31 Oct 2007 17:42:05 GMT)
Bug marked as fixed in version 1.8.0.14~pre071019b-0etch4. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Wed, 31 Oct 2007 17:42:06 GMT)
Tags added: pending. Request was from Mike Hommey <mh@glandium.org> to control@bugs.debian.org. (Thu, 01 Nov 2007 09:33:10 GMT)
Reply sent to Mike Hommey <glandium@debian.org>: You have taken responsibility.
Notification sent to Sam Morris <sam@robots.org.uk>: Bug acknowledged by developer.
Message #23 received at 447734-close@bugs.debian.org:
Source: xulrunner
Source-Version: 1.8.1.9-1
We believe that the bug you reported is fixed in the latest version of
xulrunner, which is due to be installed in the Debian FTP archive:
libmozillainterfaces-java_1.8.1.9-1_all.deb to pool/main/x/xulrunner/libmozillainterfaces-java_1.8.1.9-1_all.deb
libmozjs-dev_1.8.1.9-1_all.deb to pool/main/x/xulrunner/libmozjs-dev_1.8.1.9-1_all.deb
libmozjs0d-dbg_1.8.1.9-1_i386.deb to pool/main/x/xulrunner/libmozjs0d-dbg_1.8.1.9-1_i386.deb
libmozjs0d_1.8.1.9-1_i386.deb to pool/main/x/xulrunner/libmozjs0d_1.8.1.9-1_i386.deb
libxul-common_1.8.1.9-1_all.deb to pool/main/x/xulrunner/libxul-common_1.8.1.9-1_all.deb
libxul-dev_1.8.1.9-1_all.deb to pool/main/x/xulrunner/libxul-dev_1.8.1.9-1_all.deb
libxul0d-dbg_1.8.1.9-1_i386.deb to pool/main/x/xulrunner/libxul0d-dbg_1.8.1.9-1_i386.deb
libxul0d_1.8.1.9-1_i386.deb to pool/main/x/xulrunner/libxul0d_1.8.1.9-1_i386.deb
python-xpcom_1.8.1.9-1_i386.deb to pool/main/x/xulrunner/python-xpcom_1.8.1.9-1_i386.deb
spidermonkey-bin_1.8.1.9-1_i386.deb to pool/main/x/xulrunner/spidermonkey-bin_1.8.1.9-1_i386.deb
xulrunner-gnome-support_1.8.1.9-1_i386.deb to pool/main/x/xulrunner/xulrunner-gnome-support_1.8.1.9-1_i386.deb
xulrunner_1.8.1.9-1.diff.gz to pool/main/x/xulrunner/xulrunner_1.8.1.9-1.diff.gz
xulrunner_1.8.1.9-1.dsc to pool/main/x/xulrunner/xulrunner_1.8.1.9-1.dsc
xulrunner_1.8.1.9-1_i386.deb to pool/main/x/xulrunner/xulrunner_1.8.1.9-1_i386.deb
xulrunner_1.8.1.9.orig.tar.gz to pool/main/x/xulrunner/xulrunner_1.8.1.9.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 447734@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Hommey <glandium@debian.org> (supplier of updated xulrunner package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 01 Nov 2007 12:52:17 +0100
Source: xulrunner
Binary: libmozjs0d-dbg xulrunner-gnome-support libmozjs0d libxul0d-dbg libmozjs-dev python-xpcom xulrunner libxul-common libmozillainterfaces-java spidermonkey-bin libxul-dev libxul0d
Architecture: source i386 all
Version: 1.8.1.9-1
Distribution: unstable
Urgency: low
Maintainer: Mike Hommey <glandium@debian.org>
Changed-By: Mike Hommey <glandium@debian.org>
Description:
libmozillainterfaces-java - XPCOM bindings for Java
libmozjs-dev - Development files for the Mozilla SpiderMonkey JavaScript library
libmozjs0d - The Mozilla SpiderMonkey JavaScript library
libmozjs0d-dbg - Development files for the Mozilla SpiderMonkey JavaScript library
libxul-common - Gecko engine library - common files
libxul-dev - Development files for the Gecko engine library
libxul0d - Gecko engine library
libxul0d-dbg - Development files for the Gecko engine library
python-xpcom - XPCOM bindings for Python
spidermonkey-bin - standalone JavaScript/ECMAScript (ECMA-262) interpreter
xulrunner - XUL + XPCOM application runner
xulrunner-gnome-support - Support for Gnome in xulrunner applications
Closes: 431483 435689 441511 447734
Changes:
xulrunner (1.8.1.9-1) unstable; urgency=low
.
* New security/stability upstream release (taken from upstream CVS)
+ xpidl produces proper java file names. Closes: #435689.
* Fixes mfsa-2007-29 to mfsa-2007-36, also known as CVE-2007-1095,
CVE-2007-2292, CVE-2006-2894, CVE-2007-3511, CVE-2007-4841,
CVE-2007-5334, CVE-2007-5337, CVE-2007-5338, CVE-2007-5339,
CVE-2007-5340. Closes: #447734.
* debian/remove.nonfree: Remove some more object files.
* debian/control: Remove build dependency on ecj-bootstrap, as it doesn't
exist anymore, and is not useful nowadays. Closes: #441511.
* debian/patches/99_configure.dpatch: Updated.
* debian/patches/35_python_2.5.dpatch: Fix FTBFS with python 2.5. Thanks
Alexander Sack. Closes: #431483.
* debian/patches/10_gdkpango_system_wrapper.dpatch: Create a system wrapper
for gdkpango.h to avoid FTBFS because of default visibility.
* debian/patches/00list: Updated accordingly.
Files:
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 28 Feb 2008 07:30:44 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:29:01 2019.
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.