libxul0d: vulnerable to CVE-2007-5339

Debian Bug report logs - #447734
Package: libxul0d; Maintainer for libxul0d is (unknown);

Reported by: Sam Morris <sam@robots.org.uk>

Date: Tue, 23 Oct 2007 13:18:01 UTC

Severity: grave

Tags: security

Found in versions xulrunner/1.8.1.6-1, xulrunner/1.8.0.11-2

Fixed in versions xulrunner/1.8.0.14~pre071019b-0lenny1, 1.8.0.14~pre071019b-0etch4, xulrunner/1.8.1.9-1

Done: Mike Hommey <glandium@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Mike Hommey <glandium@debian.org>:
Bug#447734; Package libxul0d.

Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Mike Hommey <glandium@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Sam Morris <sam@robots.org.uk>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libxul0d: vulnerable to CVE-2007-5339
Date: Tue, 23 Oct 2007 14:16:45 +0100
Package: libxul0d
Version: 1.8.1.6-1
Severity: grave
Tags: security
Justification: user security hole

Although <http://security-tracker.debian.net/tracker/CVE-2007-5339>
states that no packages in unstable are vulnerable to this bug, I just
tested Epiphany against it at <http://bcheck.scanit.be/bcheck/> and it
managed to crash my browser.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (540, 'stable'), (520, 'testing'), (510, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22-2-k7
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages libxul0d depends on:
ii  libatk1.0-0             1.20.0-1         The ATK accessibility toolkit
ii  libc6                   2.6.1-1+b1       GNU C Library: Shared libraries
ii  libcairo2               1.4.10-1         The Cairo 2D vector graphics libra
ii  libfontconfig1          2.4.2-1.2        generic font configuration library
ii  libfreetype6            2.3.5-1+b1       FreeType 2 font engine, shared lib
ii  libgcc1                 1:4.2.2-3        GCC support library
ii  libglib2.0-0            2.14.1-5         The GLib library of C routines
ii  libgtk2.0-0             2.12.1-1         The GTK+ graphical user interface 
ii  libhunspell-1.1-0       1.1.9-1          spell checker and morphological an
ii  libjpeg62               6b-13            The Independent JPEG Group's JPEG 
ii  libmozjs0d              1.8.1.6-1        The Mozilla SpiderMonkey JavaScrip
ii  libnspr4-0d             4.6.7-1          NetScape Portable Runtime Library
ii  libnss3-0d              3.11.7-1         Network Security Service libraries
ii  libpango1.0-0           1.18.2-1         Layout and rendering of internatio
ii  libpng12-0              1.2.15~beta5-1   PNG library - runtime
ii  libstdc++6              4.2.2-3          The GNU Standard C++ Library v3
ii  libx11-6                2:1.0.3-7        X11 client-side library
ii  libxft2                 2.1.12-2         FreeType-based font drawing librar
ii  libxinerama1            1:1.0.2-1        X11 Xinerama extension library
ii  libxrender1             1:0.9.4-1        X Rendering Extension client libra
ii  libxt6                  1:1.0.2-2        X11 toolkit intrinsics library
ii  libxul-common           1.8.1.6-1        Gecko engine library - common file
ii  zlib1g                  1:1.2.3.3.dfsg-6 compression library - runtime

libxul0d recommends no packages.

-- no debconf information


Information forwarded to debian-bugs-dist@lists.debian.org, Mike Hommey <glandium@debian.org>:
Bug#447734; Package libxul0d.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Mike Hommey <glandium@debian.org>.

Message #10 received at 447734@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 447734@bugs.debian.org
Cc: control@bugs.debian.org, 442201@bugs.debian.org
Subject: security issues in xulrunner
Date: Wed, 31 Oct 2007 18:09:48 +0100
found 447734 1.8.0.11-2
found 442201 1.8.0.11-2
thanks

There is no reason to assume that these bugs are not also in older versions.


Bug marked as found in version 1.8.0.11-2. Request was from Stefan Fritsch <sf@sfritsch.de> to control@bugs.debian.org. (Wed, 31 Oct 2007 17:12:05 GMT)

Bug marked as fixed in version 1.8.0.14~pre071019b-0lenny1. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Wed, 31 Oct 2007 17:42:05 GMT)

Bug marked as fixed in version 1.8.0.14~pre071019b-0etch4. Request was from Stefan Fritsch <sf@debian.org> to control@bugs.debian.org. (Wed, 31 Oct 2007 17:42:06 GMT)
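The found/fixed versions recorded above are only meaningful per branch: under dpkg version ordering the etch fix 1.8.0.14~pre071019b-0etch4 sorts below the still-vulnerable 1.8.1.6-1 that was reported, so an installed version must be compared against the fix released for its own suite, not against the lowest "fixed in" entry. The BTS models this with a per-branch version graph; a single threshold comparison does not. The Python below is an added example, not part of this bug log or of Debian's tooling: it reimplements the dpkg --compare-versions algorithm (Debian Policy 5.6.12: [epoch:]upstream[-revision], alternating non-digit and digit runs, '~' sorting before everything including the end of the string) and shows the wrong-suite trap. The suite labels in FIXED are my own mapping of the versions listed in this report (0etch4, 0lenny1, and 1.8.1.9-1 uploaded to unstable).

```python
def _order(ch):
    """Sort weight of one character inside a non-digit run (dpkg's order())."""
    if ch == "~":
        return -1                 # '~' sorts before everything, even ""
    if ch.isdigit():
        return 0                  # a digit ends the non-digit run
    if ch.isalpha():
        return ord(ch)            # letters sort before punctuation
    return ord(ch) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings; <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # 1. non-digit run, compared character by character
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0   # end of string weighs 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # 2. digit run, compared numerically (leading zeros dropped)
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1              # a has more significant digits left
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                   # no revision at all
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare(a, b):
    """-1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return (r > 0) - (r < 0)
    return 0


def is_fixed(installed, fixed_for_suite):
    """True when installed is at or above the fix for *its own* suite.

    Caveat: pass the fixed version of the suite the package came from.
    The etch fix 1.8.0.14~pre071019b-0etch4 is lower than the vulnerable
    1.8.1.6-1, so checking a 1.8.1.x install against the etch fix reports
    'fixed' although the package is still vulnerable.
    """
    return compare(installed, fixed_for_suite) >= 0


# Versions from this bug log; the suite labels are this example's own mapping.
FIXED = {
    "etch": "1.8.0.14~pre071019b-0etch4",
    "lenny": "1.8.0.14~pre071019b-0lenny1",
    "sid": "1.8.1.9-1",
}

if __name__ == "__main__":
    installed = "1.8.1.6-1"                                 # the reported version
    print("sid:", is_fixed(installed, FIXED["sid"]))        # False: still vulnerable
    print("etch (wrong suite):", is_fixed(installed, FIXED["etch"]))  # True, misleading
```

The sign convention matches `dpkg --compare-versions A lt B`; when dpkg is available, its output is the reference and this function should agree with it on every pair.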

Tags added: pending. Request was from Mike Hommey <mh@glandium.org> to control@bugs.debian.org. (Thu, 01 Nov 2007 09:33:10 GMT)

Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility.

Notification sent to Sam Morris <sam@robots.org.uk>:
Bug acknowledged by developer.

Message #23 received at 447734-close@bugs.debian.org:

From: Mike Hommey <glandium@debian.org>
To: 447734-close@bugs.debian.org
Subject: Bug#447734: fixed in xulrunner 1.8.1.9-1
Date: Thu, 01 Nov 2007 15:48:23 +0000
Source: xulrunner
Source-Version: 1.8.1.9-1

We believe that the bug you reported is fixed in the latest version of
xulrunner, which is due to be installed in the Debian FTP archive:

libmozillainterfaces-java_1.8.1.9-1_all.deb
  to pool/main/x/xulrunner/libmozillainterfaces-java_1.8.1.9-1_all.deb
libmozjs-dev_1.8.1.9-1_all.deb
  to pool/main/x/xulrunner/libmozjs-dev_1.8.1.9-1_all.deb
libmozjs0d-dbg_1.8.1.9-1_i386.deb
  to pool/main/x/xulrunner/libmozjs0d-dbg_1.8.1.9-1_i386.deb
libmozjs0d_1.8.1.9-1_i386.deb
  to pool/main/x/xulrunner/libmozjs0d_1.8.1.9-1_i386.deb
libxul-common_1.8.1.9-1_all.deb
  to pool/main/x/xulrunner/libxul-common_1.8.1.9-1_all.deb
libxul-dev_1.8.1.9-1_all.deb
  to pool/main/x/xulrunner/libxul-dev_1.8.1.9-1_all.deb
libxul0d-dbg_1.8.1.9-1_i386.deb
  to pool/main/x/xulrunner/libxul0d-dbg_1.8.1.9-1_i386.deb
libxul0d_1.8.1.9-1_i386.deb
  to pool/main/x/xulrunner/libxul0d_1.8.1.9-1_i386.deb
python-xpcom_1.8.1.9-1_i386.deb
  to pool/main/x/xulrunner/python-xpcom_1.8.1.9-1_i386.deb
spidermonkey-bin_1.8.1.9-1_i386.deb
  to pool/main/x/xulrunner/spidermonkey-bin_1.8.1.9-1_i386.deb
xulrunner-gnome-support_1.8.1.9-1_i386.deb
  to pool/main/x/xulrunner/xulrunner-gnome-support_1.8.1.9-1_i386.deb
xulrunner_1.8.1.9-1.diff.gz
  to pool/main/x/xulrunner/xulrunner_1.8.1.9-1.diff.gz
xulrunner_1.8.1.9-1.dsc
  to pool/main/x/xulrunner/xulrunner_1.8.1.9-1.dsc
xulrunner_1.8.1.9-1_i386.deb
  to pool/main/x/xulrunner/xulrunner_1.8.1.9-1_i386.deb
xulrunner_1.8.1.9.orig.tar.gz
  to pool/main/x/xulrunner/xulrunner_1.8.1.9.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 447734@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <glandium@debian.org> (supplier of updated xulrunner package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 01 Nov 2007 12:52:17 +0100
Source: xulrunner
Binary: libmozjs0d-dbg xulrunner-gnome-support libmozjs0d libxul0d-dbg libmozjs-dev python-xpcom xulrunner libxul-common libmozillainterfaces-java spidermonkey-bin libxul-dev libxul0d
Architecture: source i386 all
Version: 1.8.1.9-1
Distribution: unstable
Urgency: low
Maintainer: Mike Hommey <glandium@debian.org>
Changed-By: Mike Hommey <glandium@debian.org>
Description: 
 libmozillainterfaces-java - XPCOM bindings for Java
 libmozjs-dev - Development files for the Mozilla SpiderMonkey JavaScript library
 libmozjs0d - The Mozilla SpiderMonkey JavaScript library
 libmozjs0d-dbg - Development files for the Mozilla SpiderMonkey JavaScript library
 libxul-common - Gecko engine library - common files
 libxul-dev - Development files for the Gecko engine library
 libxul0d   - Gecko engine library
 libxul0d-dbg - Development files for the Gecko engine library
 python-xpcom - XPCOM bindings for Python
 spidermonkey-bin - standalone JavaScript/ECMAScript (ECMA-262) interpreter
 xulrunner  - XUL + XPCOM application runner
 xulrunner-gnome-support - Support for Gnome in xulrunner applications
Closes: 431483 435689 441511 447734
Changes: 
 xulrunner (1.8.1.9-1) unstable; urgency=low
 .
   * New security/stability upstream release (taken from upstream CVS)
     + xpidl produces proper java file names. Closes: #435689.
   * Fixes mfsa-2007-29 to mfsa-2007-36, also known as CVE-2007-1095,
     CVE-2007-2292, CVE-2006-2894, CVE-2007-3511, CVE-2007-4841,
     CVE-2007-5334, CVE-2007-5337, CVE-2007-5338, CVE-2007-5339,
     CVE-2007-5340. Closes: #447734.
   * debian/remove.nonfree: Remove some more object files.
   * debian/control: Remove build dependency on ecj-bootstrap, as it doesn't
     exist anymore, and is not useful nowadays. Closes: #441511.
   * debian/patches/99_configure.dpatch: Updated.
   * debian/patches/35_python_2.5.dpatch: Fix FTBFS with python 2.5. Thanks
     Alexander Sack. Closes: #431483.
   * debian/patches/10_gdkpango_system_wrapper.dpatch: Create a system wrapper
     for gdkpango.h to avoid FTBFS because of default visibility.
   * debian/patches/00list: Updated accordingly.
Files: 
 3f0b5aa757a5ad32efe4fd7b6fb65f7e 1220 devel optional xulrunner_1.8.1.9-1.dsc
 b960c8616245ed56e0e42b3737ab6cb7 40295272 devel optional xulrunner_1.8.1.9.orig.tar.gz
 82ee44ac31f7a1933dd1f9610fa7cdf4 129124 devel optional xulrunner_1.8.1.9-1.diff.gz
 b24ae9684232a56b691fef32cf7565bb 190272 libdevel optional libmozjs-dev_1.8.1.9-1_all.deb
 e9b31ec42589b843ba72c4917af9ef54 1165518 libs optional libxul-common_1.8.1.9-1_all.deb
 372953db3278eb46960e6d98e254ae38 2794198 libdevel optional libxul-dev_1.8.1.9-1_all.deb
 6973462e58b948b8e902efb81951b714 1322966 libdevel extra libmozillainterfaces-java_1.8.1.9-1_all.deb
 e21b7c11f3a870370b1b555110dc7f6d 277132 devel optional xulrunner_1.8.1.9-1_i386.deb
 2b85e8d8917dd85ee6e1513612fd0703 64330 devel optional xulrunner-gnome-support_1.8.1.9-1_i386.deb
 1ec83feff87b1eaf89b82a3dc694fcdd 360672 libs optional libmozjs0d_1.8.1.9-1_i386.deb
 3af5412221e859e5f8c4e548d96c6c80 808392 libdevel extra libmozjs0d-dbg_1.8.1.9-1_i386.deb
 97953682acb95f34fb388369913720f5 54044 interpreters optional spidermonkey-bin_1.8.1.9-1_i386.deb
 52601c312c863ee661813625ee264b04 5542474 libs optional libxul0d_1.8.1.9-1_i386.deb
 bada26872eeea7d0df9cb66bf2b1f7fc 46821288 libdevel extra libxul0d-dbg_1.8.1.9-1_i386.deb
 cfcdbaf4533d6af89f428060c35ce720 118568 python extra python-xpcom_1.8.1.9-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHKeMi3kvaLFT9KlgRAjn6AJ9ADEbSGnkl+fJyP/O8haxSmGcNQwCfXEp1
98oH6DWAsN0S5PoKSDcAt4g=
=aNT7
-----END PGP SIGNATURE-----
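The signed .changes above (Format 1.7) carries only MD5 sums in its Files: field; later formats add Checksums-Sha1 and Checksums-Sha256 fields with the same "digest size name" layout minus the section and priority columns. Anyone accepting such an upload verifies the PGP signature first, since the stanza is only as trustworthy as the key that signed it, then checks every listed file's size and digest and rejects file names containing path components. The following Python is an added example, not dak's or Debian's code: it parses the checksum fields of a .changes body and verifies the named files on disk. PAGE_FILES copies two lines from the Files: field of the message above; CONSTRUCTED_CHANGES and the files written by demo() are constructed for the example.

```python
import hashlib
import os
import tempfile

# Checksum fields of a .changes file: field -> (hash algorithm, columns before the name).
# Files: is "md5 size section priority name"; Checksums-* (absent from this
# Format 1.7 upload) are "digest size name".
CHECKSUM_FIELDS = {
    "Files": ("md5", 4),
    "Checksums-Sha1": ("sha1", 2),
    "Checksums-Sha256": ("sha256", 2),
}


def parse_checksums(changes_text):
    """Return {field: {filename: (hexdigest, size)}} for the checksum fields."""
    result, current = {}, None
    for line in changes_text.splitlines():
        if not line or not line[0].isspace():
            # an unindented line starts a new field (or is PGP armour); only
            # indented continuation lines belong to the field before them
            name = line.split(":", 1)[0]
            current = name if name in CHECKSUM_FIELDS else None
            if current:
                result[current] = {}
            continue
        if current and line.strip():
            cols = line.split()
            if len(cols) != CHECKSUM_FIELDS[current][1] + 1:
                raise ValueError(f"malformed {current} line: {line!r}")
            result[current][cols[-1]] = (cols[0].lower(), int(cols[1]))
    return result


def verify_changes(changes_text, directory, field="Files"):
    """Check each file listed in *field* against what is on disk.

    Returns {filename: status}, status being 'ok', 'missing', 'size-mismatch',
    '<algo>-mismatch' or 'rejected-name'.
    """
    algo, _ = CHECKSUM_FIELDS[field]
    report = {}
    for filename, (want_digest, want_size) in parse_checksums(changes_text).get(field, {}).items():
        if os.path.basename(filename) != filename or filename in (".", ".."):
            report[filename] = "rejected-name"       # no path components allowed
            continue
        path = os.path.join(directory, filename)
        if not os.path.isfile(path):
            report[filename] = "missing"
            continue
        digest, size = hashlib.new(algo), 0
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
                size += len(chunk)
        if size != want_size:
            report[filename] = "size-mismatch"
        elif digest.hexdigest() != want_digest:
            report[filename] = f"{algo}-mismatch"
        else:
            report[filename] = "ok"
    return report


# Two entries copied from the Files: field of the xulrunner 1.8.1.9-1 upload above.
PAGE_FILES = """\
Files:
 3f0b5aa757a5ad32efe4fd7b6fb65f7e 1220 devel optional xulrunner_1.8.1.9-1.dsc
 52601c312c863ee661813625ee264b04 5542474 libs optional libxul0d_1.8.1.9-1_i386.deb
"""

# Constructed stanza (not from the page): 5d41402a... is the MD5 of b"hello",
# d41d8cd9... the MD5 of the empty file.
CONSTRUCTED_CHANGES = """\
Format: 1.7
Source: example
Files:
 5d41402abc4b2a76b9719d911017c592 5 devel optional good.txt
 5d41402abc4b2a76b9719d911017c592 5 devel optional tampered.txt
 5d41402abc4b2a76b9719d911017c592 5 devel optional truncated.txt
 d41d8cd98f00b204e9800998ecf8427e 0 devel optional absent.txt
 5d41402abc4b2a76b9719d911017c592 5 devel optional ../escape.txt
"""


def demo():
    """Write constructed files into a temp dir and verify the constructed stanza."""
    with tempfile.TemporaryDirectory() as d:
        for name, content in (("good.txt", b"hello"), ("tampered.txt", b"hellO"),
                              ("truncated.txt", b"hell")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(content)
        return verify_changes(CONSTRUCTED_CHANGES, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14} {name}")
```

MD5 is not collision resistant, so for a current upload the Checksums-Sha256 field should be the one verified; the MD5 column in Files: is kept for compatibility. Size is checked before the digest so that a truncated download is reported as such rather than as a digest failure.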

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 28 Feb 2008 07:30:44 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:29:01 2019; Machine Name: beach

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.