Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Sign up!
EnGarde Community
What is the most important Linux security technology?
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Latest Newsletters
Linux Advisory Watch: March 27th, 2015
Linux Security Week: March 23rd, 2015
LinuxSecurity Newsletters
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

Ubuntu: Firefox and xulrunner vulnerabilities Print E-mail
User Rating:      How can I rate this item?
Posted by Benjamin D. Thomas   
Ubuntu Justin Schuh, Tom Cross and Peter Williams discovered errors in the Firefox URL parsing routines. If a user were tricked into opening a crafted hyperlink, an attacker could overflow a stack buffer and execute arbitrary code. (CVE-2008-0016)
Ubuntu Security Notice USN-645-1         September 24, 2008
firefox, firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2008-0016, CVE-2008-3835, CVE-2008-3836, CVE-2008-3837,
CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061,
CVE-2008-4062, CVE-2008-4063, CVE-2008-4064, CVE-2008-4065,
CVE-2008-4066, CVE-2008-4067, CVE-2008-4068, CVE-2008-4069

A security issue affects the following Ubuntu releases:

Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.04:

Ubuntu 7.10:

Ubuntu 8.04 LTS:
  firefox-3.0                     3.0.2+build6+nobinonly-0ubuntu0.8.04.1

After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner, such as Epiphany, to effect the
necessary changes.

Details follow:

Justin Schuh, Tom Cross and Peter Williams discovered errors in the
Firefox URL parsing routines. If a user were tricked into opening a
crafted hyperlink, an attacker could overflow a stack buffer and
execute arbitrary code. (CVE-2008-0016)

It was discovered that the same-origin check in Firefox could be
bypassed. If a user were tricked into opening a malicious website,
an attacker may be able to execute JavaScript in the context of a
different website. (CVE-2008-3835)

Several problems were discovered in the JavaScript engine. This
could allow an attacker to execute scripts from page content with
chrome privileges. (CVE-2008-3836)

Paul Nickerson discovered Firefox did not properly process mouse
click events. If a user were tricked into opening a malicious web
page, an attacker could move the content window, which could
potentially be used to force a user to perform unintended drag and
drop operations. (CVE-2008-3837)

Several problems were discovered in the browser engine. This could
allow an attacker to execute code with chrome privileges.
(CVE-2008-4058, CVE-2008-4059, CVE-2008-4060)

Drew Yao, David Maciejak and other Mozilla developers found several
problems in the browser engine of Firefox. If a user were tricked
into opening a malicious web page, an attacker could cause a denial
of service or possibly execute arbitrary code with the privileges
of the user invoking the program. (CVE-2008-4061, CVE-2008-4062,
CVE-2008-4063, CVE-2008-4064)

Dave Reed discovered a flaw in the JavaScript parsing code when
processing certain BOM characters. An attacker could exploit this
to bypass script filters and perform cross-site scripting attacks.

Gareth Heyes discovered a flaw in the HTML parser of Firefox. If a
user were tricked into opening a malicious web page, an attacker
could bypass script filtering and perform cross-site scripting
attacks. (CVE-2008-4066)

Boris Zbarsky and Georgi Guninski independently discovered flaws in
the resource: protocol. An attacker could exploit this to perform
directory traversal, read information about the system, and prompt
the user to save information in a file. (CVE-2008-4067,

Billy Hoffman discovered a problem in the XBM decoder. If a user were
tricked into opening a malicious web page or XBM file, an attacker
may be able to cause a denial of service via application crash.

Updated packages for Ubuntu 7.04:

  Source archives:
      Size/MD5:   316696 fcc877d67c4c479221bbf3c4a3d7eb6d
      Size/MD5:     2330 b5027c93757b9fec8eda43ee3b93c227
      Size/MD5: 48478465 eb9ca16ce2bd6073cf9cdf1298388ede

  Architecture independent packages:
      Size/MD5:   243550 c27985a28b56d42f853f614b1329792f
      Size/MD5:    58896 6617ca36bca4b8f4039a0201548da883
      Size/MD5:    58992 330db0a6f2247bc95308f45849f6c347
      Size/MD5:    59004 de6dddee9f8f3b426f3f92486ec688f4
      Size/MD5:    59808 b5d3575dac4397435b35577ef2231ba2

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5: 50656752 d2488df935ed957ca20001c22a8f1469
      Size/MD5:  3187514 c45d3640b7025bdef4d3c39026bdff82
      Size/MD5:    92716 1f790aab7403f845f3aaa10c11aa2992
      Size/MD5:    62694 373bb2cb44d77d351269f434746fbb54
      Size/MD5: 10492802 4655557e86f8bc9716cb756aeca743b7
      Size/MD5:   228868 29d5b7b2a4b164aac6381e6561bd6144
      Size/MD5:   174386 7a13e0a9fa9df9f66f88f70cea8ebc06
      Size/MD5:   254952 55e0c0afef21b363fe31c744af4c6d77
      Size/MD5:   888180 7f8ddc7f096215b1bcaaee5858e0cb88

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5: 49801022 e5c279cc182430cfdf2836d77ead95cb
      Size/MD5:  3178474 7859e4225dc2f28e83348d596886ff24
      Size/MD5:    86924 683cc43035d1b4b7134cd1052533022b
      Size/MD5:    62104 274e4ea11b4c5d43b3a384d15c385c14
      Size/MD5:  9299290 ee50c9f1a78b743ddeb8f71a27694ad9
      Size/MD5:   228866 3e6fd628f22993e9f3f56addc20e16fd
      Size/MD5:   163308 7628c8cb150ed486314ffc6be890cda8
      Size/MD5:   254940 6b6498be6365b35e4676feecef534869
      Size/MD5:   809598 10670c735ac61b6efe20328cc5d0f54c

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5: 52311700 0a4d76530c48760bddb2c59938afe2bd
      Size/MD5:  3190192 0ca1ef99a5f80a6ac3b1527c33325cab
      Size/MD5:    90750 746fc3ece73fdf71441b4c2269ed17d5
      Size/MD5:    62938 32be863293c321907d8ed6a346d55804
      Size/MD5: 10371522 f75e280227e1d7428e16f2209fa78a03
      Size/MD5:   228868 bf24f6487d8314fed24f82cfc665ea06
      Size/MD5:   180030 45218a08229d942aea27cc8719e80ed7
      Size/MD5:   254946 4c212146f6d85ceac1fbaad9129d3fc5
      Size/MD5:   896060 d66825d900f03fa5093b5c29301ace14

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5: 49836692 25a24ef04fbeb43dfb5f7203fb94de7d
      Size/MD5:  3177280 a52529905aeed8b38a35e825b646b159
      Size/MD5:    86616 efc4edb7c610d01da6dd4e7f13f4424a
      Size/MD5:    62162 319793e8f7bd0f29befe99b383c91275
      Size/MD5:  9575550 407b513437f0c3a16fbfa838a55c89c5
      Size/MD5:   228864 2068b5134cc8c24a769fa3984fd36547
      Size/MD5:   162098 ad7dfb30f2a7bce32c38c6522408af6e
      Size/MD5:   254964 68df04f7a07a59cf2e52f7dadf30dd90
      Size/MD5:   801430 7a664cecf34231cba2f4a307e7b4d78f

Updated packages for Ubuntu 7.10:

  Source archives:
      Size/MD5:   193456 41e5fd9a5b264d59a7a19c4652135fa2
      Size/MD5:     2297 241e87103d61cf94617968e58eae5e49
      Size/MD5: 37705770 d50c621116c9c6446ae8cc44b50e4422

  Architecture independent packages:
      Size/MD5:   200850 dd0a6864ed156408ad302ae826014651

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5: 78081002 406b5786d9a9d596bbb5a239f9521838
      Size/MD5:  3198548 6467de3e926c81469d7b8a8663e30de4
      Size/MD5:    98188 bd03eb6af24cd4742bcf7e9d3259b5e3
      Size/MD5:    67214 f940933f974226a0b368e0b186195877
      Size/MD5: 10466910 1c6763f8560faa2db02dc5541334d2eb

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5: 77223978 0fec264e30c0a1cea0bec1b574a741f1
      Size/MD5:  3186190 10869a4be34712ef088fd82bb24666a2
      Size/MD5:    91912 a45101ff4b6e34c0641a787b9e55e568
      Size/MD5:    66500 c17d657e5a5ed8646dcabc5483884336
      Size/MD5:  9206920 e9d44cb1e42ffdad0627eb4e955b444c

  lpia architecture (Low Power Intel Architecture):
      Size/MD5: 77504940 f75594b281a77f3446cde6d443336610
      Size/MD5:  3183726 8072b22b2a997f7bb9ebde38879f7a75
      Size/MD5:    91558 3a4e9336d0c1320fff0f3455f8626b94
      Size/MD5:    66442 8f479619754f754d344ce2f06cadbaa1
      Size/MD5:  9067072 a8aea6c6ebf0f054abfdd224f2aeda21

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5: 80698898 80bf457d9eff4ccdac1db166b4cb34f9
      Size/MD5:  3202070 f4141fb98b2fad1aa6cea594aaa0836e
      Size/MD5:    96238 1c58383b83012e2433e7e94d1fd692a4
      Size/MD5:    67488 3d364e7fe31efbaefe48e42e7eb149a1
      Size/MD5: 10309836 b8fc060b7717ca09f0c9b6032aaadc73

  sparc architecture (Sun SPARC/UltraSPARC):
      Size/MD5: 78054936 ed5eefdbe626ac14e0224364db000e74
      Size/MD5:  3183678 78beaf283c45887f46216cd72274f787
      Size/MD5:    91674 c873546b0c5cad2e214a3e7590dc8ac2
      Size/MD5:    66576 359f0c5d326f055c9d21f1351ae67087
      Size/MD5:  9459810 5fe3f16fd1b97e7a8d898c8408f650e2

Updated packages for Ubuntu 8.04 LTS:

  Source archives:
      Size/MD5:   105830 9ae8a004b6fa51d3114802bc8584780d
      Size/MD5:     2760 4529b30c094bf6473eec8c024ac34b3a
      Size/MD5: 11112466 2bf9e7a2418a53e260395584269ac643
      Size/MD5:    77364 8d90a935a95e33ca9f0f92f22cf5d158
      Size/MD5:     2825 e15190772abc1a4fc6306c6f7623f3f1
      Size/MD5: 40166158 e590b88ee66aacb233093257bda8a2eb

  Architecture independent packages:
      Size/MD5:    65888 a8bc7c861990c009d28e02fb7efd5394
      Size/MD5:    65902 f8f6e739ff2ceb4203577a5c7256ea78
      Size/MD5:    65864 5a7a5b64525e0ccba057bf7cc9a1148a
      Size/MD5:    65848 d664468be273af4b7b067538e856230d
      Size/MD5:    66010 ec29e19ae579331ab17997626c619770
      Size/MD5:    65908 cd5935c267b2edda2af3eb23b505a4a8
      Size/MD5:    65864 a829a787c9d3dbe6b1d7b8c5076ccf31
      Size/MD5:     8972 4b005f351d7db19a6f07d4ce8bd2f83f
      Size/MD5:     8964 2fc7204ae1a55f83992ec65fca358cc5
      Size/MD5:    65880 aff38851229b6564a123cdd40e1d74d4
      Size/MD5:    65852 3248dc488e7526ee1cc88b19f416dca0
      Size/MD5:    65840 efb60d9b3349d86ae6b57d891af76a93
      Size/MD5:     8950 d0fc909c4ee2bb338b99b21b5e4ba53c
      Size/MD5:    65866 ce319c0dea59d4760238c63dbbbe18c8
      Size/MD5:     8948 ad5e7034b42387ed15c959ca748bcd51
      Size/MD5:    65834 d3d524575bc0c44fc476ec7c68c9b6be
      Size/MD5:   125096 d4bd8c925794510c99b8cedc33af9eee
      Size/MD5:   235232 5651fb9bc0673df5c36690f7e8b7de9e

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
      Size/MD5:     9032 59650e2cf25d56905b9b4cedc32a9c75
      Size/MD5:    29602 6195cca830293f4f1a18385e2359745f
      Size/MD5:  1087296 f3b64a363301666c801d507ee6bef72a
      Size/MD5:  4035436 66b97ec71c0b6c83b4b37ed11b5bbf7c
      Size/MD5:    48658 74965d6808431e8bbbd9cbf1c6855cac
      Size/MD5:  9031564 989c0069101b9df7176a4f10976f5f02

  i386 architecture (x86 compatible Intel/AMD):
      Size/MD5:     9034 bc80011d2f5681a685e310e0c444fbce
      Size/MD5:    25732 aa9b0318a5b14c27f8a9cb907b82f688
      Size/MD5:  1064980 f23fde08f7c01637f60471123dd10449
      Size/MD5:  4016990 94003a2b828f91e46ba5c6308ef271fd
      Size/MD5:    38514 4ca9181ccd85900bf20b56548e67be43
      Size/MD5:  7763702 c8fe4cf05fcd5f550318333577b4273c

  lpia architecture (Low Power Intel Architecture):
      Size/MD5:     9034 29d06ea689d257a6082ab4e16dd7f590
      Size/MD5:    25348 5aa83572c22d30b7758ee424fa001003
      Size/MD5:  1063092 75dddb0dfdc299afc32636de65219025
      Size/MD5:  4012464 efcb2a9ea8c9d3a5781f53884357756e
      Size/MD5:    37608 e42348339291ad26d70e4124ee90bd4a
      Size/MD5:  7650762 b73f0cab903c38b84f42b546a201432c

  powerpc architecture (Apple Macintosh G3/G4/G5):
      Size/MD5:     9034 195551cfc109865c6ca73c28aa775d76
      Size/MD5:    27502 be0223e544c4f81f8426c312a4381790
      Size/MD5:  1079124 b4cec8b1b8d19d20d6a88f02ec4cd38a
      Size/MD5:  4023470 8086afab2b04b9bc5f61c2920d3a931b
      Size/MD5:    43678 c4c5d38c50f1c477eb5cb752693ab827
      Size/MD5:  8609778 bfd2eb3346f2be06232ea368d1661d16

< Prev   Next >


Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.