[SECURITY] [DSA 838-1] New mozilla-firefox packages fox multiple vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [SECURITY] [DSA 838-1] New mozilla-firefox packages fox multiple vulnerabilities
From: Michael Stone <mstone@xxxxxxxxxxxxxxxxxx>
Date: Mon, 03 Oct 2005 02:48:53 +0200
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mail-followup-to: bugtraq@xxxxxxxxxxxxxxxxx
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Old-return-path: <mstone@xxxxxxxxxxxxxxxxxx>
Priority: urgent
Reply-to: listadmin@xxxxxxxxxxxxxxxxx
Resent-cc: recipient list not shown: ;
Resent-date: Sun, 2 Oct 2005 19:48:54 -0500 (CDT)
Resent-from: list@xxxxxxxxxxxxxxxxx (Mailing List Manager)
Resent-message-id: <thl7FC.A.ICH.2_HQDB@murphy>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 838-1                     security@xxxxxxxxxx
http://www.debian.org/security/                              Michael Stone
October 2nd, 2005                       http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla-firefox
Vulnerability  : multiple
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CAN-2005-2701 CAN-2005-2702 CAN-2005-2703 CAN-2005-2704 
                 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707

Multiple security vulnerabilities have been identified in the
mozilla-firefox web browser.  These vulnerabilities could allow an
attacker to execute code on the victim's machine via specially crafted
network resources.

CAN-2005-2701

        Heap overrun in XBM image processing

CAN-2005-2702

        Denial of service (crash) and possible execution of arbitrary
        code via Unicode sequences with "zero-width non-joiner"
        characters.

CAN-2005-2703

        XMLHttpRequest header spoofing

CAN-2005-2704

        Object spoofing using XBL <implements>

CAN-2005-2705

        JavaScript integer overflow

CAN-2005-2706

        Privilege escalation using about: scheme

CAN-2005-2707

        Chrome window spoofing allowing windows to be created without
        UI components such as a URL bar or status bar that could be
        used to carry out phishing attacks

For the stable distribution (sarge), these problems have been fixed in
version 1.0.4-2sarge5

For the unstable distribution (sid), these problems have been fixed in
version 1.0.7-1

We recommend that you upgrade your mozilla-firefox package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5.dsc
      Size/MD5 checksum:     1001 bf9cf2b7106335cccc2afb10f6386c57
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5.diff.gz
      Size/MD5 checksum:   332598 d3f81e09a762be3c51aa20655ada5d32
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4.orig.tar.gz
      Size/MD5 checksum: 40212297 8e4ba81ad02c7986446d4e54e978409d

  Alpha architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_alpha.deb
      Size/MD5 checksum: 11167102 e970a996296228bd2af2cb8006a86398
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_alpha.deb
      Size/MD5 checksum:   167592 d446479007005f2d27d079ccedf51d7d
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_alpha.deb
      Size/MD5 checksum:    59416 7bf500b4f181df6ab4aa6dc831a23338

  AMD64 architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_amd64.deb
      Size/MD5 checksum:  9399402 d94263433669cae93749d3f0d378839c
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_amd64.deb
      Size/MD5 checksum:   162334 4ffdc291bacf5b604deeaf8d6efd96eb
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_amd64.deb
      Size/MD5 checksum:    57946 7d7472b0fb90ed789c4f84dbcdd14687

  ARM architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_arm.deb
      Size/MD5 checksum:  8217720 3e0ce81e8d78fbca6d38d6a7e90791f3
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_arm.deb
      Size/MD5 checksum:   153792 662f8f96e75cc109541bf141e79a2714
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_arm.deb
      Size/MD5 checksum:    53280 b3517ce11632b3adbf5970d8f4c35b8c

  Intel IA-32 architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_i386.deb
      Size/MD5 checksum:  8891730 795a6aa3ca33a5e328e863612ceb0ac3
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_i386.deb
      Size/MD5 checksum:   157566 5e5d92e6c30a1d677edcc2fd9beb1861
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_i386.deb
      Size/MD5 checksum:    54820 885991c2f4580f06f12ba1cc6ff456ac

  Intel IA-64 architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_ia64.deb
      Size/MD5 checksum: 11618922 f02ebe51045adc2008ebba0a7355f58c
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_ia64.deb
      Size/MD5 checksum:   167924 863962943669b737773e716bb45560b7
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_ia64.deb
      Size/MD5 checksum:    62602 01f5675efee57e112e1734306580e43b

  HP Precision architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_hppa.deb
      Size/MD5 checksum: 10267086 7fb5e359ae146c7306def5b0a7ba48b4
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_hppa.deb
      Size/MD5 checksum:   165300 cf86dfe338ca9bfde77a402690db15ae
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_hppa.deb
      Size/MD5 checksum:    58402 f98081adb227cf6a12dc267bbf9c7689

  Motorola 680x0 architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_m68k.deb
      Size/MD5 checksum:  8167708 d5d4eadda39add959235921126b5db4b
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_m68k.deb
      Size/MD5 checksum:   156434 01a518572787d1e5505eb393c4670cd9
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_m68k.deb
      Size/MD5 checksum:    54070 b50c79ee5b2b3fd61ccb3848ad201f29

  Big endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_mips.deb
      Size/MD5 checksum:  9922382 384196380da339cc6c381afd18c8d0e8
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_mips.deb
      Size/MD5 checksum:   155362 38e914d95e0b2d38b2d34f09988218c9
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_mips.deb
      Size/MD5 checksum:    55078 343647c905cf9792d53eb67b4e11df02

  Little endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_mipsel.deb
      Size/MD5 checksum:  9804868 cfe93fb808ecfc8e9a2bf359af772069
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_mipsel.deb
      Size/MD5 checksum:   154892 9321e20f831ad309fc214c8130223103
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_mipsel.deb
      Size/MD5 checksum:    54904 74a6c0efaa41729a646d5f5762ab637d

  PowerPC architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_powerpc.deb
      Size/MD5 checksum:  8563444 7c373a381a8ba34307e59f2cd47fcc43
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_powerpc.deb
      Size/MD5 checksum:   155948 a764030b0841e225c5a89e6366bb88e5
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_powerpc.deb
      Size/MD5 checksum:    57186 39cb6349c6ef1bc0e9e62365e7beeebf

  Sun Sparc architecture:

    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox_1.0.4-2sarge5_sparc.deb
      Size/MD5 checksum:  8652776 fa0fdecf5fb5ed186ade4d987b8920cb
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-dom-inspector_1.0.4-2sarge5_sparc.deb
      Size/MD5 checksum:   156204 84483f5fa63c2da5f6e8de90f462edbe
    
http://security.debian.org/pool/updates/main/m/mozilla-firefox/mozilla-firefox-gnome-support_1.0.4-2sarge5_sparc.deb
      Size/MD5 checksum:    53640 d43b2dbd4fd362e7fd01b4985c0ff3d0


  These files will probably be moved into the stable distribution on
  its next update.

- 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iQCVAwUBQ0B/SQ0hVr09l8FJAQKuhQQAtjPqNBTYguuEoO2AKri4WfJ+1qUm9mSt
2qJL4GRoq6CmZdORGJayc2SUOCFXJYxCS4G+glApKa/xs2RA8zXAIxgvsYK45DdM
Uo9ncHrpWBSmFHutETL93kNC/f3YYXAa0j40xM+LmihGmpRH4lmKRCEgPrLqX+YK
RHssSAE1dXc=
=keWv
-----END PGP SIGNATURE-----

Prev by Date: [SECURITY] [DSA 837-1] New Mozilla Firefox packages fix denial of service
Next by Date: RE: Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides
Previous by thread: [SECURITY] [DSA 837-1] New Mozilla Firefox packages fix denial of service
Next by thread: RE: Careless Law Enforcement Computer Forensics Lacking InfoSec Expertise Causes Suicides
Index(es):
- Date
- Thread