<<< Date Index >>>     <<< Thread Index >>>

[USN-296-1] firefox vulnerabilities



=========================================================== 
Ubuntu Security Notice USN-296-1              June 09, 2006
firefox vulnerabilities
CVE-2006-2775, CVE-2006-2776, CVE-2006-2777, CVE-2006-2778,
CVE-2006-2779, CVE-2006-2780, CVE-2006-2782, CVE-2006-2783,
CVE-2006-2784, CVE-2006-2785, CVE-2006-2786, CVE-2006-2787,
CVE-2006-2788
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  firefox                        1.5.dfsg+1.5.0.4-0ubuntu6.06

After a standard system upgrade you need to restart Firefox to effect
the necessary changes.

Please note that Firefox 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 are also
affected by these problems. Updates for these Ubuntu releases will be
delayed due to upstream dropping support for this Firefox version. We
strongly advise that you disable JavaScript to disable the attack
vectors for most vulnerabilities if you use one of these Ubuntu
versions.

Details follow:

Jonas Sicking discovered that under some circumstances persisted XUL
attributes are associated with the wrong URL. A malicious web site
could exploit this to execute arbitrary code with the privileges of
the user. (MFSA 2006-35, CVE-2006-2775)

Paul Nickerson discovered that content-defined setters on an object
prototype were getting called by privileged UI code. It was
demonstrated that this could be exploited to run arbitrary web script
with full user privileges (MFSA 2006-37, CVE-2006-2776). A similar
attack was discovered by moz_bug_r_a4 that leveraged SelectionObject
notifications that were called in privileged context. (MFSA 2006-43,
CVE-2006-2777)

Mikolaj Habryn discovered a buffer overflow in the crypto.signText()
function. By tricking a user to visit a site with an SSL certificate
with specially crafted optional Certificate Authority name
arguments, this could potentially be exploited to execute arbitrary
code with the user's privileges. (MFSA 2006-38, CVE-2006-2778)

The Mozilla developer team discovered several bugs that lead to
crashes with memory corruption. These might be exploitable by
malicious web sites to execute arbitrary code with the privileges of
the user. (MFSA 2006-32, CVE-2006-2779, CVE-2006-2780, CVE-2006-2788)

Chuck McAuley reported that the fix for CVE-2006-1729 (file stealing
by changing input type) was not sufficient to prevent all variants of
exploitation. (MFSA 2006-41, CVE-2006-2782)

Masatoshi Kimura found a way to bypass web input sanitizers which
filter out JavaScript. By inserting 'Unicode Byte-order-Mark (BOM)'
characters into the HTML code (e. g. '<scr[BOM]ipt>'), these filters
might not recognize the tags anymore; however, Firefox would still
execute them since BOM markers are filtered out before processing the
page. (MFSA 2006-42, CVE-2006-2783)

Paul Nickerson noticed that the fix for CVE-2005-0752 (JavaScript
privilege escalation on the plugins page) was not sufficient to
prevent all variants of exploitation. (MFSA 2006-36, CVE-2006-2784)

Paul Nickerson demonstrated that if an attacker could convince a user
to right-click on a broken image and choose "View Image" from the
context menu then he could get JavaScript to run on a site of the
attacker's choosing. This could be used to steal login cookies or
other confidential information from the target site. (MFSA 2006-34,
CVE-2006-2785)

Kazuho Oku discovered various ways to perform HTTP response smuggling
when used with certain proxy servers. Due to different interpretation
of nonstandard HTTP headers in Firefox and the proxy server, a
malicious web site can exploit this to send back two responses to one
request. The second response could be used to steal login cookies or
other sensitive data from another opened web site. (MFSA 2006-33,
CVE-2006-2786)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.4-0ubuntu6.06.diff.gz
      Size/MD5:   167298 f47b780d96935c7ec982abf3d1cb23fa
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.4-0ubuntu6.06.dsc
      Size/MD5:     1109 af86fe956f6cbe2d03bdac43920e8f67
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.4.orig.tar.gz
      Size/MD5: 42942490 2ac9d43529710e49b06ad6c358716ea4

  Architecture independent packages:

    
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/mozilla-firefox-dev_1.5.dfsg+1.5.0.4-0ubuntu6.06_all.deb
      Size/MD5:    48814 29b5ce2c38dae8510506cbe2d10f9cd3
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/mozilla-firefox_1.5.dfsg+1.5.0.4-0ubuntu6.06_all.deb
      Size/MD5:    49706 26c239c98e4ecd26f1b25cb3a9111b02

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.4-0ubuntu6.06_amd64.deb
      Size/MD5: 47215364 a69b194be686538156d4c0513dfb527b
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.4-0ubuntu6.06_amd64.deb
      Size/MD5:  2795932 265477059f8e1e6ecc9fdf22ececa362
    
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.4-0ubuntu6.06_amd64.deb
      Size/MD5:   215752 9927725795f7f49ecde3903c408912b3
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.4-0ubuntu6.06_amd64.deb
      Size/MD5:    82014 e6b1d0bdc7f8ec61f4047d6a07664835
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.4-0ubuntu6.06_amd64.deb
      Size/MD5:  9395266 b1dbbc159e3407381323e4ddfd82188f
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_amd64.deb
      Size/MD5:   218436 389a755efbd959c55c6311d8d6decb0e
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_amd64.deb
      Size/MD5:   161480 7a567a40560ea00f03ab279dfe591e05
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_amd64.deb
      Size/MD5:   235386 66c1434f1c0c86c13948c8519000234e
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_amd64.deb
      Size/MD5:   757072 16b86b81d8815aa7dd0fe8da0680cc71

  i386 architecture (x86 compatible Intel/AMD)

    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.4-0ubuntu6.06_i386.deb
      Size/MD5: 43799038 231446d3a93c66a92a5686d2011180fa
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.4-0ubuntu6.06_i386.deb
      Size/MD5:  2795898 58ce3a92e6bc32a1f277568a1aefb157
    
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.4-0ubuntu6.06_i386.deb
      Size/MD5:   209168 3d78487a1ec843de5c968daac5774a2c
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.4-0ubuntu6.06_i386.deb
      Size/MD5:    74348 a9da42db19117d43ae6eb40aa1bb5270
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.4-0ubuntu6.06_i386.deb
      Size/MD5:  7910938 226b0db56dfec4f84eb51fe23c35b8d3
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_i386.deb
      Size/MD5:   218436 c4ea086ae992aefacc940c9944897009
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_i386.deb
      Size/MD5:   146190 1a47ce6da183f2b4299525f38dc6b397
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_i386.deb
      Size/MD5:   235380 63465b4ffdd74bc86d7327b0a1fe2d7a
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_i386.deb
      Size/MD5:   669186 07308fb95fd53becb506ef179fa91666

  powerpc architecture (Apple Macintosh G3/G4/G5)

    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dbg_1.5.dfsg+1.5.0.4-0ubuntu6.06_powerpc.deb
      Size/MD5: 48597138 374792224c05b7baf406ff88409b3b51
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-dev_1.5.dfsg+1.5.0.4-0ubuntu6.06_powerpc.deb
      Size/MD5:  2795908 1c1a036cc9bbeeaee4b9c629e2f27106
    
http://security.ubuntu.com/ubuntu/pool/universe/f/firefox/firefox-dom-inspector_1.5.dfsg+1.5.0.4-0ubuntu6.06_powerpc.deb
      Size/MD5:   212602 5223d8d37deca276a6a61fa1f39dfebf
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox-gnome-support_1.5.dfsg+1.5.0.4-0ubuntu6.06_powerpc.deb
      Size/MD5:    77522 b8d6a6d80f297397ad9e95dd2a19b0c1
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_1.5.dfsg+1.5.0.4-0ubuntu6.06_powerpc.deb
      Size/MD5:  9011932 702eb283fa9cfb68cd682166ec42f1fc
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr-dev_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_powerpc.deb
      Size/MD5:   218436 08b7248b0dee668dcd2296538ed10ba7
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnspr4_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_powerpc.deb
      Size/MD5:   158722 2761f24a70c304680a47a100abf07029
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss-dev_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_powerpc.deb
      Size/MD5:   235396 983d844a1b9f56543c59b618f051cc7f
    
http://security.ubuntu.com/ubuntu/pool/main/f/firefox/libnss3_1.firefox1.5.dfsg+1.5.0.4-0ubuntu6.06_powerpc.deb
      Size/MD5:   767948 495c253eca9a842c913ff0299c57c632

Attachment: signature.asc
Description: Digital signature