USN-626-1: Firefox and xulrunner vulnerabilities

Submitted by chantra on Tue, 07/29/2008 - 00:29

Referenced CVEs: CVE-2008-2785, CVE-2008-2933, CVE-2008-2934Description: 
===========================================================
Ubuntu Security Notice USN-626-1 July 29, 2008
firefox-3.0, xulrunner-1.9 vulnerabilities
CVE-2008-2785, CVE-2008-2933, CVE-2008-2934
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.04 LTS:
firefox-3.0 3.0.1+build1+nobinonly-0ubuntu0.8.04.3
xulrunner-1.9 1.9.0.1+build1+nobinonly-0ubuntu0.8.04.3

After a standard system upgrade you need to restart Firefox and any
applications that use xulrunner, such as Epiphany, to effect the
necessary changes.

Details follow:

A flaw was discovered in the browser engine. A variable could be made to
overflow causing the browser to crash. If a user were tricked into opening
a malicious web page, an attacker could cause a denial of service or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2008-2785)

Billy Rios discovered that Firefox and xulrunner, as used by browsers
such as Epiphany, did not properly perform URI splitting with pipe
symbols when passed a command-line URI. If Firefox or xulrunner were
passed a malicious URL, an attacker may be able to execute local
content with chrome privileges. (CVE-2008-2933)

Bookmark/Search this post with:
  • Delicious
  • Digg
  • StumbleUpon
  • Propeller
  • Reddit
  • Magnoliacom
  • Newsvine
  • Furl
  • Facebook
  • Google
  • Yahoo
  • Technorati
  • Icerocket