USN-271-1: Firefox vulnerabilities
Posted on: 04/19/2006 05:12 PM

A new update fixing Firefox vulnerabilities is available for Ubuntu Linux. Here is the announcement:

Ubuntu Security Notice USN-271-1 April 19, 2006
mozilla-firefox, firefox vulnerabilities
CVE-2005-4134, CVE-2006-0292, CVE-2006-0296, CVE-2006-0749,
CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730,
CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734,
CVE-2006-1735, CVE-2006-1736, CVE-2006-1737, CVE-2006-1738,
CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742,

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:


The problem can be corrected by upgrading the affected package to
version 1.0.8-0ubuntu4.10 (for Ubuntu 4.10), 1.0.8-0ubuntu5.04 (for
Ubuntu 5.04), or 1.0.8-0ubuntu5.10 (for Ubuntu 5.10). After a
standard system upgrade you need to restart Firefox to effect the
necessary changes.

Details follow:

Web pages with extremely long titles caused subsequent launches of
Firefox browser to hang for up to a few minutes, or caused Firefox to
crash on computers with insufficient memory. (CVE-2005-4134)

Igor Bukanov discovered that the JavaScript engine did not properly
declare some temporary variables. Under some rare circumstances, a
malicious website could exploit this to execute arbitrary code with
the privileges of the user. (CVE-2006-0292, CVE-2006-1742)

The function XULDocument.persist() did not sufficiently validate the
names of attributes. An attacker could exploit this to inject
arbitrary XML code into the file 'localstore.rdf', which is read and
evaluated at startup. This could include JavaScript commands that
would be run with the user's privileges. (CVE-2006-0296)

Due to a flaw in the HTML tag parser a specific sequence of HTML tags
caused memory corruption. A malicious web site could exploit this to
crash the browser or even execute arbitrary code with the user's
privileges. (CVE-2006-0749)

Georgi Guninski discovered that embedded XBL scripts of web sites
could escalate their (normally reduced) privileges to get full
privileges of the user if that page is viewed with "Print Preview".

The crypto.generateCRMFRequest() function had a flaw which could be
exploited to run arbitrary code with the user's privileges.

Claus Jørgensen and Jesse Ruderman discovered that a text input box
could be pre-filled with a filename and then turned into a file-upload
control with the contents intact. A malicious web site could exploit
this to read any local file the user has read privileges for.

An integer overflow was detected in the handling of the CSS property
"letter-spacing". A malicious web site could exploit this to run
arbitrary code with the user's privileges. (CVE-2006-1730)

The methods and .valueOf.apply() returned an object
whose privileges were not properly confined to those of the caller,
which made them vulnerable to cross-site scripting attacks. A
malicious web site could exploit this to modify the contents or steal
confidential data (such as passwords) from other opened web pages.
(CVE-2006-1731) The window.controllers array variable (CVE-2006-1732)
and event handlers (CVE-2006-1741) were vulnerable to a similar attack.

The privileged built-in XBL bindings were not fully protected from web
content and could be accessed by calling and
valueOf.apply() on a method of that binding. A malicious web site
could exploit this to run arbitrary JavaScript code with the user's
privileges. (CVE-2006-1733)

It was possible to use the method to access an internal
function object (the "clone parent"). A malicious web site could
exploit this to execute arbitrary JavaScript code with the user's
privileges. (CVE-2006-1734)

By calling the XBL.method.eval() method in a special way it was
possible to create JavaScript functions that would get compiled with
the wrong privileges. A malicious web site could exploit this to
execute arbitrary JavaScript code with the user's privileges.

Michael Krax discovered that by layering a transparent image link to
an executable on top of a visible (and presumably desirable) image a
malicious site could fool the user into right-clicking and choosing "Save
image as..." from the context menu, which would download the
executable instead of the image. (CVE-2006-1736)

Several crashes have been fixed which could be triggered by web sites
and involve memory corruption. These could potentially be exploited to
execute arbitrary code with the user's privileges. (CVE-2006-1737,
CVE-2006-1738, CVE-2006-1739, CVE-2006-1790)

If the user has turned on the "Entering secure site" modal warning
dialog, it was possible to spoof the browser's secure-site indicators
(the lock icon and the gold URL field background) by first loading the
target secure site in a pop-up window, then changing its location to a
different site, which retained the displayed secure-browsing
indicators from the original site. (CVE-2006-1740)

Updated packages for Ubuntu 4.10:

Updated packages for Ubuntu 5.04:

Updated packages for Ubuntu 5.10:


Printed from Linux Compatible (