[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14

The Mozilla- team is aware of these issues and will release the updated packages as soon as we can. Thank you for your bug report.

Fix for Firefox has been released.

Assigned to the team and marked as incomplete until its released in archives.

Here is a debdiff for xulrunner

..and the corresponding tarball (because of the +nobinonly clean-up)

It could me recreated using mozilla-devscripts:

make -f /usr/share/mozilla-devscripts/xulrunner-1.8.mk get-orig-source DEBIAN_TAG=FIREFOX_2_0_0_14_RELEASE=1.8.1.14

thunderbird (2.0.0.14+nobinonly-0ubuntu2) intrepid; urgency=low

  * fix "ftbfs with gcc 4.3 because of include of not shipped iostream.h"
    - add debian/patches/bz419350_attachment_306066.patch
    - update debian/patches/series

thunderbird (2.0.0.14+nobinonly-0ubuntu1) intrepid; urgency=low

  * 2.0.0.14 security/stability update (USN-605-1)
  * don't force gcc/g++ 4.2 as compiler anymore (4.3 is now in intrepid)
    and drop the versioned build-depends accordingly.
    - update debian/rules
    - update debian/control
  * drop patches applied upstream:
    - delete debian/patches/bz399589_fix_missing_symbol_with_new_nss.patch
    - update debian/patches/series

 -- Alexander Sack < <email address hidden>> Fri, 02 May 2008 15:19:13 +0200

and the corresponding diff.gz

we won't upgrade xulrunner for feisty.

err, i ment in gutsy.

firefox (1.5.dfsg+1.5.0.15~prepatch080417a-0ubuntu1) dapper-security; urgency=low

  * release backports for security issues disclosed in 2.0.0.14
    - see USN-602-1
  * patches on top of 1.8.0 branch cvs checkout (17 apr 08) are in
    patches/series

 -- Alexander Sack < <email address hidden>> Thu, 17 Apr 2008 12:18:04 +0200

firefox (2.0.0.14+1nobinonly-0ubuntu0.7.4) feisty-security; urgency=low

  [ Alexander Sack ]
  * New security/stability upstream release (v2.0.0.14)
    - see USN-602-1

 -- Alexander Sack < <email address hidden>> Fri, 18 Apr 2008 12:57:37 +0200

firefox (2.0.0.14+2nobinonly-0ubuntu0.7.10) gutsy-security; urgency=low

  * New security/stability upstream release (v2.0.0.14)
    - see USN-602-1

 -- Alexander Sack < <email address hidden>> Fri, 18 Apr 2008 13:02:41 +0200

firefox (2.0.0.14+2nobinonly-0ubuntu1) hardy; urgency=low

  * New security/stability upstream release (v2.0.0.14)
    - see USN-602-1
  * fix "shipped nss links don't point to latest so version"
    - update firefox-2.links

 -- Alexander Sack < <email address hidden>> Fri, 18 Apr 2008 15:05:20 +0200

This bug was fixed in the package xulrunner - 1.8.1.14+nobinonly-1ubuntu1

---------------
xulrunner (1.8.1.14+nobinonly-1ubuntu1) intrepid; urgency=low

  * New security upstream release: 1.8.1.14 (LP: #218534)
    Fixes USN-602-1 / mfsa-2008-20 / CVE-2008-1380
  * Merge from debian unstable (1.8.1.14-1). Remaining ubuntu changes:
    - debian/patches/88_force-no-pragma-visibility-for-gcc-4.2_4.3.dpatch
    - xulrunner alternative in /usr/bin
  * Update configure for the visibility patch:
    - update debian/patches/99_configure.dpatch

 -- Fabien Tassin <email address hidden> Fri, 2 May 2008 17:03:00 +0200

Thunderbird USN: http://www.ubuntu.com/usn/usn-605-1

This bug was fixed in the package seamonkey - 1.1.11+nobinonly-0ubuntu1

---------------
seamonkey (1.1.11+nobinonly-0ubuntu1) intrepid; urgency=low

  * New security upstream release: 1.1.11 (LP: #218534)
    Fixes USN-602-1, USN-619-1, USN-623-1 and USN-629-1
  * Refresh diverged patch:
    - update debian/patches/80_security_build.patch
  * Fix FTBFS with missing -lfontconfig
    - add debian/patches/11_fix_ftbfs_with_fontconfig.patch
    - update debian/patches/series
  * Build with default gcc (hardy: 4.2, intrepid: 4.3)
    - update debian/rules
    - update debian/control

 -- Fabien Tassin <email address hidden> Tue, 29 Jul 2008 21:29:02 +0200

So... no love for seamonkey in hardy? latest package is still 1.1.9, a few months old by now...

This bug was fixed in the package seamonkey - 1.1.12+nobinonly-0ubuntu0.8.04.1

---------------
seamonkey (1.1.12+nobinonly-0ubuntu0.8.04.1) hardy-security; urgency=low

  * New security upstream release: 1.1.12 (LP: #276437)
    - CVE-2008-4070: Heap overflow when canceling newsgroup message
    - CVE-2008-4069: XBM image uninitialized memory reading
    - CVE-2008-4067..4068: resource: traversal vulnerabilities
    - CVE-2008-4065..4066: BOM characters stripped from JavaScript before execution
    - CVE-2008-4061..4064: Crashes with evidence of memory corruption
    - CVE-2008-4058..4060: Privilege escalation via XPCnativeWrapper pollution
    - CVE-2008-3837: Forced mouse drag
    - CVE-2008-3835: nsXMLDocument::OnChannelRedirect() same-origin violation
    - CVE-2008-0016: UTF-8 URL stack buffer overflow
  * Also includes security fixes from 1.1.11 and 1.1.10 (LP: #218534)
    - CVE-2008-2785: Remote code execution by overflowing CSS reference counter
    - CVE-2008-2811: Crash and remote code execution in block reflow
    - CVE-2008-2810: Remote site run as local file via Windows URL shortcut
    - CVE-2008-2809: Peer-trusted certs can use alt names to spoof
    - CVE-2008-2808: File location URL in directory listings not escaped properly
    - CVE-2008-2807: Faulty .properties file results in uninitialized memory being used
    - CVE-2008-2806: Arbitrary socket connections with Java LiveConnect on Mac OS X
    - CVE-2008-2805: Arbitrary file upload via originalTarget and DOM Range
    - MFSA 2008-26 (follow-up of CVE-2008-0304): Buffer length checks in MIME processing
    - CVE-2008-2803: Arbitrary code execution in mozIJSSubScriptLoader.loadSubScript()
    - CVE-2008-2802: Chrome script loading from fastload file
    - CVE-2008-2801: Signed JAR tampering
    - CVE-2008-2800: XSS through JavaScript same-origin violation
    - CVE-2008-2798..2799: Crashes with evidence of memory corruption
    - CVE-2008-1380: Crash in JavaScript garbage collector
  * Refresh diverged patch:
    - update debian/patches/80_security_build.patch
  * Fix FTBFS with missing -lfontconfig
    - add debian/patches/11_fix_ftbfs_with_fontconfig.patch
    - update debian/patches/series

 -- Fabien Tassin <email address hidden> Tue, 30 Sep 2008 22:44:30 +0200

what is up with the hardy xulrunner task, is that meant to be left open?

On Tue, Feb 03, 2009 at 05:32:02AM -0000, Rolf Leggewie wrote:
> what is up with the hardy xulrunner task, is that meant to be left open?
>

hardy xulrunner packages havent been updated yet. so yes.

 - Alexander

hardy got updated during the 3.0.8 release