Bug#582590: iceweasel: firefox vulnerability causes a local DoS
Pedro R
pedrib at gmail.com
Sat May 22 01:44:42 UTC 2010
Package: iceweasel
Version: 3.5.9-3
Severity: grave
Tags: security
Justification: causes non-serious data loss
Hi,
a new vulnerability has been discovered in several browsers, including Firefox/Iceweasel.
You can get more information here:
http://www.securityfocus.com/archive/1/511327/100/0/threaded
http://translate.google.com/translate?hl=en&u=http://websecurity.com.ua/4206/&sl=uk&tl=en
The last link has a PoC, which I tested, and it crashed my machine (yes, I should have used
a virtual machine :( ).
Beware.
Regards,
Pedro
-- Package-specific info:
-- Extensions information
Name: Default
Location: /usr/lib/iceweasel/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: DownThemAll!
Location: ${PROFILE_EXTENSIONS}/{DDC359D1-844A-42a7-9AA1-88A850A938A8}
Status: enabled
Name: DownloadHelper
Location: ${PROFILE_EXTENSIONS}/{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
Status: enabled
Name: FOXSCAPE
Location: ${PROFILE_EXTENSIONS}/{da7f40f0-8675-11db-b606-0800200c9a66}
Status: enabled
Name: Flashblock
Location: ${PROFILE_EXTENSIONS}/{3d7eb24f-2740-49df-8937-200b1cc08f8a}
Status: enabled
Name: LittleFox
Location: ${PROFILE_EXTENSIONS}/{29852C08-1E91-4889-A6BF-C77F91D6A8F3}
Status: enabled
Name: NoScript
Location: ${PROFILE_EXTENSIONS}/{73a6fe31-595d-460b-a920-fcc0f8843232}
Status: user-disabled
Name: ProxySel
Location: ${PROFILE_EXTENSIONS}/{71e95839-6f7e-470d-be54-77012fec6345}
Status: app-disabled
Name: Tamper Data
Location: ${PROFILE_EXTENSIONS}/{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
Status: app-disabled
Name: Torbutton
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
Package: xul-ext-torbutton
Status: enabled
Name: VertTabbar
Location: ${PROFILE_EXTENSIONS}/verttabbar@frnchfrgg.org
Status: user-disabled
-- Plugins information
Name: DivX Browser Plug-In
Location: /home/botto/.mozilla/plugins/mplayerplug-in-dvx.so
Status: enabled
Name: IcedTea NPR Web Browser Plugin (using IcedTea6 1.8 (6b18-1.8-1))
Location: /usr/lib/jvm/java-6-openjdk/jre/lib/amd64/IcedTeaPlugin.so
Package: icedtea6-plugin
Status: enabled
Name: QuickTime Plug-in 7.4.5
Location: /home/botto/.mozilla/plugins/mplayerplug-in-qt.so
Status: enabled
Name: RealPlayer 9
Location: /home/botto/.mozilla/plugins/mplayerplug-in-rm.so
Status: enabled
Name: Shockwave Flash
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled
Name: Windows Media Player Plug-in
Location: /home/botto/.mozilla/plugins/mplayerplug-in-wmp.so
Status: enabled
Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled
Name: mplayerplug-in 2008/12/26
Location: /home/botto/.mozilla/plugins/mplayerplug-in.so
Status: enabled
-- Addons package information
ii icedtea6-plugi 6b18-1.8-1 web browser plugin based on OpenJDK and Iced
ii iceweasel 3.5.9-3 Web browser based on Firefox
ii rhythmbox-plug 0.12.8-1+b1 plugins for rhythmbox music player
ii xul-ext-torbut 1.2.5-1 Iceweasel/Firefox extension enabling 1-click
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (700, 'testing'), (650, 'unstable'), (600, 'experimental'), (500, 'testing-proposed-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.34-toi-a4dj (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages iceweasel depends on:
ii debianutils 3.2.3 Miscellaneous utilities specific t
ii fontconfig 2.8.0-2.1 generic font configuration library
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
ii libglib2.0-0 2.24.1-1 The GLib library of C routines
ii libgtk2.0-0 2.20.1-1 The GTK+ graphical user interface
ii libnspr4-0d 4.8.4-1 NetScape Portable Runtime Library
ii libstdc++6 4.4.4-1 The GNU Standard C++ Library v3
ii procps 1:3.2.8-9 /proc file system utilities
ii xulrunner-1.9.1 1.9.1.9-7 XUL + XPCOM application runner
iceweasel recommends no packages.
Versions of packages iceweasel suggests:
ii latex-xft-fonts 1.6.5-1 TrueType versions of some TeX font
ii libgssapi-krb5-2 1.8.1+dfsg-2 MIT Kerberos runtime libraries - k
pn mozplugger <none> (no description available)
ii ttf-lyx 1.6.5-1 TrueType versions of some TeX font
pn ttf-mathematica4.1 <none> (no description available)
ii xfonts-mathml 4 Type1 Symbol font for MathML
pn xprint <none> (no description available)
Versions of packages xulrunner-1.9.1 depends on:
ii libasound2 1.0.22-2 shared library for ALSA applicatio
ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit
ii libbz2-1.0 1.0.5-4 high-quality block-sorting file co
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
ii libcairo2 1.8.10-4 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.2.24-1 simple interprocess messaging syst
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.3.11-1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.4.4-1 GCC support library
ii libglib2.0-0 2.24.1-1 The GLib library of C routines
ii libgtk2.0-0 2.20.1-1 The GTK+ graphical user interface
ii libhunspell-1.2-0 1.2.8-6 spell checker and morphological an
ii libjpeg62 6b-16.1 The Independent JPEG Group's JPEG
ii libmozjs2d 1.9.1.9-7 The Mozilla SpiderMonkey JavaScrip
ii libnspr4-0d 4.8.4-1 NetScape Portable Runtime Library
ii libnss3-1d 3.12.6-2 Network Security Service libraries
ii libpango1.0-0 1.28.0-1 Layout and rendering of internatio
ii libpng12-0 1.2.43-1 PNG library - runtime
ii libreadline6 6.1-1 GNU readline and history libraries
ii libsqlite3-0 3.6.23.1-2 SQLite 3 shared library
ii libstartup-notification 0.10-1 library for program launch feedbac
ii libstdc++6 4.4.4-1 The GNU Standard C++ Library v3
ii libx11-6 2:1.3.3-3 X11 client-side library
ii libxrender1 1:0.9.5-2 X Rendering Extension client libra
ii libxt6 1:1.0.7-1 X11 toolkit intrinsics library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
-- no debconf information