Bug#582590: iceweasel: firefox vulnerability causes a local DoS

Pedro R pedrib at gmail.com
Sat May 22 01:44:42 UTC 2010


Package: iceweasel
Version: 3.5.9-3
Severity: grave
Tags: security
Justification: causes non-serious data loss

Hi,

a new vulnerability has been discovered in several browsers, including Firefox/Iceweasel.

You can get more information here
http://www.securityfocus.com/archive/1/511327/100/0/threaded
http://translate.google.com/translate?hl=en&u=http://websecurity.com.ua/4206/&sl=uk&tl=en

The last link has a PoC, which I tested and which crashed my machine (yes, I should have used
a virtual machine :( ).

Beware.

Regards,
Pedro



-- Package-specific info:

-- Extensions information
Name: Default
Location: /usr/lib/iceweasel/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: DownThemAll!
Location: ${PROFILE_EXTENSIONS}/{DDC359D1-844A-42a7-9AA1-88A850A938A8}
Status: enabled

Name: DownloadHelper
Location: ${PROFILE_EXTENSIONS}/{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
Status: enabled

Name: FOXSCAPE
Location: ${PROFILE_EXTENSIONS}/{da7f40f0-8675-11db-b606-0800200c9a66}
Status: enabled

Name: Flashblock
Location: ${PROFILE_EXTENSIONS}/{3d7eb24f-2740-49df-8937-200b1cc08f8a}
Status: enabled

Name: LittleFox
Location: ${PROFILE_EXTENSIONS}/{29852C08-1E91-4889-A6BF-C77F91D6A8F3}
Status: enabled

Name: NoScript
Location: ${PROFILE_EXTENSIONS}/{73a6fe31-595d-460b-a920-fcc0f8843232}
Status: user-disabled

Name: ProxySel
Location: ${PROFILE_EXTENSIONS}/{71e95839-6f7e-470d-be54-77012fec6345}
Status: app-disabled

Name: Tamper Data
Location: ${PROFILE_EXTENSIONS}/{9c51bd27-6ed8-4000-a2bf-36cb95c0c947}
Status: app-disabled

Name: Torbutton
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{e0204bd5-9d31-402b-a99d-a6aa8ffebdca}
Package: xul-ext-torbutton
Status: enabled

Name: VertTabbar
Location: ${PROFILE_EXTENSIONS}/verttabbar at frnchfrgg.org
Status: user-disabled

-- Plugins information
Name: DivX Browser Plug-In
Location: /home/botto/.mozilla/plugins/mplayerplug-in-dvx.so
Status: enabled

Name: IcedTea NPR Web Browser Plugin (using IcedTea6 1.8 (6b18-1.8-1))
Location: /usr/lib/jvm/java-6-openjdk/jre/lib/amd64/IcedTeaPlugin.so
Package: icedtea6-plugin
Status: enabled

Name: QuickTime Plug-in 7.4.5
Location: /home/botto/.mozilla/plugins/mplayerplug-in-qt.so
Status: enabled

Name: RealPlayer 9
Location: /home/botto/.mozilla/plugins/mplayerplug-in-rm.so
Status: enabled

Name: Shockwave Flash
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled

Name: Windows Media Player Plug-in
Location: /home/botto/.mozilla/plugins/mplayerplug-in-wmp.so
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled

Name: mplayerplug-in 2008/12/26
Location: /home/botto/.mozilla/plugins/mplayerplug-in.so
Status: enabled


-- Addons package information
ii  icedtea6-plugi 6b18-1.8-1     web browser plugin based on OpenJDK and Iced
ii  iceweasel      3.5.9-3        Web browser based on Firefox
ii  rhythmbox-plug 0.12.8-1+b1    plugins for rhythmbox music player
ii  xul-ext-torbut 1.2.5-1        Iceweasel/Firefox extension enabling 1-click

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (700, 'testing'), (650, 'unstable'), (600, 'experimental'), (500, 'testing-proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.34-toi-a4dj (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iceweasel depends on:
ii  debianutils                   3.2.3      Miscellaneous utilities specific t
ii  fontconfig                    2.8.0-2.1  generic font configuration library
ii  libc6                         2.10.2-6   Embedded GNU C Library: Shared lib
ii  libglib2.0-0                  2.24.1-1   The GLib library of C routines
ii  libgtk2.0-0                   2.20.1-1   The GTK+ graphical user interface 
ii  libnspr4-0d                   4.8.4-1    NetScape Portable Runtime Library
ii  libstdc++6                    4.4.4-1    The GNU Standard C++ Library v3
ii  procps                        1:3.2.8-9  /proc file system utilities
ii  xulrunner-1.9.1               1.9.1.9-7  XUL + XPCOM application runner

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
ii  latex-xft-fonts             1.6.5-1      TrueType versions of some TeX font
ii  libgssapi-krb5-2            1.8.1+dfsg-2 MIT Kerberos runtime libraries - k
pn  mozplugger                  <none>       (no description available)
ii  ttf-lyx                     1.6.5-1      TrueType versions of some TeX font
pn  ttf-mathematica4.1          <none>       (no description available)
ii  xfonts-mathml               4            Type1 Symbol font for MathML
pn  xprint                      <none>       (no description available)

Versions of packages xulrunner-1.9.1 depends on:
ii  libasound2              1.0.22-2         shared library for ALSA applicatio
ii  libatk1.0-0             1.30.0-1         The ATK accessibility toolkit
ii  libbz2-1.0              1.0.5-4          high-quality block-sorting file co
ii  libc6                   2.10.2-6         Embedded GNU C Library: Shared lib
ii  libcairo2               1.8.10-4         The Cairo 2D vector graphics libra
ii  libdbus-1-3             1.2.24-1         simple interprocess messaging syst
ii  libfontconfig1          2.8.0-2.1        generic font configuration library
ii  libfreetype6            2.3.11-1         FreeType 2 font engine, shared lib
ii  libgcc1                 1:4.4.4-1        GCC support library
ii  libglib2.0-0            2.24.1-1         The GLib library of C routines
ii  libgtk2.0-0             2.20.1-1         The GTK+ graphical user interface 
ii  libhunspell-1.2-0       1.2.8-6          spell checker and morphological an
ii  libjpeg62               6b-16.1          The Independent JPEG Group's JPEG 
ii  libmozjs2d              1.9.1.9-7        The Mozilla SpiderMonkey JavaScrip
ii  libnspr4-0d             4.8.4-1          NetScape Portable Runtime Library
ii  libnss3-1d              3.12.6-2         Network Security Service libraries
ii  libpango1.0-0           1.28.0-1         Layout and rendering of internatio
ii  libpng12-0              1.2.43-1         PNG library - runtime
ii  libreadline6            6.1-1            GNU readline and history libraries
ii  libsqlite3-0            3.6.23.1-2       SQLite 3 shared library
ii  libstartup-notification 0.10-1           library for program launch feedbac
ii  libstdc++6              4.4.4-1          The GNU Standard C++ Library v3
ii  libx11-6                2:1.3.3-3        X11 client-side library
ii  libxrender1             1:0.9.5-2        X Rendering Extension client libra
ii  libxt6                  1:1.0.7-1        X11 toolkit intrinsics library
ii  zlib1g                  1:1.2.3.4.dfsg-3 compression library - runtime

-- no debconf information
