Secure testing commits - Jul 2006 - r4478 - data/CVE

Author: stef-guest
Date: 2006-07-31 17:58:15 +0000 (Mon, 31 Jul 2006)
New Revision: 4478

Modified:
   data/CVE/list
Log:
- track MFSA-2006-46 to -56
- firefox has been fixed


Modified: data/CVE/list
==================================================================---
data/CVE/list	2006-07-30 16:55:27 UTC (rev 4477)
+++ data/CVE/list	2006-07-31 17:58:15 UTC (rev 4478)
@@ -49,30 +49,109 @@
 	- cheesetracker <unfixed> (bug #380364; low)
 CVE-2006-3813
 	RESERVED
-CVE-2006-3812
+CVE-2006-3812 [firefox/mozilla  chrome: scheme loading remote content]
 	RESERVED
-CVE-2006-3811
+	NOTE: MFSA-2006-56
+	- mozilla <unfixed> (medium)
+	- xulrunner <unfixed> (medium)
+	- mozilla-firefox <removed> (medium)
+	- firefox 1.5.dfsg+1.5.0.5-1 (medium)
+	- thunderbird <unfixed> (unimportant)
+	- mozilla-thunderbird <removed> (unimportant)
+CVE-2006-3811 [firefox/mozilla Crashes with evidence of memory corruption
(rv:1.8.0.5)]
 	RESERVED
-CVE-2006-3810
+	NOTE: MFSA-2006-55
+	- mozilla <unfixed> (high)
+	- xulrunner <unfixed> (high)
+	- mozilla-firefox <removed> (high)
+	- firefox 1.5.dfsg+1.5.0.5-1 (high)
+	- thunderbird <unfixed> (medium)
+	- mozilla-thunderbird <removed> (medium)
+CVE-2006-3810 [firefox/mozilla XSS with XPCNativeWrapper(window).Function(...)]
 	RESERVED
-CVE-2006-3809
+	NOTE: MFSA-2006-54
+	- mozilla <not-affected> (mozilla 1.7 not affected)
+	- xulrunner <unfixed> (high)
+	- mozilla-firefox <not-affected> (only firefox >= 1.5)
+	- firefox 1.5.dfsg+1.5.0.5-1 (high)
+	- thunderbird <unfixed> (medium)
+	- mozilla-thunderbird <not-affected>
+CVE-2006-3809 [firefox/mozilla UniversalBrowserRead privilege escalation]
 	RESERVED
-CVE-2006-3808
+	NOTE: MFSA-2006-53
+	- mozilla <unfixed> (medium)
+	- xulrunner <unfixed> (medium)
+	- mozilla-firefox <removed> (medium)
+	- firefox 1.5.dfsg+1.5.0.5-1 (medium)
+	- thunderbird <unfixed> (medium)
+	- mozilla-thunderbird <removed> (medium)
+CVE-2006-3808 [firefox/mozilla PAC privilege escalation using
Function.prototype.call]
 	RESERVED
-CVE-2006-3807
+	NOTE: MFSA-2006-52
+	- mozilla <unfixed> (medium)
+	- xulrunner <unfixed> (medium)
+	- mozilla-firefox <removed> (medium)
+	- firefox 1.5.dfsg+1.5.0.5-1 (medium)
+CVE-2006-3807 [firefox/mozilla Privilege escalation using named-functions and
redefined "new Object()"]
 	RESERVED
-CVE-2006-3806
+	NOTE: MFSA-2006-51
+	- mozilla <unfixed> (high)
+	- xulrunner <unfixed> (high)
+	- mozilla-firefox <removed> (high)
+	- firefox 1.5.dfsg+1.5.0.5-1 (high)
+	- thunderbird <unfixed> (medium)
+	- mozilla-thunderbird <removed> (medium)
+CVE-2006-3806 [firefox/mozilla JavaScript engine vulnerabilities]
 	RESERVED
-CVE-2006-3805
+	NOTE: MFSA-2006-50
+	- mozilla <unfixed> (high)
+	- xulrunner <unfixed> (high)
+	- mozilla-firefox <removed> (high)
+	- firefox 1.5.dfsg+1.5.0.5-1 (high)
+	- thunderbird <unfixed> (medium)
+	- mozilla-thunderbird <removed> (medium)
+CVE-2006-3805 [firefox/mozilla JavaScript engine vulnerabilities]
 	RESERVED
-CVE-2006-3804
+	NOTE: MFSA-2006-50
+	- mozilla <unfixed> (high)
+	- xulrunner <unfixed> (high)
+	- mozilla-firefox <removed> (high)
+	- firefox 1.5.dfsg+1.5.0.5-1 (high)
+	- thunderbird <unfixed> (medium)
+	- mozilla-thunderbird <removed> (medium)
+CVE-2006-3804 [thunderbird/mozilla  Heap buffer overwrite on malformed VCard]
 	RESERVED
-CVE-2006-3803
+	NOTE: MFSA-2006-49
+	- mozilla <unfixed> (high)
+	- thunderbird <unfixed> (high)
+	- mozilla-thunderbird <removed> (high)
+CVE-2006-3803 [firefox/mozilla  JavaScript new Function race condition]
 	RESERVED
-CVE-2006-3802
+	NOTE: MFSA-2006-48
+	- mozilla <not-affected> (mozilla 1.7 not affected)
+	- xulrunner <unfixed> (high)
+	- mozilla-firefox <not-affected> (only firefox >= 1.5)
+	- firefox 1.5.dfsg+1.5.0.5-1 (high)
+	- thunderbird <unfixed> (medium)
+	- mozilla-thunderbird <not-affected>
+CVE-2006-3802 [firefox/mozilla Native DOM methods can be hijacked across
domains]
 	RESERVED
-CVE-2006-3801
+	NOTE: MFSA-2006-47
+	- mozilla <not-affected> (mozilla 1.7 not affected)
+	- xulrunner <unfixed> (medium)
+	- mozilla-firefox <not-affected> (only firefox >= 1.5)
+	- firefox 1.5.dfsg+1.5.0.5-1 (medium)
+	- thunderbird <unfixed> (medium)
+	- mozilla-thunderbird <not-affected>
+CVE-2006-3801 [firefox/mozilla Code execution through deleted frame reference]
 	RESERVED
+	NOTE: MFSA-2006-44
+	- mozilla-firefox <not-affected> (only firefox >= 1.5)
+	- mozilla-thunderbird <not-affected> (only firefox >= 1.5)
+	- mozilla <not-affected> (mozilla 1.7 not affected)
+	- firefox 1.5.dfsg+1.5.0.5-1 (high)
+	- xulrunner <unfixed> (high)
+	- thunderbird <unfixed> (medium)
 CVE-2006-3800 (Cross-site scripting (XSS) vulnerability in Amazing Flash
AFCommerce ...)
 	NOT-FOR-US: AFCommerce
 CVE-2006-3799 (DeluxeBB 1.07 and earlier allows remote attackers to bypass SQL
...)
@@ -332,8 +411,15 @@
 	NOT-FOR-US: FatWire Content Server
 CVE-2006-3678
 	RESERVED
-CVE-2006-3677
+CVE-2006-3677 [mozilla/firefox  Javascript navigator Object Vulnerability]
 	RESERVED
+	NOTE: MFSA-2006-45
+	- mozilla <not-affected> (mozilla 1.7 not affected)
+	- xulrunner <unfixed> (high)
+	- mozilla-firefox <not-affected> (only firefox >= 1.5)
+	- firefox 1.5.dfsg+1.5.0.5-1 (high)
+	- thunderbird <not-affected>
+	- mozilla-thunderbird <not-affected>
 CVE-2006-3676 (admin/gallery_admin.php in planetGallery before 14.07.2006
allows remote ...)
 	TODO: check
 CVE-2006-3675
@@ -1504,8 +1590,15 @@
 	NOT-FOR-US: phpRaid
 CVE-2006-3114
 	RESERVED
-CVE-2006-3113
+CVE-2006-3113 [mozilla/firefox  Memory corruption with simultaneous events]
 	RESERVED
+	NOTE: MFSA-2006-46
+	- mozilla <not-affected> (mozilla 1.7 not affected)
+	- xulrunner <unfixed> (high)
+	- mozilla-firefox <not-affected> (only firefox >= 1.5)
+	- firefox 1.5.dfsg+1.5.0.5-1 (high)
+	- thunderbird <unfixed> (medium)
+	- mozilla-thunderbird <not-affected>
 CVE-2006-3112 (Chipmailer 1.09 allows remote attackers to obtain sensitive ...)
 	NOT-FOR-US: Chipmailer
 CVE-2006-3111 (Multiple SQL injection vulnerabilities in main.php in Chipmailer
1.09 ...)

Stefan Fritsch wrote:
> Author: stef-guest
> Date: 2006-07-31 17:58:15 +0000 (Mon, 31 Jul 2006)
> New Revision: 4478
> 
> Modified:
>    data/CVE/list
> Log:
> - track MFSA-2006-46 to -56
> - firefox has been fixed
> 
> 
> Modified: data/CVE/list
> ==================================================================> ---
data/CVE/list	2006-07-30 16:55:27 UTC (rev 4477)
> +++ data/CVE/list	2006-07-31 17:58:15 UTC (rev 4478)
> @@ -49,30 +49,109 @@
>  	- cheesetracker <unfixed> (bug #380364; low)
>  CVE-2006-3813
>  	RESERVED
> -CVE-2006-3812
> +CVE-2006-3812 [firefox/mozilla  chrome: scheme loading remote content]
>  	RESERVED
> -CVE-2006-3811
> +	NOTE: MFSA-2006-56
> +	- mozilla <unfixed> (medium)
> +	- xulrunner <unfixed> (medium)
> +	- mozilla-firefox <removed> (medium)
> +	- firefox 1.5.dfsg+1.5.0.5-1 (medium)
> +	- thunderbird <unfixed> (unimportant)
> +	- mozilla-thunderbird <removed> (unimportant)
<removed> entries are not required for transitional source package names
like this, the tracker notices that they are not present in a suite. 

Cheers,
        Moritz

On Monday 31 July 2006 20:49, Moritz Muehlenhoff wrote:
> Stefan Fritsch wrote:
> > +CVE-2006-3812 [firefox/mozilla  chrome: scheme loading remote
> > content] RESERVED
> > -CVE-2006-3811
> > +	NOTE: MFSA-2006-56
> > +	- mozilla <unfixed> (medium)
> > +	- xulrunner <unfixed> (medium)
> > +	- mozilla-firefox <removed> (medium)
> > +	- firefox 1.5.dfsg+1.5.0.5-1 (medium)
> > +	- thunderbird <unfixed> (unimportant)
> > +	- mozilla-thunderbird <removed> (unimportant)
>
> <removed> entries are not required for transitional source package
> names like this, the tracker notices that they are not present in a
> suite.
mozilla-firefox in unstable is a transitional binary package (built 
from the firefox source package). There is no source package 
mozilla-firefox anymore.

I meant to mark the mozilla-firefox source package in sarge as 
vulnerable. I think the following three entries are equivalent in 
this case:

- mozilla-firefox <removed>
- mozilla-firefox <unfixed>
[sarge] - mozilla-firefox <unfixed>

Or am I missing something?

Cheers,
Stefan

PS: stef-guest@costa.debian.org won''t reach me.

* Stefan Fritsch:
> I meant to mark the mozilla-firefox source package in sarge as 
> vulnerable. I think the following three entries are equivalent in 
> this case:
>
> - mozilla-firefox <removed>
> - mozilla-firefox <unfixed>
> [sarge] - mozilla-firefox <unfixed>
>
> Or am I missing something?
The code agrees with you.

                        elif v in (''unfixed'',
''removed''):
                            pkg_notes.append(PackageNoteParsed
                                             (p, None, d, release=release))

("None" in this context means "unfixed".)

Since the package is only present in sarge, the release annotation (or
the lack thereof) doesn''t matter, either.

Stefan Fritsch wrote:
> On Monday 31 July 2006 20:49, Moritz Muehlenhoff wrote:
> > Stefan Fritsch wrote:
> > > +CVE-2006-3812 [firefox/mozilla  chrome: scheme loading remote
> > > content] RESERVED
> > > -CVE-2006-3811
> > > +	NOTE: MFSA-2006-56
> > > +	- mozilla <unfixed> (medium)
> > > +	- xulrunner <unfixed> (medium)
> > > +	- mozilla-firefox <removed> (medium)
> > > +	- firefox 1.5.dfsg+1.5.0.5-1 (medium)
> > > +	- thunderbird <unfixed> (unimportant)
> > > +	- mozilla-thunderbird <removed> (unimportant)
> >
> > <removed> entries are not required for transitional source
package
> > names like this, the tracker notices that they are not present in a
> > suite.
> 
> mozilla-firefox in unstable is a transitional binary package (built 
> from the firefox source package). There is no source package 
> mozilla-firefox anymore.
> 
> I meant to mark the mozilla-firefox source package in sarge as 
> vulnerable. I think the following three entries are equivalent in 
> this case:
> 
> - mozilla-firefox <removed>
> - mozilla-firefox <unfixed>
> [sarge] - mozilla-firefox <unfixed>
> 
> Or am I missing something?
It''s more or less the same, but <removed> was thought for
packages, which
have been removed as a whole without ever having been fixed.

Cheers,
        Moritz

On Tuesday 01 August 2006 19:59, Moritz Muehlenhoff
wrote:
> > - mozilla-firefox <removed>
> > - mozilla-firefox <unfixed>
> > [sarge] - mozilla-firefox <unfixed>
> >
> > Or am I missing something?
>
> It''s more or less the same, but <removed> was thought for
packages,
> which have been removed as a whole without ever having been fixed.
Well, it''s been removed from unstable and won''t ever be fixed
there.
Unless there is a reason to use something else, I think this is the 
most logical version. And I do think that there should be some entry 
until the DSA is released.

Cheers,
Stefan

Stefan Fritsch wrote:
> > > - mozilla-firefox <removed>
> > > - mozilla-firefox <unfixed>
> > > [sarge] - mozilla-firefox <unfixed>
> > >
> > > Or am I missing something?
> >
> > It''s more or less the same, but <removed> was thought
for packages,
> > which have been removed as a whole without ever having been fixed.
> 
> Well, it''s been removed from unstable and won''t ever be
fixed there.
> Unless there is a reason to use something else, I think this is the 
> most logical version. And I do think that there should be some entry 
> until the DSA is released.
IIRC: (However, I don''t care much, feel free to use what you like
best!)
unfixed -> supported package, continues to exist, even if under different
           source package name
removed -> no longer in the archive, open issues, but no security support,
           typically unsupportable garbage

And we still support firefox in Sarge, even if it''s unsupportable 
garbage :-)

Cheers,
        Moritz