Hi,

I just discovered http://security-tracker.debian.net/tracker/ (shame on me not to have known it earlier) and have some comments for some bugs affecting mozilla-based packages.

CVE-2006-6506 doesn't apply to iceape.
CVE-2007-1116 also applies to xulrunner, and is reported as debian bugs #415919, #415944 and #415945.
CVE-2006-6507 applies neither to iceape nor to xulrunner.
CVE-2006-0496 also affects iceape and xulrunner.
CVE-2007-0801 also affects iceape and xulrunner, but, according to https://bugzilla.mozilla.org/show_bug.cgi?id=369428, is fixed since iceweasel 2.0.0.2, iceape 1.0.8 and xulrunner 1.8.0.10.

I guess CVE-2007-1004 affects iceape, and *may* affect browsers based on xulrunner.
CVE-2007-1084 may affect iceape and browsers based on xulrunner.

I can't reproduce CVE-2006-4561 with xulrunner. Neither in 1.8.0.10-3 nor in an earlier version (I tried 1.8.0.5-4)... Anyways, if firefox indeed got fixed in 1.5.0.7, then it means xulrunner was fixed in 1.8.0.7-1. And if the fix was really done in mozilla code base 1.8.0.7, then iceape was never exposed.

Cheers,
Mike
Micah Anderson
2007-Mar-23 23:01 UTC
[Secure-testing-team] Some mozilla security bug updates
Hi Mike,

Mike Hommey wrote:
> I just discovered http://security-tracker.debian.net/tracker/ (shame on
> me not to have known it earlier) and have some comments for some bugs
> affecting mozilla-based packages.
>
> CVE-2006-6506 doesn't apply to iceape
> CVE-2007-1116 also applies to xulrunner, and is reported as debian bugs
> #415919, #415944 and #415945.
> CVE-2006-6507 applies neither to iceape nor to xulrunner
> CVE-2006-0496 also affects iceape and xulrunner

I made these changes, thanks.

> CVE-2007-0801 also affects iceape and xulrunner, but, according to
> https://bugzilla.mozilla.org/show_bug.cgi?id=369428, is fixed since
> iceweasel 2.0.0.2, iceape 1.0.8 and xulrunner 1.8.0.10.

In this case, I put:

 - iceweasel 2.0.0.2+dfsg-1 (low)
 - iceape 1.0.8-1 (low)
 - xulrunner 1.8.0.10-1 (low)

Meaning those were the debian packages this was fixed in; please correct me if I am wrong.

> I guess CVE-2007-1004 affects iceape, and *may* affect browsers based on
> xulrunner.
> CVE-2007-1084 may affect iceape and browsers based on xulrunner.

Ok, I'll add iceape, let us know if you determine otherwise. Also, you say that it may affect browsers based on xulrunner, I guess I am noting that xulrunner is affected then? What other browsers use xulrunner embedded?

> I can't reproduce CVE-2006-4561 with xulrunner. Neither in 1.8.0.10-3
> nor in an earlier version (I tried 1.8.0.5-4)... Anyways, if firefox indeed
> got fixed in 1.5.0.7, then it means xulrunner was fixed in 1.8.0.7-1.
> And if the fix was really done in mozilla code base 1.8.0.7, then iceape
> was never exposed.

Noted xulrunner as fixed in 1.8.0.7-1.

Thanks for the updates!

Micah
On Fri, Mar 23, 2007 at 04:33:39PM -0600, Micah Anderson <micah@riseup.net> wrote:
> > I guess CVE-2007-1004 affects iceape, and *may* affect browsers based on
> > xulrunner.
> > CVE-2007-1084 may affect iceape and browsers based on xulrunner.
>
> Ok, I'll add iceape, let us know if you determine otherwise. Also, you
> say that it may affect browsers based on xulrunner, I guess I am noting
> that xulrunner is affected then? What other browsers use xulrunner embedded?

xulrunner by itself is not affected; it depends on what the browsers that use it allow to be removed from their UI and how easy it may be to make something look like it with remote content. This can actually affect any browser.

FWIW, xulrunner-using browsers are, AFAIK, epiphany, galeon and kazehakase.

Mike