Subject: iceweasel: crash/exploit
Package: iceweasel
Version: 2.0.0.11-1
Severity: grave
Justification: user security hole
Tags: security
While browsing web sites that I assumed were harmless
(en.wikipedia.org, some newspaper websites), I got iceweasel crashes,
along with core dumps. The next morning, I got a message from my ISP
that my system had been used for sending out spam.
After the fact, I installed iceweasel-dbg and ran gdb on the
resulting core file. Output from the gdb session is included.
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.22-3-k7 (SMP w/1 CPU core)
Locale: LANG=C, [EMAIL PROTECTED] (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages iceweasel depends on:
ii debianutils 2.28.2 Miscellaneous utilities
specific t
ii fontconfig 2.5.0-2 generic font configuration
library
ii libatk1.0-0 1.20.0-1 The ATK accessibility
toolkit
ii libc6 2.7-5 GNU C Library: Shared
libraries
ii libcairo2 1.4.10-1 The Cairo 2D vector
graphics libra
ii libfontconfig1 2.5.0-2 generic font configuration
library
ii libfreetype6 2.3.5-1+b1 FreeType 2 font engine,
shared lib
ii libgcc1 1:4.2.2-4 GCC support library
ii libglib2.0-0 2.14.3-1 The GLib library of C
routines
ii libgtk2.0-0 2.12.1-1 The GTK+ graphical user
interface
ii libhunspell-1.1-0 1.1.9-1 spell checker and
morphological an
ii libjpeg62 6b-14 The Independent JPEG
Group's JPEG
ii libnspr4-0d 4.7.0~1.9b1-2 NetScape Portable Runtime
Library
ii libnss3-0d 3.12.0~1.9b1-2 Transition package for
Network Sec
ii libpango1.0-0 1.18.4-1 Layout and rendering of
internatio
ii libpng12-0 1.2.15~beta5-3 PNG library - runtime
ii libstdc++6 4.2.2-4 The GNU Standard C++
Library v3
ii libx11-6 2:1.0.3-7 X11 client-side library
ii libxft2 2.1.12-2 FreeType-based font drawing
librar
ii libxinerama1 1:1.0.2-1 X11 Xinerama extension
library
ii libxp6 1:1.0.0.xsf1-1 X Printing Extension
(Xprint) clie
ii libxrender1 1:0.9.4-1 X Rendering Extension
client libra
ii libxt6 1:1.0.5-3 X11 toolkit intrinsics
library
ii procps 1:3.2.7-5 /proc file system utilities
ii psmisc 22.6-1 Utilities that use the proc
filesy
ii zlib1g 1:1.2.3.3.dfsg-8 compression library -
runtime
iceweasel recommends no packages.
-- no debconf information
#0 0xffffe410 in __kernel_vsyscall ()
No symbol table info available.
#1 0xb7d84d30 in raise () from /lib/i686/cmov/libpthread.so.0
No symbol table info available.
#2 0x080859ad in nsProfileLock::FatalSignalHandler (signo=11) at
nsProfileLock.cpp:206
unblock_sigs = {__val = {1024, 0 <repeats 31 times>}}
oldact = <value optimized out>
#3 <signal handler called>
No symbol table info available.
#4 0x08380496 in nsTextFrame::Paint (this=0xab98bdc, aPresContext=0x9e90a58,
[EMAIL PROTECTED], [EMAIL PROTECTED], aWhichLayer=eFramePaintLayer_Overlay,
aFlags=0) at nsTextFrame.cpp:594
ts = {<nsTextFrame::TextStyle> = {mFont = 0xaac5660, mText = 0xaac55dc,
mNormalFont = 0x0, mSmallFont = 0x6, mLastFont = 0x9fe2ec8, mSmallCaps =
-1075394440, mWordSpacing = 138320531, mLetterSpacing = 167653020, mSpaceWidth
= 2, mAveCharWidth = 0, mJustifying = 1, mPreformatted = 167653064,
mNumJustifiableCharacterToRender = 167650952, mNumJustifiableCharacterToMeasure
= -1075394392, mExtraSpacePerJustifiableCharacter = 144025951,
mNumJustifiableCharacterReceivingExtraJot = 165304272}, mColor = 0xbfe6c8a0,
mSelectionTextColor = 3219572904, mSelectionBGColor = 136841890}
sc = (nsStyleContext *) 0xaabb0d4
isVisible = 1
#5 0x083366ad in nsContainerFrame::PaintChild (this=0xab98ba8,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED], aFrame=0xab98bdc,
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsContainerFrame.cpp:286
translate = {mCtx = 0x9da57d0, mPushed = {mSavedX = 193.235291, mSavedY
= 11.4114714}}
kidRect = {x = 0, y = 0, width = 1377, height = 272}
damageArea = {x = 0, y = 0, width = 1377, height = 272}
overlap = <value optimized out>
#6 0x08336525 in nsContainerFrame::PaintChildren (this=0xab98ba8,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsContainerFrame.cpp:231
kid = (class nsIFrame *) 0xab98bdc
#7 0x0834c44a in nsHTMLContainerFrame::PaintDecorationsAndChildren
(this=0xab98ba8, aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aIsBlock=0, aFlags=0) at
nsHTMLContainerFrame.cpp:136
underColor = 272
overColor = 3281
strikeColor = <value optimized out>
decorations = 0 '\0'
fm = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
isVisible = 1
#8 0x08358e84 in nsInlineFrame::Paint (this=0xab98ba8, aPresContext=0x9e90a58,
[EMAIL PROTECTED], [EMAIL PROTECTED], aWhichLayer=eFramePaintLayer_Overlay,
aFlags=0) at nsInlineFrame.cpp:326
No locals.
#9 0x083366ad in nsContainerFrame::PaintChild (this=0xab98b58,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED], aFrame=0xab98ba8,
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsContainerFrame.cpp:286
translate = {mCtx = 0x9da57d0, mPushed = {mSavedX = 193.235291, mSavedY
= 9.94088268}}
kidRect = {x = 0, y = 25, width = 3281, height = 272}
damageArea = {x = 0, y = 0, width = 3281, height = 272}
overlap = <value optimized out>
#10 0x083298c0 in nsBlockFrame::PaintChildren (this=0xab98b58,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsBlockFrame.cpp:6483
lineArea = {x = 0, y = 0, width = 3281, height = 323}
nonDecreasingYs = 1
lineCount = 0
lastY = 0
lastYMost = 323
cursor = <value optimized out>
#11 0x0834c44a in nsHTMLContainerFrame::PaintDecorationsAndChildren
(this=0xab98b58, aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aIsBlock=1, aFlags=0) at
nsHTMLContainerFrame.cpp:136
underColor = 7
overColor = 170738172
strikeColor = <value optimized out>
decorations = 0 '\0'
fm = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
isVisible = 1
#12 0x083295dd in nsBlockFrame::Paint (this=0xab98b58, aPresContext=0x9e90a58,
[EMAIL PROTECTED], [EMAIL PROTECTED], aWhichLayer=eFramePaintLayer_Overlay,
aFlags=0) at nsBlockFrame.cpp:6377
paintingSuppressed = 0
disp = (const nsStyleDisplay *) 0xa2d431c
#13 0x083366ad in nsContainerFrame::PaintChild (this=0xab98acc,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED], aFrame=0xab98b58,
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsContainerFrame.cpp:286
translate = {mCtx = 0x9da57d0, mPushed = {mSavedX = 193.235291, mSavedY
= 9.94088268}}
kidRect = {x = 0, y = 0, width = 18022, height = 323}
damageArea = {x = 0, y = 0, width = 18022, height = 323}
overlap = <value optimized out>
#14 0x083298c0 in nsBlockFrame::PaintChildren (this=0xab98acc,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsBlockFrame.cpp:6483
lineArea = {x = 0, y = 0, width = 18022, height = 323}
nonDecreasingYs = 1
lineCount = 1
lastY = 0
lastYMost = 323
cursor = <value optimized out>
#15 0x0834c44a in nsHTMLContainerFrame::PaintDecorationsAndChildren
(this=0xab98acc, aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aIsBlock=1, aFlags=0) at
nsHTMLContainerFrame.cpp:136
underColor = 7
overColor = 178846464
strikeColor = <value optimized out>
decorations = 0 '\0'
fm = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
isVisible = 1
#16 0x083295dd in nsBlockFrame::Paint (this=0xab98acc, aPresContext=0x9e90a58,
[EMAIL PROTECTED], [EMAIL PROTECTED], aWhichLayer=eFramePaintLayer_Overlay,
aFlags=0) at nsBlockFrame.cpp:6377
paintingSuppressed = 0
disp = (const nsStyleDisplay *) 0xaa8fb50
#17 0x083366ad in nsContainerFrame::PaintChild (this=0xab98a40,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED], aFrame=0xab98acc,
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsContainerFrame.cpp:286
translate = {mCtx = 0x9da57d0, mPushed = {mSavedX = 167.941177, mSavedY
= 9.94088268}}
kidRect = {x = 430, y = 0, width = 18022, height = 646}
damageArea = {x = 0, y = 0, width = 18022, height = 646}
overlap = <value optimized out>
#18 0x083298c0 in nsBlockFrame::PaintChildren (this=0xab98a40,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsBlockFrame.cpp:6483
lineArea = {x = 430, y = 0, width = 18022, height = 646}
nonDecreasingYs = 1
lineCount = 1
lastY = 0
lastYMost = 646
cursor = <value optimized out>
#19 0x0834c44a in nsHTMLContainerFrame::PaintDecorationsAndChildren
(this=0xab98a40, aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aIsBlock=1, aFlags=0) at
nsHTMLContainerFrame.cpp:136
underColor = 7
overColor = 169578812
strikeColor = <value optimized out>
decorations = 0 '\0'
fm = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
isVisible = 1
#20 0x083295dd in nsBlockFrame::Paint (this=0xab98a40, aPresContext=0x9e90a58,
[EMAIL PROTECTED], [EMAIL PROTECTED], aWhichLayer=eFramePaintLayer_Overlay,
aFlags=0) at nsBlockFrame.cpp:6377
paintingSuppressed = 0
disp = (const nsStyleDisplay *) 0xa20cb3c
#21 0x083366ad in nsContainerFrame::PaintChild (this=0x983a818,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED], aFrame=0xab98a40,
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsContainerFrame.cpp:286
translate = {mCtx = 0x9da57d0, mPushed = {mSavedX = 167.941177, mSavedY
= -6061.29443}}
kidRect = {x = 0, y = 103211, width = 18452, height = 646}
damageArea = {x = 0, y = 0, width = 18452, height = 646}
overlap = <value optimized out>
#22 0x083298c0 in nsBlockFrame::PaintChildren (this=0x983a818,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsBlockFrame.cpp:6483
lineArea = {x = 0, y = 103211, width = 18452, height = 646}
nonDecreasingYs = 0
lineCount = 147
lastY = 103211
lastYMost = 103857
cursor = <value optimized out>
#23 0x0834c44a in nsHTMLContainerFrame::PaintDecorationsAndChildren
(this=0x983a818, aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aIsBlock=1, aFlags=0) at
nsHTMLContainerFrame.cpp:136
underColor = 7
overColor = 170738172
strikeColor = <value optimized out>
decorations = 0 '\0'
fm = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
isVisible = 1
#24 0x083295dd in nsBlockFrame::Paint (this=0x983a818, aPresContext=0x9e90a58,
[EMAIL PROTECTED], [EMAIL PROTECTED], aWhichLayer=eFramePaintLayer_Overlay,
aFlags=0) at nsBlockFrame.cpp:6377
paintingSuppressed = 0
disp = (const nsStyleDisplay *) 0xa2d431c
#25 0x083366ad in nsContainerFrame::PaintChild (this=0x9fe2f74,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED], aFrame=0x983a818,
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsContainerFrame.cpp:286
translate = {mCtx = 0x9da57d0, mPushed = {mSavedX = 154.294113, mSavedY
= -6100.58838}}
kidRect = {x = 232, y = 668, width = 18452, height = 158212}
damageArea = {x = -232, y = 103042, width = 18899, height = 1020}
overlap = <value optimized out>
#26 0x083298c0 in nsBlockFrame::PaintChildren (this=0x9fe2f74,
aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aFlags=0) at nsBlockFrame.cpp:6483
lineArea = {x = 232, y = 611, width = 18452, height = 158269}
nonDecreasingYs = 1
lineCount = 3
lastY = 611
lastYMost = 158880
cursor = <value optimized out>
#27 0x0834c44a in nsHTMLContainerFrame::PaintDecorationsAndChildren
(this=0x9fe2f74, aPresContext=0x9e90a58, [EMAIL PROTECTED], [EMAIL PROTECTED],
aWhichLayer=eFramePaintLayer_Overlay, aIsBlock=1, aFlags=0) at
nsHTMLContainerFrame.cpp:136
underColor = 7
overColor = 167653020
strikeColor = <value optimized out>
decorations = 0 '\0'
fm = {<nsCOMPtr_base> = {mRawPtr = 0x0}, <No data fields>}
isVisible = 1
#28 0x083295dd in nsBlockFrame::Paint (this=0x9fe2f74, aPresContext=0x9e90a58,
[EMAIL PROTECTED], [EMAIL PROTECTED], aWhichLayer=eFramePaintLayer_Overlay,
aFlags=0) at nsBlockFrame.cpp:6377
paintingSuppressed = 0
disp = (const nsStyleDisplay *) 0x9fe2ef4
#29 0x08316ab2 in PresShell::Paint (this=0x9ce70a0, aView=0xa222de0, [EMAIL
PROTECTED], [EMAIL PROTECTED]) at nsPresShell.cpp:5955
setClipRect = 0
frame = <value optimized out>
rv = <value optimized out>
#30 0x0852a11d in nsView::Paint (this=0xa222de0, [EMAIL PROTECTED], [EMAIL
PROTECTED], aPaintFlags=0, [EMAIL PROTECTED]) at nsView.cpp:314
observer = {<nsCOMPtr_base> = {mRawPtr = 0x9ce711c}, <No data fields>}
#31 0x0852b34d in nsViewManager::RenderDisplayListElement (this=0x9e90c20,
element=0x9f19018, aRC=0x9da57d0) at nsViewManager.cpp:1458
clipEmpty = 166826012
x = 2623
y = -90025
drect = {x = 0, y = 103710, width = 18899, height = 1020}
#32 0x08530e46 in nsViewManager::RenderViews (this=0x9e90c20,
aRootView=0x9ebf6a0, [EMAIL PROTECTED], [EMAIL PROTECTED],
aRCSurface=0x971aea8, [EMAIL PROTECTED]) at nsViewManager.cpp:1373
RCs = {0x9da57d0, 0x0}
i = 5
index = 7
fakeClipRect = {x = 0, y = 0, width = 0, height = 0}
anyRendered = 1
widget = (nsIWidget *) 0x9ec03a0
translucentWindow = 0
buffers = (BlendingBuffers *) 0x9c74530
filterStack = {<nsVoidArray> = {_vptr.nsVoidArray = 0x8b9d548, mImpl =
0xbfe6d2d8}, mAutoBuf = "\b", '\0' <repeats 11 times>,
"@Óæ¿\030Óæ¿\n\r(\b\230ug\t\000\000\000\000\000\000\000\000ò\004\000"}
#33 0x085321b0 in nsViewManager::Refresh (this=0x9e90c20, aView=0x9ebf6a0,
aContext=0x9da57d0, aRegion=0x9a974e8, aUpdateFlags=1) at nsViewManager.cpp:929
i = <value optimized out>
viewRect = {x = 0, y = 0, width = 21522, height = 14705}
damageRegion = {mRectCount = 1, mCurRect = 0x8bb3624, mRectListHead =
{<nsRegion::nsRectFast> = {<nsRect> = {x = 0, y = 0, width = 0, height = 0},
<No data fields>}, prev = 0x8bb3624, next = 0x8bb3624}, mBoundRect = {<nsRect>
= {x = 0, y = 13685, width = 21522, height = 1020}, <No data fields>}}
localcx = {<nsCOMPtr_base> = {mRawPtr = 0x9da57d0}, <No data fields>}
ds = (class nsIDrawingSurface *) 0x971aea8
damageRect = {x = 0, y = 13685, width = 21522, height = 1020}
widgetDamageRectInPixels = {x = 0, y = 805, width = 1267, height = 61}
displayList = {<nsVoidArray> = {_vptr.nsVoidArray = 0x8b9d548, mImpl =
0xbfe6d3a8}, mAutoBuf =
"\b\000\000\000\a\000\000\000p\221ñ\t(\221ñ\tà\220ñ\t¨\220ñ\tp\220ñ\t\030\220ñ\tÐ\217ñ\t\000\000\000"}
displayArena = {first = {next = 0x9f18fc0, base = 3219575824, limit =
3219575824, avail = 3219575824}, current = 0x9f18fc0, arenasize = 1024, mask =
3}
anyTransparentPixels = 0
needBlending = <value optimized out>
#34 0x08532acf in nsViewManager::DispatchEvent (this=0x9e90c20,
aEvent=0xbfe6d5cc, aStatus=0xbfe6d580) at nsViewManager.cpp:2051
rootVM = (nsViewManager *) 0x9e90c20
widget = <value optimized out>
translucentWindow = 0
didResize = <value optimized out>
view = (class nsView *) 0x9ebf6a0
region = {<nsCOMPtr_base> = {mRawPtr = 0x9a974e8}, <No data fields>}
#35 0x08529e56 in HandleEvent (aEvent=0xbfe6d5cc) at nsView.cpp:171
result = nsEventStatus_eConsumeNoDefault
#36 0x082dacd5 in nsCommonWidget::DispatchEvent (this=0x9ec03a0,
aEvent=0xbfe6d5cc, [EMAIL PROTECTED]) at nsCommonWidget.cpp:219
No locals.
#37 0x082d4175 in nsWindow::OnExposeEvent (this=0x9ec03a0, aWidget=0x8c72938,
aEvent=0xbfe6dc40) at nsWindow.cpp:1465
rc = {<nsCOMPtr_base> = {mRawPtr = 0x9da57d0}, <No data fields>}
updateRegion = {<nsCOMPtr_base> = {mRawPtr = 0x9a974e8}, <No data
fields>}
rects = (GdkRectangle *) 0x9a5fc00
nrects = <value optimized out>
event = {<nsGUIEvent> = {<nsEvent> = {eventStructType = 6 '\006',
message = 130, point = {x = 0, y = 805}, refPoint = {x = 0, y = 0}, time = 0,
flags = 0, internalAppFlags = 2, userType = 0x0}, widget = 0x9ec03a0, nativeMsg
= 0x0}, renderingContext = 0x9da57d0, region = 0x9a974e8, rect = 0x0}
status = nsEventStatus_eIgnore
kRegionCID = {m0 = 3777450736, m1 = 61082, m2 = 4561, m3 = "[EMAIL
PROTECTED](É"}
#38 0x082d41f9 in expose_event_cb (widget=0x8c72938, event=0xbfe6dc40) at
nsWindow.cpp:3813
window = (nsWindow *) 0xbfe6c864
#39 0xb7b4e9c4 in ?? () from /usr/lib/libgtk-x11-2.0.so.0
No symbol table info available.
#40 0x08c72938 in ?? ()
No symbol table info available.
#41 0xbfe6dc40 in ?? ()
No symbol table info available.
#42 0x00000000 in ?? ()
No symbol table info available.
Undefined command: "exit". Try "help".