On Tue, 11 Aug 2009 11:47:50 +0200, Alexander Sack wrote:
> On Mon, Aug 10, 2009 at 07:47:29PM -0400, Michael S Gilbert wrote:
> > Package: xulrunner
> > Version: 1.9.1.1-2
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for xulrunner.
> >
> > CVE-2009-2663[0]:
> > | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> > | 3.5.x before 3.5.2 and other products, allows context-dependent
> > | attackers to cause a denial of service (memory corruption and
> > | application crash) or possibly execute arbitrary code via a crafted
> > | .ogg file.
> >
> > This does not affect versions 1.9.0.12 and earlier, so no updates
> > are needed for the stable releases.
>
> The summary you pasted suggests that "before" 3.0.13 is affected, which
> would mean that xul 1.9.0.12 would be affected too; but OTOH, the 1.9
> branch didn't have any libvorbis/codec support afaik. So this feels
> like a typo in the CVE. Anyway, xul should probably be updated to .13
> anyway in stable.
Yes, this is a flaw in the CVE text (which often you can't take at face value). I checked the source, and vorbis is not present in 1.9.0.12 or before, and I doubt it will be introduced in 1.9.0.13, but I could be wrong.

mike