On Tue, 11 Aug 2009 11:47:50 +0200, Alexander Sack wrote:
> On Mon, Aug 10, 2009 at 07:47:29PM -0400, Michael S Gilbert wrote:
> > Package: xulrunner
> > Version: 1.9.1.1-2
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for xulrunner.
> > 
> > CVE-2009-2663[0]:
> > | libvorbis before r16182, as used in Mozilla Firefox before 3.0.13 and
> > | 3.5.x before 3.5.2 and other products, allows context-dependent
> > | attackers to cause a denial of service (memory corruption and
> > | application crash) or possibly execute arbitrary code via a crafted
> > | .ogg file.
> > 
> > This does not affect versions 1.9.0.12 and earlier, so no updates
> > are needed for the stable releases.
> 
> The summary you pasted suggests that "before" 3.0.13 is affected, which
> would mean that xul 1.9.0.12 would be affected too; but OTOH, the 1.9
> branch didn't have any libvorbis/codec support afaik. So this feels
> like a typo in the CVE. Anyway, xul should probably be updated to .13
> anyway in stable.

Yes, this is a flaw in the CVE text (which you often can't take at
face value). I checked the source, and vorbis is not present in 1.9.0.12
or before, and I doubt it will be introduced in 1.9.0.13, but I could
be wrong.

mike
