Launchpad.net

CVE 2008-2801

Mozilla Firefox before 2.0.0.15 and SeaMonkey before 1.1.10 do not properly implement JAR signing, which allows remote attackers to execute arbitrary code via (1) injection of JavaScript into documents within a JAR archive or (2) a JAR archive that uses relative URLs to JavaScript files.

Related bugs and status

CVE-2008-2801 (Candidate) is related to these bugs:

Bug #218534: [Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14

		In	Importance	Status
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	firefox (Ubuntu)	Undecided	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	thunderbird (Ubuntu)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	seamonkey (Ubuntu)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	xulrunner (Ubuntu)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	firefox (Ubuntu Dapper)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	seamonkey (Ubuntu Dapper)	Undecided	Invalid
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	thunderbird (Ubuntu Dapper)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	xulrunner (Ubuntu Dapper)	Undecided	Invalid
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	firefox (Ubuntu Feisty)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	seamonkey (Ubuntu Feisty)	Undecided	Invalid
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	thunderbird (Ubuntu Feisty)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	xulrunner (Ubuntu Feisty)	Critical	Invalid
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	firefox (Ubuntu Gutsy)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	seamonkey (Ubuntu Gutsy)	Undecided	Invalid
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	thunderbird (Ubuntu Gutsy)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	xulrunner (Ubuntu Gutsy)	Undecided	Won't Fix
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	firefox (Ubuntu Hardy)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	seamonkey (Ubuntu Hardy)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	thunderbird (Ubuntu Hardy)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	xulrunner (Ubuntu Hardy)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	firefox (Ubuntu Intrepid)	Undecided	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	seamonkey (Ubuntu Intrepid)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	thunderbird (Ubuntu Intrepid)	Critical	Fix Released
218534	[Needs Packaging] JavaScript vulnerability in Firefox/Thunderbird/SeaMonkey/Xulrunner before 2.0.0.14/1.1.10/1.8.1.14	xulrunner (Ubuntu Intrepid)	Critical	Fix Released

Bug #254618: Please update xulrunner to 1.8.1.16 version.

Summary				In	Importance	Status
	254618	Please update xulrunner to 1.8.1.16 version.		xulrunner (Ubuntu)	High	Fix Released
	254618	Please update xulrunner to 1.8.1.16 version.		xulrunner (Ubuntu Hardy)	Undecided	Won't Fix

See the

CVE page on Mitre.org for more details.

References

CONFIRM: http://www.mozilla.org...
CONFIRM: http://www.mozilla.org...
CONFIRM: https://bugzilla.mozil...
CONFIRM: https://bugzilla.mozil...
CONFIRM: https://bugzilla.mozil...
UBUNTU: USN-619-1
BID: 30038
SECUNIA: 30911
CONFIRM: https://issues.rpath.c...
FEDORA: FEDORA-2008-6127
FEDORA: FEDORA-2008-6193
FEDORA: FEDORA-2008-6196
MANDRIVA: MDVSA-2008:136
REDHAT: RHSA-2008:0547
REDHAT: RHSA-2008:0549
REDHAT: RHSA-2008:0569
SUSE: SUSE-SA:2008:034
SECTRACK: 1020419
SECUNIA: 30878
SECUNIA: 30898
SECUNIA: 30903
SECUNIA: 30949
SECUNIA: 31005
SECUNIA: 31008
DEBIAN: DSA-1607
DEBIAN: DSA-1615
REDHAT: RHSA-2008:0616
SECUNIA: 31069
SECUNIA: 31023
SECUNIA: 31183
SECUNIA: 31195
GENTOO: GLSA-200808-03
SECUNIA: 31377
CONFIRM: http://wiki.rpath.com/...
SECUNIA: 31021
DEBIAN: DSA-1697
SECUNIA: 33433
SUNALERT: 256408
SECUNIA: 34501
VUPEN: ADV-2009-0977
VUPEN: ADV-2008-1993
SECUNIA: 31076
SLACKWARE: SSA:2008-191-03
SLACKWARE: SSA:2008-191
OVAL: oval:org.mitre.oval:de...
BUGTRAQ: 20080708 rPSA-2008-021...