CVE-2009-1307

Priority
Medium
Description
The view-source: URI implementation in Mozilla Firefox before 3.0.9,
Thunderbird, and SeaMonkey does not properly implement the Same Origin
Policy, which allows remote attackers to (1) bypass crossdomain.xml
restrictions and connect to arbitrary web sites via a Flash file; (2) read,
create, or modify Local Shared Objects via a Flash file; or (3) bypass
unspecified restrictions and render content via vectors involving a jar:
URI.
References
Notes
jdstrand> CVEs in Firefox are tracked in the xulrunner source packages. The
mapping of xulrunner sources to firefox is:
xulrunner (1.8.0): firefox (1.5) - Ubuntu 6.06 LTS
xulrunner (1.8.1): firefox (2.0) - Ubuntu 6.10 - 8.04 LTS
xulrunner-1.9: firefox-3.0
xulrunner-1.9.1: firefox-3.5
jdstrand: Ubuntu 6.06 LTS and 10.04 LTS uses the embedded xulrunner and not
the system xulrunner-1.9.2, so it is tracked in the firefox source package.
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 11.04 (Natty Narwhal):DNE
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):ignored (uses system xulrunner)
Ubuntu 10.04 LTS (Lucid Lynx):not-affected
Ubuntu 11.04 (Natty Narwhal):not-affected
Ubuntu 11.10 (Oneiric Ocelot):not-affected
Ubuntu 12.04 LTS (Precise Pangolin):not-affected
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):released (1.1.17+nobinonly-0ubuntu0.8.04.1)
Ubuntu 10.04 LTS (Lucid Lynx):released (1.1.17+nobinonly-0ubuntu1)
Ubuntu 11.04 (Natty Narwhal):released (1.1.17+nobinonly-0ubuntu1)
Ubuntu 11.10 (Oneiric Ocelot):released (1.1.17+nobinonly-0ubuntu1)
Ubuntu 12.04 LTS (Precise Pangolin):released (1.1.17+nobinonly-0ubuntu1)
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):released (2.0.0.22+build1+nobinonly-0ubuntu0.8.04.1)
Ubuntu 10.04 LTS (Lucid Lynx):released (2.0.0.22+build1+nobinonly-0ubuntu1.nspr474)
Ubuntu 11.04 (Natty Narwhal):released (2.0.0.22+build1+nobinonly-0ubuntu1.nspr474)
Ubuntu 11.10 (Oneiric Ocelot):released (2.0.0.22+build1+nobinonly-0ubuntu1.nspr474)
Ubuntu 12.04 LTS (Precise Pangolin):released (2.0.0.22+build1+nobinonly-0ubuntu1.nspr474)
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):released (1.9.0.9+nobinonly-0ubuntu0.8.04.1)
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 11.04 (Natty Narwhal):DNE
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):ignored (reached end-of-life)
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 11.04 (Natty Narwhal):DNE
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
Package
Upstream:needs-triage
Ubuntu 8.04 LTS (Hardy Heron):DNE
Ubuntu 10.04 LTS (Lucid Lynx):DNE
Ubuntu 11.04 (Natty Narwhal):DNE
Ubuntu 11.10 (Oneiric Ocelot):DNE
Ubuntu 12.04 LTS (Precise Pangolin):DNE
More Information

Valid XHTML 1.0 Strict

Updated: 2012-06-01 15:19:47 UTC (commit 5347)