CVE-2009-3376

Publication date 29 October 2009

Last updated 24 July 2024

Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
firefox-3.0	9.10 karmic	Not in release
	9.04 jaunty	Fixed 3.0.15+nobinonly-0ubuntu0.9.04.1
	8.10 intrepid	Fixed 3.0.15+nobinonly-0ubuntu0.8.10.1
	8.04 LTS hardy	Fixed 3.0.15+nobinonly-0ubuntu0.8.04.1
	6.06 LTS dapper	Not in release
firefox-3.5	9.10 karmic	Fixed 3.5.4+nobinonly-0ubuntu0.9.10.1
	9.04 jaunty	Fixed 3.5.4+nobinonly-0ubuntu0.9.04.1
	8.10 intrepid	Not in release
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release
thunderbird	9.10 karmic	Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.9.10.1
	9.04 jaunty	Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.9.04.1
	8.10 intrepid	Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.8.10.1
	8.04 LTS hardy	Fixed 2.0.0.24+build1+nobinonly-0ubuntu0.8.04.1
	6.06 LTS dapper	Not in release
xulrunner-1.9	9.10 karmic	Not in release
	9.04 jaunty	Fixed 1.9.0.15+nobinonly-0ubuntu0.9.04.1
	8.10 intrepid	Fixed 1.9.0.15+nobinonly-0ubuntu0.8.10.1
	8.04 LTS hardy	Fixed 1.9.0.15+nobinonly-0ubuntu0.8.04.1
	6.06 LTS dapper	Not in release
xulrunner-1.9.1	9.10 karmic	Fixed 1.9.1.4+nobinonly-0ubuntu0.9.10.1
	9.04 jaunty	Fixed 1.9.1.4+nobinonly-0ubuntu0.9.04.3
	8.10 intrepid	Not in release
	8.04 LTS hardy	Not in release
	6.06 LTS dapper	Not in release

References

Related Ubuntu Security Notices (USN)

USN-915-1
Thunderbird vulnerabilities
18 March 2010

USN-853-1
Firefox and Xulrunner vulnerabilities
31 October 2009

Other references

https://www.cve.org/CVERecord?id=CVE-2009-3376