Debian: DSA-2569-1: icedove security update

    Date: 29 Oct 2012
    Category: Debian
    Posted By: LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-2569-1
    http://www.debian.org/security/                            Florian Weimer
    October 29, 2012                       http://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : icedove
    Vulnerability  : several
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2012-3982 CVE-2012-3986 CVE-2012-3990 CVE-2012-3991
                     CVE-2012-4179 CVE-2012-4180 CVE-2012-4182 CVE-2012-4186
                     CVE-2012-4188
    
    Multiple vulnerabilities have been discovered in Icedove, Debian's
    version of the Mozilla Thunderbird mail client.  The Common
    Vulnerabilities and Exposures project identifies the following
    problems:
    
    CVE-2012-3982
    	Multiple unspecified vulnerabilities in the browser engine
    	allow remote attackers to cause a denial of service (memory
    	corruption and application crash) or possibly execute
    	arbitrary code via unknown vectors.
    
    CVE-2012-3986
    	Icedove does not properly restrict calls to DOMWindowUtils
    	methods, which allows remote attackers to bypass intended
    	access restrictions via crafted JavaScript code.
    
    CVE-2012-3990
    	A use-after-free vulnerability in the IME State Manager
    	implementation allows remote attackers to execute arbitrary
    	code via unspecified vectors, related to the
    	nsIContent::GetNameSpaceID function.
    
    CVE-2012-3991
    	Icedove does not properly restrict JSAPI access to the
    	GetProperty function, which allows remote attackers to bypass
    	the Same Origin Policy and possibly have unspecified other
    	impact via a crafted web site.
    
    CVE-2012-4179
    	A use-after-free vulnerability in the
    	nsHTMLCSSUtils::CreateCSSPropertyTxn function allows remote
    	attackers to execute arbitrary code or cause a denial of
    	service (heap memory corruption) via unspecified vectors.
    
    CVE-2012-4180
    	A heap-based buffer overflow in the
    	nsHTMLEditor::IsPrevCharInNodeWhitespace function allows
    	remote attackers to execute arbitrary code via unspecified
    	vectors.
    
    CVE-2012-4182
    	A use-after-free vulnerability in the
    	nsTextEditRules::WillInsert function allows remote attackers
    	to execute arbitrary code or cause a denial of service (heap
    	memory corruption) via unspecified vectors.
    
    CVE-2012-4186
    	A heap-based buffer overflow in the
    	nsWaveReader::DecodeAudioData function allows remote attackers
    	to execute arbitrary code via unspecified vectors.
    
    CVE-2012-4188
    	A heap-based buffer overflow in the Convolve3x3 function
    	allows remote attackers to execute arbitrary code via
    	unspecified vectors.
    
    For the stable distribution (squeeze), these problems have been fixed
    in version 3.0.11-1+squeeze14.
    
    For the testing distribution (wheezy) and the unstable distribution
    (sid), these problems have been fixed in version 10.0.9-1.
    
    We recommend that you upgrade your icedove packages.
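
A way to check a package inventory against the fixed versions listed above, added here as an example and not part of the advisory. It reimplements Debian's version ordering (epoch, `~`, numeric chunks) so it can run away from the hosts themselves; the host names and installed versions in the inventory are constructed.

```python
import re
from itertools import zip_longest

# Fixed versions as stated in DSA-2569-1.
FIXED = {"squeeze": "3.0.11-1+squeeze14", "wheezy": "10.0.9-1", "sid": "10.0.9-1"}

def _order(c):
    # dpkg ordering: '~' sorts before end-of-string, letters before other characters.
    if c == "~":
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating (non-digit text, number) chunks; missing chunks count as ("", 0).
    split = lambda s: [(t, int(n or 0)) for t, n in re.findall(r"(\D*)(\d*)", s) if t or n]
    for (ta, na), (tb, nb) in zip_longest(split(a), split(b), fillvalue=("", 0)):
        for ca, cb in zip_longest(ta, tb, fillvalue=""):
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return -1 if oa < ob else 1
        if na != nb:  # numeric comparison, so squeeze9 < squeeze14
            return -1 if na < nb else 1
    return 0

def parse(v):
    # [epoch:]upstream[-revision]; the revision follows the last hyphen.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, sep, rev = rest.rpartition("-")
    return (int(epoch), upstream, rev) if sep else (int(epoch), rest, "")

def deb_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def needs_upgrade(release, installed):
    return deb_cmp(installed, FIXED[release]) < 0

# Constructed inventory: (host, release, icedove version as reported by `dpkg-query -W icedove`).
INVENTORY = [
    ("mail-gw1", "squeeze", "3.0.11-1+squeeze9"),
    ("desk-14", "squeeze", "3.0.11-1+squeeze14"),
    ("desk-22", "wheezy", "10.0.7-1"),
    ("dev-03", "sid", "10.0.10-1"),
]

def vulnerable_hosts(inventory):
    return [host for host, rel, ver in inventory if needs_upgrade(rel, ver)]

if __name__ == "__main__":
    print(vulnerable_hosts(INVENTORY))
```

A plain string comparison would rank `squeeze9` above `squeeze14` and `10.0.10` below `10.0.9`, which is why the chunks are compared numerically.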
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
    
    