Debian: New iceweasel packages fix several vulnerabilities

    Date: 08 Oct 2008
    Category: Debian
    Posted By: LinuxSecurity Advisories
    ------------------------------------------------------------------------
    Debian Security Advisory DSA-1649-1
    http://www.debian.org/security/                       Moritz Muehlenhoff
    October 08, 2008                      http://www.debian.org/security/faq
    ------------------------------------------------------------------------
    
    Package        : iceweasel
    Vulnerability  : several
    Problem-Type   : remote
    Debian-specific: no
    CVE ID         : CVE-2008-0016 CVE-2008-3835 CVE-2008-3836 CVE-2008-3837 CVE-2008-4058 CVE-2008-4059 CVE-2008-4060 CVE-2008-4061 CVE-2008-4062 CVE-2008-4065 CVE-2008-4066 CVE-2008-4067 CVE-2008-4068 CVE-2008-4069
    
    Several remote vulnerabilities have been discovered in the Iceweasel web
    browser, an unbranded version of the Firefox browser. The Common
    Vulnerabilities and Exposures project identifies the following problems:
     
    CVE-2008-0016
    
       Justin Schuh, Tom Cross and Peter Williams discovered a buffer
       overflow in the parser for UTF-8 URLs, which may lead to the
       execution of arbitrary code.
    
    CVE-2008-3835
    
       "moz_bug_r_a4" discovered that the same-origin check in
       nsXMLDocument::OnChannelRedirect() could be bypassed.
    
    CVE-2008-3836
    
       "moz_bug_r_a4" discovered that several vulnerabilities in
       feedWriter could lead to Chrome privilege escalation.
    
    CVE-2008-3837
    
       Paul Nickerson discovered that an attacker could move windows
       during a mouse click, resulting in unwanted action triggered by
       drag-and-drop.
    
    CVE-2008-4058
    
       "moz_bug_r_a4" discovered a vulnerability which can result in
       Chrome privilege escalation through XPCNativeWrappers.
    
    CVE-2008-4059
    
       "moz_bug_r_a4" discovered a vulnerability which can result in
       Chrome privilege escalation through XPCNativeWrappers.
    
    CVE-2008-4060
    
       Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege
       escalation vulnerability in XSLT handling.
    
    CVE-2008-4061
    
       Jesse Ruderman discovered a crash in the layout engine, which might
       allow the execution of arbitrary code.
    
    CVE-2008-4062
    
       Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour
       discovered crashes in the JavaScript engine, which might allow the
       execution of arbitrary code.
    
    CVE-2008-4065
    
       Dave Reed discovered that some Unicode byte order marks are
       stripped from JavaScript code before execution, which can result in
       the execution of code that would otherwise be part of a quoted
       string.
    
    CVE-2008-4066
    
       Gareth Heyes discovered that some Unicode surrogate characters are
       ignored by the HTML parser.
    
    CVE-2008-4067
    
       Boris Zbarsky discovered that resource: URLs allow directory
       traversal when using URL-encoded slashes.
    
    CVE-2008-4068
    
       Georgi Guninski discovered that resource: URLs could bypass local
       access restrictions.
    
    CVE-2008-4069
    
       Billy Hoffman discovered that the XBM decoder could reveal
       uninitialised memory.
    
    For the stable distribution (etch), these problems have been fixed in
    version 2.0.0.17-0etch1. Packages for hppa will be provided later.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 3.0.3 of iceweasel and 1.9.0.3-1 of xulrunner.
    
    We recommend that you upgrade your iceweasel package.
    
    Upgrade instructions
    --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    -------------------------------
    
    Stable updates are available for alpha, amd64, arm, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main