Debian: New iceweasel packages fix several vulnerabilities

    Date24 Nov 2008
    CategoryDebian
    3857
    Posted ByLinuxSecurity Advisories
    Justin Schuh discovered that a buffer overflow in the http-index-format parser could lead to arbitrary code execution.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1671-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                       Moritz Muehlenhoff
    November 24, 2008                     http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : iceweasel
    Vulnerability  : several
    Problem type   : remote
    Debian-specific: no
    CVE ID         : CVE-2008-0017 CVE-2008-4582 CVE-2008-5012 CVE-2008-5013 CVE-2008-5014 CVE-2008-5017 CVE-2008-5018 CVE-2008-5021 CVE-2008-5022 CVE-2008-5023 CVE-2008-5024
    
    Several remote vulnerabilities have been discovered in the Iceweasel
    webbrowser, an unbranded version of the Firefox browser. The Common 
    Vulnerabilities and Exposures project identifies the following problems:
    
    CVE-2008-0017
       
       Justin Schuh discovered that a buffer overflow in the http-index-format
       parser could lead to arbitrary code execution.
    
    CVE-2008-4582
    
       Liu Die Yu discovered an information leak through local shortcut
       files.
    
    CVE-2008-5012
    
       Georgi Guninski, Michal Zalewski and Chris Evan discovered that
       the canvas element could be used to bypass same-origin
       restrictions.
    
    CVE-2008-5013
    
       It was discovered that insufficient checks in the Flash plugin glue
       code could lead to arbitrary code execution.
    
    CVE-2008-5014
    
       Jesse Ruderman discovered that a programming error in the
       window.__proto__.__proto__ object could lead to arbitrary code
       execution.
    
    CVE-2008-5017
    
       It was discovered that crashes in the layout engine could lead to
       arbitrary code execution.
    
    CVE-2008-5018
    
       It was discovered that crashes in the Javascript engine could lead to
       arbitrary code execution.
    
    CVE-2008-5021
    
       It was discovered that a crash in the nsFrameManager might lead to
       the execution of arbitrary code.
    
    CVE-2008-5022
    
       "moz_bug_r_a4" discovered that the same-origin check in
       nsXMLHttpRequest::NotifyEventListeners() could be bypassed.
    
    CVE-2008-5023
    
       Collin Jackson discovered that the -moz-binding property bypasses
       security checks on codebase principals.
    
    CVE-2008-5024
    
       Chris Evans discovered that quote characters were improperly
       escaped in the default namespace of E4X documents.
    
    For the stable distribution (etch), these problems have been fixed in
    version 2.0.0.18-0etch1.
    
    For the upcoming stable distribution (lenny) and the unstable distribution
    (sid), these problems have been fixed in version 3.0.4-1 of iceweasel 
    and version 1.9.0.4-1 of xulrunner. Packages for arm and mips will be
    provided soon.
    
    We recommend that you upgrade your iceweasel package.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 4.0 alias etch
    - -------------------------------
    
    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1.diff.gz
        Size/MD5 checksum:   186777 18d2492164c72b846fab74bd75a69e1b
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18.orig.tar.gz
        Size/MD5 checksum: 47266681 ad1a208d95dedeafddbe7377de88d4d9
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1.dsc
        Size/MD5 checksum:     1289 84983c4e7f053c1f0eb3ea3d154bc6ad
    
    Architecture independent packages:
    
      http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-gnome-support_2.0.0.18-0etch1_all.deb
        Size/MD5 checksum:    54478 73ed36d6990d6b86e8fccef00a9029b1
      http://security.debian.org/pool/updates/main/i/iceweasel/firefox-dom-inspector_2.0.0.18-0etch1_all.deb
        Size/MD5 checksum:    54626 bcc4bd1443fe23e5311396949bac9f32
      http://security.debian.org/pool/updates/main/i/iceweasel/firefox-gnome-support_2.0.0.18-0etch1_all.deb
        Size/MD5 checksum:    54596 62200645f81cd0e505fd40382333d010
      http://security.debian.org/pool/updates/main/i/iceweasel/firefox_2.0.0.18-0etch1_all.deb
        Size/MD5 checksum:    54742 045a9714ca0a04061cee79bc16b4b940
      http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox_2.0.0.18-0etch1_all.deb
        Size/MD5 checksum:    55274 09fdae147e16b09ad51544ab1fd218e6
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dom-inspector_2.0.0.18-0etch1_all.deb
        Size/MD5 checksum:   239810 beeee1e8cab02ec9a70d89df8db4610b
      http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-dom-inspector_2.0.0.18-0etch1_all.deb
        Size/MD5 checksum:    54480 15636d866284ca7caf11bd939792df97
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_alpha.deb
        Size/MD5 checksum: 11587524 82c7dae5efa5f21333843c5204036f9d
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_alpha.deb
        Size/MD5 checksum: 51194740 8a6f236c8bef5e6b0b16df05a7fd866d
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_alpha.deb
        Size/MD5 checksum:    90332 8791b1fcc9a3bbfcaac993d65b1b77cd
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_amd64.deb
        Size/MD5 checksum:    88014 4e4a404cb859067e8804b793b06b1a5a
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_amd64.deb
        Size/MD5 checksum: 50189682 3fe64a570e13497a49ac77972ead0ac0
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_amd64.deb
        Size/MD5 checksum: 10213098 a38d4ae01ab60abab641411ee7aedba1
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_hppa.deb
        Size/MD5 checksum: 50566700 b1c063d6d40829a2301eecef32549f5e
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_hppa.deb
        Size/MD5 checksum:    89800 967a00e25f5584ba2790e6f00a716c4e
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_hppa.deb
        Size/MD5 checksum: 11119984 683938c6cedee58201ec5d9428360f6a
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_i386.deb
        Size/MD5 checksum:  9126828 d2dd8a62f98c9136bbce2c52919c637a
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_i386.deb
        Size/MD5 checksum:    82124 2d965fe0779f11d12157babf407a25a0
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_i386.deb
        Size/MD5 checksum: 49579624 c543f12165ffc2034cae25d36b258c83
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_ia64.deb
        Size/MD5 checksum: 14163520 5d3f1430543e78579bfa7aa390ac6d80
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_ia64.deb
        Size/MD5 checksum: 50533560 361db4abc1d5427fad23619ba2308286
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_ia64.deb
        Size/MD5 checksum:   100336 64b08280ff519215f2c6c77eb20ffed7
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_mipsel.deb
        Size/MD5 checksum: 52534114 eb211ddd6ef9fca7daa921913772a50a
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_mipsel.deb
        Size/MD5 checksum: 10768188 333f49d0aaea41be09d14dc518e9a215
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_mipsel.deb
        Size/MD5 checksum:    83286 e95b3453554c0b62411967cd8489595b
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_powerpc.deb
        Size/MD5 checksum:    83850 f58384f43ff563f835c0076959ef40b8
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_powerpc.deb
        Size/MD5 checksum: 51988102 3b89980f834495425e20a2b6f145339e
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_powerpc.deb
        Size/MD5 checksum:  9942022 b7be7ce0eec7a276351f6308a1a8c2ae
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_s390.deb
        Size/MD5 checksum: 50865174 5142df57b35fad2b1654ff9cae873a69
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_s390.deb
        Size/MD5 checksum: 10369888 0aa6fbd381a6259ff95d3257199ab372
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_s390.deb
        Size/MD5 checksum:    88268 5a027d5880f4499e399d75e9424c8ef2
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_sparc.deb
        Size/MD5 checksum: 49199006 210022771108894873f4f2becf3675b9
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_sparc.deb
        Size/MD5 checksum:    82072 2a76c78e38d756f2261da449f8215fe4
      http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_sparc.deb
        Size/MD5 checksum:  9205774 1a6ea528bb676aaaf88ad8d44f5d76c6
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":55.56,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.11,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":33.33,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.