<<< Date Index >>>     <<< Thread Index >>>

[SECURITY] [DSA 1391-1] New icedove packages fix several vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1391-1                    security@xxxxxxxxxx
http://www.debian.org/security/                         Moritz Muehlenhoff
October 19th, 2007                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2007-3734 CVE-2007-3735 CVE-2007-3844 CVE-2007-3845 
CVE-2007-5339 CVE-2007-5340

Several remote vulnerabilities have been discovered in the Icedove mail client,
an unbranded version of the Thunderbird client. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2007-3734

    Bernd Mielke, Boris Zbarsky, David Baron, Daniel Veditz, Jesse Ruderman,
    Lukas Loehrer, Martijn Wargers, Mats Palmgren, Olli Pettay, Paul
    Nickerson and Vladimir Sukhoy discovered crashes in the layout engine,
    which might allow the execution of arbitrary code.

CVE-2007-3735

    Asaf Romano, Jesse Ruderman and Igor Bukanov discovered crashes in the
    javascript engine, which might allow the execution of arbitrary code.

CVE-2007-3844

    "moz_bug_r_a4" discovered that a regression in the handling of
    "about:blank" windows used by addons may lead to an attacker being
    able to modify the content of web sites.

CVE-2007-3845

    Jesper Johansson discovered that missing sanitising of double-quotes
    and spaces in URIs passed to external programs may allow an attacker
    to pass arbitrary arguments to the helper program if the user is
    tricked into opening a malformed web page.

CVE-2007-5339
 
    L. David Baron, Boris Zbarsky, Georgi Guninski, Paul Nickerson, Olli Pettay,
    Jesse Ruderman, Vladimir Sukhoy, Daniel Veditz, and Martijn Wargers 
discovered
    crashes in the layout engine, which might allow the execution of arbitrary 
code.

CVE-2007-5340

    Igor Bukanov, Eli Friedman, and Jesse Ruderman discovered crashes in the
    Javascript engine, which might allow the execution of arbitrary code. 
Generally,
    enabling Javascript in Icedove is not recommended.

The Mozilla products in the oldstable distribution (sarge) are no longer
supported with security updates.

For the stable distribution (etch) these problems have been fixed in version
1.5.0.13+1.5.0.14b.dfsg1-0etch1. Builds for hppa will be provided later.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your icedove packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

  Source archives:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1.dsc
      Size/MD5 checksum:     1934 5037f765746ad92c73e0e95ab4988272
    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1.diff.gz
      Size/MD5 checksum:   639834 43c96d5fcdf34ebb5c069dc4378a965b
    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1.orig.tar.gz
      Size/MD5 checksum: 34229032 9cc1dca6142d6b1044e78026b53968c1

  Architecture independent components:

    
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28682 b7f1a7e3ea1149a9767539be1c19acbb
    
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28694 53bb2afe9384039094219bb14da3727a
    
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28698 6df3bdfb10692d1057b64c49c8f93a5a
    
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28670 7d12e5160a91e489bc481c5a05024776
    
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28668 d0a07a5a35dda48ed3a521596ec3b620
    
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28674 96dc6c4e9629612f7f7fa5ba8276bb4e
    
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28684 2195e5213a818c01569199922f943178
    
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28678 eadcb03b9cf28fdad9e0555e83c697a6
    
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28696 b0c1366f5a530674ec66b578db206bde
    
http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.13+1.5.0.14b.dfsg1-0etch1_all.deb
      Size/MD5 checksum:    28654 2090a750ed666d208905b82d684668d3

  Alpha architecture:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum: 13477820 f3a6a6e49d63ff96469075b51ec00e53
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum: 52380964 ba66fa325d9ee5a81a41bf475c4dca6e
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum:  3958088 b590d691047b14234e06d86b2d499b8b
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum:    52226 f87b9fc43fe204e7601f04af40f74a65
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum:   200550 4efd9b2fac6f4ded2b6a77ef4c836508
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_alpha.deb
      Size/MD5 checksum:    64440 fac79a2479f022d8360f4546f3eee0c2

  AMD64 architecture:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum: 12169764 dfc903a949bba53bd63f40fdc184e8e3
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum: 51475050 acef2a67aed70c9600d94b57863b77b7
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum:  3676870 e76acc39db8446c406acca7887be7f43
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum:    52070 4da21cca0d9fcb2194c0c87af58a0a47
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum:   195718 24993c2fe872d47802ffb85aa216c3c1
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_amd64.deb
      Size/MD5 checksum:    61152 daeca534072d6b581b8dda7157944925

  ARM architecture:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb
      Size/MD5 checksum: 10887054 e17f25f197173789364e181a6cd23f61
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb
      Size/MD5 checksum: 50827196 5d86bfb3dcebd97ac8182e0e3f95d1e2
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb
      Size/MD5 checksum:  3919820 d442262ccc5a44cbcd7a5f64fe8eb37b
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb
      Size/MD5 checksum:    47176 64c99299d7fc3a683b421a8dc5d1f02a
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb
      Size/MD5 checksum:   189960 b83f0f0fc068e98964629cc9e5abe4ec
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_arm.deb
      Size/MD5 checksum:    58784 3dbf10421174d1ca69ac3ff1dc792913

  Intel IA-32 architecture:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb
      Size/MD5 checksum: 10907250 1199372b7db30d88866d8593ab623fa4
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb
      Size/MD5 checksum: 50727826 05b724998e5ad5ab979f1f617133677f
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb
      Size/MD5 checksum:  3673196 0081310d1c9e694b66e76d61c1991ba9
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb
      Size/MD5 checksum:    47998 fecad4abe4563d7ef3cb1241237cc48f
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb
      Size/MD5 checksum:   190752 a04352a82bdd8b1e44d893e52e2c8f78
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_i386.deb
      Size/MD5 checksum:    58096 605dadf61f57c94fe3ecfe64f61a60e2

  Intel IA-64 architecture:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum: 16549542 192455836f9d3eb042f31a764e26cabf
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum: 51779230 f6bb62bfefa37428bc974296aefe71af
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum:  3725888 6f3ce218d453889fe559279eefb04f0c
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum:    59474 fabb1f94e5f63a0e104c011ac69d48a1
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum:   204796 a5ecb32106350803a9484be3518d370f
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_ia64.deb
      Size/MD5 checksum:    74168 827a5b641d4636b9ec0989bc00696f12

  Big endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb
      Size/MD5 checksum: 11578122 8ff9399d2ee8a78a08e92e9df127ba9e
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb
      Size/MD5 checksum: 53098688 857aa81aa88e57b008d79968ac485be5
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb
      Size/MD5 checksum:  3681558 801a505ed2047dc3529f2f0892970b12
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb
      Size/MD5 checksum:    49180 70feb0d4c30be9021fad80326e508d70
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb
      Size/MD5 checksum:   192564 8cc78754e7b0e1a8f3719ede7b3b5fd9
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mips.deb
      Size/MD5 checksum:    58626 4a17a19e3566abd93b03c42d57e11373

  Little endian MIPS architecture:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum: 11357332 f2ce1e851f2901f347e36c911b34f0bd
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum: 51668660 52e861adbf9db87800e72fba8927be4a
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum:  3681328 38cb9f4e2bec05c0d4d87bc0a37c8227
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum:    49046 a81ede66fa203d422cab4229f41d4acf
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum:   192066 14bd132627dda77ebd51c35a16ba4177
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_mipsel.deb
      Size/MD5 checksum:    58692 462392c1a31cb10c369113aa8e9ed2b4

  PowerPC architecture:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum: 11802298 e2a2e2a68725e9199bb6577cf1915c2d
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum: 53275990 28257c9a2f527a42fd13af8d1374b326
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum:  3676086 8b102b424b32292623e4d6fb58bd22d5
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum:    49662 671b9ef6d16dad0e5c78fe1179ccfb03
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum:   192760 3647291657831f9e7521042f45c0a21e
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_powerpc.deb
      Size/MD5 checksum:    60496 e3db6721e38912f876f9d8a659180c98

  IBM S/390 architecture:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb
      Size/MD5 checksum: 12828684 668ac711c1a1e799aec0d67cc4c67b98
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb
      Size/MD5 checksum: 52146038 805635d08025fefeab7d1c25ff635181
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb
      Size/MD5 checksum:  3679950 02543a6b8725e78b7a5feaa8bf0d9811
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb
      Size/MD5 checksum:    52698 032c290706967610dcf2f453e58168ac
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb
      Size/MD5 checksum:   197474 fdafe757e29a035228b975a01245bcaf
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_s390.deb
      Size/MD5 checksum:    62246 29e686985a17d0815df3f8ff78673e1a

  Sun Sparc architecture:

    
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum: 11112636 6db1588af2492a6858b864d7c48ea6cd
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum: 50625596 d312e6e9c3281a3f6afa2ec8d36a5fac
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum:  3669498 8fb7f294f0605a6350d1389c2ca0a672
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum:    48158 99b3bc04292ba6c173f44342e8c75f00
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum:   190272 d6d20cf4bf48f0d446d14c4df31f70bb
    
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.14b.dfsg1-0etch1_sparc.deb
      Size/MD5 checksum:    58184 d5c1f9f6d261da2eb051e5acecef6818


  These files will probably be moved into the stable distribution on
  its next update.

- 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHGNMHXm3vHE4uyloRAlPxAKCzC297IIqGthDyHsVppj3ExXcDqACfV7ku
qkbOGWZJf7x2q0b1+SGLjJw=
=yjIf
-----END PGP SIGNATURE-----