<<< Date Index >>>     <<< Thread Index >>>

[SECURITY] [DSA 1621-1] New icedove packages fix several vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1621-1                  security@xxxxxxxxxx
http://www.debian.org/security/                       Moritz Muehlenhoff
July 27, 2008                         http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-0304 CVE-2008-2785 CVE-2008-2798 CVE-2008-2799 
CVE-2008-2802 CVE-2008-2803 CVE-2008-2807 CVE-2008-2809 CVE-2008-2811

Several remote vulnerabilities have been discovered in the Icedove
mail client, an unbranded version of the Thunderbird client. The Common
Vulnerabilities and Exposures project identifies the following
problems:

CVE-2008-0304

    It was discovered that a buffer overflow in MIME decoding can lead
    to the execution of arbitrary code.

CVE-2008-2785

    It was discovered that missing boundary checks on a reference
    counter for CSS objects can lead to the execution of arbitrary code.

CVE-2008-2798

    Devon Hubbard, Jesse Ruderman and Martijn Wargers discovered
    crashes in the layout engine, which might allow the execution of
    arbitrary code.

CVE-2008-2799

    Igor Bukanov, Jesse Ruderman and Gary Kwong discovered crashes in
    the Javascript engine, which might allow the execution of arbitrary code.

CVE-2008-2802

    "moz_bug_r_a4" discovered that XUL documements can escalate
    privileges by accessing the pre-compiled "fastload" file.

CVE-2008-2803

    "moz_bug_r_a4" discovered that missing input sanitising in the
    mozIJSSubScriptLoader.loadSubScript() function could lead to the
    execution of arbitrary code. Iceweasel itself is not affected, but
    some addons are.

CVE-2008-2807

    Daniel Glazman discovered that a programming error in the code for
    parsing .properties files could lead to memory content being
    exposed to addons, which could lead to information disclosure.

CVE-2008-2809

    John G. Myers, Frank Benkstein and Nils Toedtmann discovered that
    alternate names on self-signed certificates were handled
    insufficiently, which could lead to spoofings secure connections.

CVE-2008-2811

    Greg McManus discovered discovered a crash in the block reflow
    code, which might allow the execution of arbitrary code.

For the stable distribution (etch), these problems have been fixed in
version 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1. Packages for
s390 are not yet available and will be provided later.

For the unstable distribution (sid), these problems have been fixed in
version 2.0.0.16-1.

We recommend that you upgrade your icedove package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1.dsc
    Size/MD5 checksum:     1982 f3c2c78e178cc5d918727b6a9f4ca9fb
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d.orig.tar.gz
    Size/MD5 checksum: 34581452 4fb6289f43f89b04e5eda6844ae6c988
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1.diff.gz
    Size/MD5 checksum:   640682 66921d4b0aee62189770d0b1d9a27be3

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
    Size/MD5 checksum:    29552 463f08cd0992af2e5f5226983533ad1c
  
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
    Size/MD5 checksum:    29562 d19102f43c4938d796969c34952c0259
  
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
    Size/MD5 checksum:    29560 75f70ee24e4fc0a2573151f80545f523
  
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
    Size/MD5 checksum:    29546 afb54879e2c649e70328fe8096593197
  
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
    Size/MD5 checksum:    29560 004cb74dea9c951be193df990c49f4be
  
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
    Size/MD5 checksum:    29532 27605ca5220ba1fcc72392e6f1dc2387
  
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
    Size/MD5 checksum:    29556 8b55d0217a91ea8a4687f904ca799fa9
  
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
    Size/MD5 checksum:    29540 14fdb36a83b334276d25b72052d57508
  
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
    Size/MD5 checksum:    29538 34727cf9881337c6008ef858a694435c
  
http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_all.deb
    Size/MD5 checksum:    29518 943247aaa34c1ee99d978da3dd808a87

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_alpha.deb
    Size/MD5 checksum:   199850 4c11e28fd59e653b3eb658b61e2387f1
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_alpha.deb
    Size/MD5 checksum:  3961436 6ab569e6a44fdc98be141dfc28f5e514
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_alpha.deb
    Size/MD5 checksum: 13479948 e43c67c22b424d006b30f8177eff89da
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_alpha.deb
    Size/MD5 checksum: 52450056 38ad437d2112c5dc8b837fa29d3700a2
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_alpha.deb
    Size/MD5 checksum:    54012 66f8f15764fa5cfedc2e30067d90142c
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_alpha.deb
    Size/MD5 checksum:    64780 b76ba21a7891b910257aec92ff5f8ebe

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_amd64.deb
    Size/MD5 checksum:    62014 e7976085b2877a5aa0f67e2f39f13acf
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_amd64.deb
    Size/MD5 checksum: 51546632 f71a5976ecb276f9e7185d096ba571dc
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_amd64.deb
    Size/MD5 checksum:    53060 39ee5c0d7973a479e0fec5de206445ec
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_amd64.deb
    Size/MD5 checksum: 12188986 5b5a722c065939a30ace6c86e4902291
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_amd64.deb
    Size/MD5 checksum:  3681364 9c9e3f9b7e5aeb16219d3d637ea5a0b3
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_amd64.deb
    Size/MD5 checksum:   196636 80a17a741ff4e0a6fa84217c84832c90

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_arm.deb
    Size/MD5 checksum:   190508 b892bdbe503c1140b5ed96373764f315
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_arm.deb
    Size/MD5 checksum:  3925126 ca5c77ace501dc663abfa9a2581d0321
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_arm.deb
    Size/MD5 checksum:    47896 d623d4e1136ed42825e1cc35174b8f10
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_arm.deb
    Size/MD5 checksum: 10905516 9db335c210f30324296b88d3679db10a
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_arm.deb
    Size/MD5 checksum: 50902100 c0373e23fc224f274b9d9f0927ce6fc7
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_arm.deb
    Size/MD5 checksum:    59720 dba7b3f17729dda646170a579b6513db

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_hppa.deb
    Size/MD5 checksum: 13663278 fdca35ec0058f78e82d03788892902af
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_hppa.deb
    Size/MD5 checksum:  3958520 8ff63b8cfd865e22517ac167ae5722ee
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_hppa.deb
    Size/MD5 checksum: 52367754 3437b821482cf35a579d210a713008b5
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_hppa.deb
    Size/MD5 checksum:    53614 7b94d83de91fc8f186e0cd7bc7bad832
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_hppa.deb
    Size/MD5 checksum:   199870 9ff9dd34f19070f1bcca39c1b480047f
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_hppa.deb
    Size/MD5 checksum:    65800 14938ff602d4644553d24d099c969e4a

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_i386.deb
    Size/MD5 checksum:    48980 795870fd4758467f8e492140ac594ece
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_i386.deb
    Size/MD5 checksum:    59020 98e853ac8690f092f6487133a8204512
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_i386.deb
    Size/MD5 checksum:  3677854 2dfef77faa7628cc692bf541a0d22a78
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_i386.deb
    Size/MD5 checksum: 10916926 36349932631a29b67fe5fce24f9adf6a
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_i386.deb
    Size/MD5 checksum: 50802416 b37577565030cf995e473b0d3e20792c
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_i386.deb
    Size/MD5 checksum:   191610 e59fad8c9711e5accf576c1f841989a7

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_ia64.deb
    Size/MD5 checksum:   205674 539dc88338b19d01637ec3afbd4fde20
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_ia64.deb
    Size/MD5 checksum: 16573824 00750603608ecb0d33350c7b04d1238a
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_ia64.deb
    Size/MD5 checksum:  3730216 79018f5828e4965b7323b8e632d0be83
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_ia64.deb
    Size/MD5 checksum: 51844298 1466152deb275dd5582f6a905489c3f2
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_ia64.deb
    Size/MD5 checksum:    75038 23a5cdf5762bb0dbef4a00ce4d0473d7
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_ia64.deb
    Size/MD5 checksum:    60392 4be2576cda9e1f5c828f5da7b4f8f9d1

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mips.deb
    Size/MD5 checksum:  3950320 f0ab200f288ab06ca52fa3717d91ebc6
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mips.deb
    Size/MD5 checksum: 11620928 fdd43e5db08db0d202f0ad47ac1219d2
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mips.deb
    Size/MD5 checksum:   193508 9187a8e2616da652b8a75d549c3bd077
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mips.deb
    Size/MD5 checksum:    48738 0b51bfd611db7d28eeda296967b54483
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mips.deb
    Size/MD5 checksum:    59216 b48b446110f5d48df4b7f99ff77fc337
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mips.deb
    Size/MD5 checksum: 53174806 f37efd01e3733135acb4a0a90a4e223f

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mipsel.deb
    Size/MD5 checksum: 51738000 11a6dc26b73f4e2b3aa7060e3b5d864d
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mipsel.deb
    Size/MD5 checksum:   192936 36f6670e7045beae00ade70e9f71ce3d
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mipsel.deb
    Size/MD5 checksum: 11368146 d7fbd31e25b50de4c6daf5f28a95d5f5
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mipsel.deb
    Size/MD5 checksum:    59606 2a552e82279ecf9f291341dcf37a6228
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mipsel.deb
    Size/MD5 checksum:    49918 ca4d8ba417208cfe7bca37b30dd4c625
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_mipsel.deb
    Size/MD5 checksum:  3685232 135701696c633f2171591b38406f0e32

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_powerpc.deb
    Size/MD5 checksum:   193688 344e8c0d6c9b69c5377c5521e994ceff
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_powerpc.deb
    Size/MD5 checksum: 11818840 bd2c329c7ad8895f1adbc5da401a0cdb
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_powerpc.deb
    Size/MD5 checksum:  3680394 373f1fc16a30ac3fc206e134d2f874b2
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_powerpc.deb
    Size/MD5 checksum:    50538 c48cda9801366960ebe3a51568adb177
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_powerpc.deb
    Size/MD5 checksum: 53345336 845557409c6f0a88bebddc1d5f69c77a
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_powerpc.deb
    Size/MD5 checksum:    61378 63e5f8580b9e72d5ac6af1125791bca5

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_sparc.deb
    Size/MD5 checksum: 50694834 44c3b9706f65e089c4e1ae836471c674
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_sparc.deb
    Size/MD5 checksum:    59040 33096f950a885fe57779db8d7838faae
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_sparc.deb
    Size/MD5 checksum:  3675032 1f82018e9aa522b5bc6585e42ad98cac
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_sparc.deb
    Size/MD5 checksum:    49044 70d8353f8fc8a6b3d7ec415870c227e6
  
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_sparc.deb
    Size/MD5 checksum: 11125910 4def9751172a0041a02e135bf8fa3184
  
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614d-0etch1_sparc.deb
    Size/MD5 checksum:   191136 26ba8ae4cebcc84756f36817a67c2e2b


  These files will probably be moved into the stable distribution on
  its next update.

- 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkiM6qkACgkQXm3vHE4uylrLBgCeIrxfVjWZ+qFWfMCFYWLtV/kK
eGcAn1OnHqrZkT2n7ea/BJS384iqBnXS
=/r7q
-----END PGP SIGNATURE-----