<<< Date Index >>>     <<< Thread Index >>>

[SECURITY] [DSA 1671-1] New iceweasel packages fix several vulnerabilities



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1671-1                  security@xxxxxxxxxx
http://www.debian.org/security/                       Moritz Muehlenhoff
November 24, 2008                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-0017 CVE-2008-4582 CVE-2008-5012 CVE-2008-5013 
CVE-2008-5014 CVE-2008-5017 CVE-2008-5018 CVE-2008-5021 CVE-2008-5022 
CVE-2008-5023 CVE-2008-5024

Several remote vulnerabilities have been discovered in the Iceweasel
webbrowser, an unbranded version of the Firefox browser. The Common 
Vulnerabilities and Exposures project identifies the following problems:

CVE-2008-0017
   
   Justin Schuh discovered that a buffer overflow in the http-index-format
   parser could lead to arbitrary code execution.

CVE-2008-4582

   Liu Die Yu discovered an information leak through local shortcut
   files.

CVE-2008-5012

   Georgi Guninski, Michal Zalewski and Chris Evan discovered that
   the canvas element could be used to bypass same-origin
   restrictions.

CVE-2008-5013

   It was discovered that insufficient checks in the Flash plugin glue
   code could lead to arbitrary code execution.

CVE-2008-5014

   Jesse Ruderman discovered that a programming error in the
   window.__proto__.__proto__ object could lead to arbitrary code
   execution.

CVE-2008-5017

   It was discovered that crashes in the layout engine could lead to
   arbitrary code execution.

CVE-2008-5018

   It was discovered that crashes in the Javascript engine could lead to
   arbitrary code execution.

CVE-2008-5021

   It was discovered that a crash in the nsFrameManager might lead to
   the execution of arbitrary code.

CVE-2008-5022

   "moz_bug_r_a4" discovered that the same-origin check in
   nsXMLHttpRequest::NotifyEventListeners() could be bypassed.

CVE-2008-5023

   Collin Jackson discovered that the -moz-binding property bypasses
   security checks on codebase principals.

CVE-2008-5024

   Chris Evans discovered that quote characters were improperly
   escaped in the default namespace of E4X documents.

For the stable distribution (etch), these problems have been fixed in
version 2.0.0.18-0etch1.

For the upcoming stable distribution (lenny) and the unstable distribution
(sid), these problems have been fixed in version 3.0.4-1 of iceweasel 
and version 1.9.0.4-1 of xulrunner. Packages for arm and mips will be
provided soon.

We recommend that you upgrade your iceweasel package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1.diff.gz
    Size/MD5 checksum:   186777 18d2492164c72b846fab74bd75a69e1b
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18.orig.tar.gz
    Size/MD5 checksum: 47266681 ad1a208d95dedeafddbe7377de88d4d9
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1.dsc
    Size/MD5 checksum:     1289 84983c4e7f053c1f0eb3ea3d154bc6ad

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-gnome-support_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum:    54478 73ed36d6990d6b86e8fccef00a9029b1
  
http://security.debian.org/pool/updates/main/i/iceweasel/firefox-dom-inspector_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum:    54626 bcc4bd1443fe23e5311396949bac9f32
  
http://security.debian.org/pool/updates/main/i/iceweasel/firefox-gnome-support_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum:    54596 62200645f81cd0e505fd40382333d010
  
http://security.debian.org/pool/updates/main/i/iceweasel/firefox_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum:    54742 045a9714ca0a04061cee79bc16b4b940
  
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum:    55274 09fdae147e16b09ad51544ab1fd218e6
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dom-inspector_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum:   239810 beeee1e8cab02ec9a70d89df8db4610b
  
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-dom-inspector_2.0.0.18-0etch1_all.deb
    Size/MD5 checksum:    54480 15636d866284ca7caf11bd939792df97

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_alpha.deb
    Size/MD5 checksum: 11587524 82c7dae5efa5f21333843c5204036f9d
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_alpha.deb
    Size/MD5 checksum: 51194740 8a6f236c8bef5e6b0b16df05a7fd866d
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_alpha.deb
    Size/MD5 checksum:    90332 8791b1fcc9a3bbfcaac993d65b1b77cd

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_amd64.deb
    Size/MD5 checksum:    88014 4e4a404cb859067e8804b793b06b1a5a
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_amd64.deb
    Size/MD5 checksum: 50189682 3fe64a570e13497a49ac77972ead0ac0
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_amd64.deb
    Size/MD5 checksum: 10213098 a38d4ae01ab60abab641411ee7aedba1

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_hppa.deb
    Size/MD5 checksum: 50566700 b1c063d6d40829a2301eecef32549f5e
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_hppa.deb
    Size/MD5 checksum:    89800 967a00e25f5584ba2790e6f00a716c4e
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_hppa.deb
    Size/MD5 checksum: 11119984 683938c6cedee58201ec5d9428360f6a

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_i386.deb
    Size/MD5 checksum:  9126828 d2dd8a62f98c9136bbce2c52919c637a
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_i386.deb
    Size/MD5 checksum:    82124 2d965fe0779f11d12157babf407a25a0
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_i386.deb
    Size/MD5 checksum: 49579624 c543f12165ffc2034cae25d36b258c83

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_ia64.deb
    Size/MD5 checksum: 14163520 5d3f1430543e78579bfa7aa390ac6d80
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_ia64.deb
    Size/MD5 checksum: 50533560 361db4abc1d5427fad23619ba2308286
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_ia64.deb
    Size/MD5 checksum:   100336 64b08280ff519215f2c6c77eb20ffed7

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_mipsel.deb
    Size/MD5 checksum: 52534114 eb211ddd6ef9fca7daa921913772a50a
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_mipsel.deb
    Size/MD5 checksum: 10768188 333f49d0aaea41be09d14dc518e9a215
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_mipsel.deb
    Size/MD5 checksum:    83286 e95b3453554c0b62411967cd8489595b

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_powerpc.deb
    Size/MD5 checksum:    83850 f58384f43ff563f835c0076959ef40b8
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_powerpc.deb
    Size/MD5 checksum: 51988102 3b89980f834495425e20a2b6f145339e
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_powerpc.deb
    Size/MD5 checksum:  9942022 b7be7ce0eec7a276351f6308a1a8c2ae

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_s390.deb
    Size/MD5 checksum: 50865174 5142df57b35fad2b1654ff9cae873a69
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_s390.deb
    Size/MD5 checksum: 10369888 0aa6fbd381a6259ff95d3257199ab372
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_s390.deb
    Size/MD5 checksum:    88268 5a027d5880f4499e399d75e9424c8ef2

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.18-0etch1_sparc.deb
    Size/MD5 checksum: 49199006 210022771108894873f4f2becf3675b9
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.18-0etch1_sparc.deb
    Size/MD5 checksum:    82072 2a76c78e38d756f2261da449f8215fe4
  
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.18-0etch1_sparc.deb
    Size/MD5 checksum:  9205774 1a6ea528bb676aaaf88ad8d44f5d76c6


  These files will probably be moved into the stable distribution on
  its next update.

- 
---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkrHh8ACgkQXm3vHE4uylqJuACglVp2aQGEogNf+7f9N4SiQ2WW
scMAniegT014yaL2VX52gL03PFlHJWxy
=83ia
-----END PGP SIGNATURE-----