Debian: New icedove packages fix several vulnerabilities
Posted by Benjamin D. Thomas   
Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird mail client.
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1696-1                                   Steffen Joeris
January 07, 2009            
- ------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several vulnerabilities
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-0016 CVE-2008-1380 CVE-2008-3835 CVE-2008-4058
CVE-2008-4059 CVE-2008-4060 CVE-2008-4061 CVE-2008-4062 CVE-2008-4065 CVE-2008-4067
CVE-2008-4068 CVE-2008-4070 CVE-2008-5012 CVE-2008-5014 CVE-2008-5017 CVE-2008-5018
CVE-2008-5021 CVE-2008-5022 CVE-2008-5024 CVE-2008-5500 CVE-2008-5503 CVE-2008-5506
CVE-2008-5507 CVE-2008-5508 CVE-2008-5511 CVE-2008-5512

Several remote vulnerabilities have been discovered in the Icedove
mail client, an unbranded version of the Thunderbird mail client. The
Common Vulnerabilities and Exposures project identifies the following


   Justin Schuh, Tom Cross and Peter Williams discovered a buffer
   overflow in the parser for UTF-8 URLs, which may lead to the execution
   of arbitrary code. (MFSA 2008-37)


   It was discovered that crashes in the Javascript engine could
   potentially lead to the execution of arbitrary code. (MFSA 2008-20)  


   "moz_bug_r_a4" discovered that the same-origin check in
   nsXMLDocument::OnChannelRedirect() could be bypassed. (MFSA 2008-38)


   "moz_bug_r_a4" discovered a vulnerability which can result in
   Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41)


   "moz_bug_r_a4" discovered a vulnerability which can result in
   Chrome privilege escalation through XPCNativeWrappers. (MFSA 2008-41)


   Olli Pettay and "moz_bug_r_a4" discovered a Chrome privilege
   escalation vulnerability in XSLT handling. (MFSA 2008-41)


   Jesse Ruderman discovered a crash in the layout engine, which might
   allow the execution of arbitrary code. (MFSA 2008-42)


   Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine Labour
   discovered crashes in the Javascript engine, which might allow the
   execution of arbitrary code. (MFSA 2008-42)


   Dave Reed discovered that some Unicode byte order marks are
   stripped from Javascript code before execution, which can result in
   the execution of code that was otherwise part of a quoted string.
   (MFSA 2008-43)


   It was discovered that a directory traversal allows attackers to
   read arbitrary files via certain characters. (MFSA 2008-44)


   It was discovered that a directory traversal allows attackers to
   bypass security restrictions and obtain sensitive information.
   (MFSA 2008-44)


   It was discovered that a buffer overflow could be triggered via a
   long header in a news article, which could lead to arbitrary code
   execution. (MFSA 2008-46)


   Liu Die Yu and Boris Zbarsky discovered an information leak through
   local shortcut files. (MFSA 2008-47 MFSA 2008-59)


   Georgi Guninski, Michal Zalewski and Chris Evans discovered that
   the canvas element could be used to bypass same-origin
   restrictions. (MFSA 2008-48)


   Jesse Ruderman discovered that a programming error in the
   window.__proto__.__proto__ object could lead to arbitrary code
   execution. (MFSA 2008-50)


   It was discovered that crashes in the layout engine could lead to
   arbitrary code execution. (MFSA 2008-52)


   It was discovered that crashes in the Javascript engine could lead to
   arbitrary code execution. (MFSA 2008-52)


   It was discovered that a crash in the nsFrameManager might lead to
   the execution of arbitrary code. (MFSA 2008-55)


   "moz_bug_r_a4" discovered that the same-origin check in
   nsXMLHttpRequest::NotifyEventListeners() could be bypassed.
   (MFSA 2008-56)


   Chris Evans discovered that quote characters were improperly
   escaped in the default namespace of E4X documents. (MFSA 2008-58)


   Jesse Ruderman discovered that the layout engine is vulnerable to
   DoS attacks that might trigger memory corruption and an integer
   overflow. (MFSA 2008-60)


   Boris Zbarsky discovered that an information disclosure attack could
   be performed via XBL bindings. (MFSA 2008-61)


   Marius Schilder discovered that it is possible to obtain sensitive
   data via a XMLHttpRequest. (MFSA 2008-64)


   Chris Evans discovered that it is possible to obtain sensitive data
   via a JavaScript URL. (MFSA 2008-65)


   Chip Salzenberg discovered possible phishing attacks via URLs with
   leading whitespace or control characters. (MFSA 2008-66)


   It was discovered that it is possible to perform cross-site scripting
   attacks via an XBL binding to an "unloaded document." (MFSA 2008-68)


   It was discovered that it is possible to run arbitrary JavaScript
   with chrome privileges via unknown vectors. (MFSA 2008-68)

For the stable distribution (etch) these problems have been fixed in
version Packages for
s390 will be provided later.

For the upcoming stable distribution (lenny) these problems will be
fixed soon.

For the unstable (sid) distribution these problems have been fixed in

We recommend that you upgrade your icedove packages.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
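A check that belongs between the wget and dpkg -i steps above, added here as an example and not part of the advisory itself: it parses a "Size/MD5 checksum" line in the advisory's format and confirms the downloaded file matches it before anything is installed. It assumes GNU coreutils and sed as shipped with Debian; the sample file and checksum line are constructed, since the package filenames and URLs are not reproduced on this page.

```shell
#!/bin/sh
# Added example, not part of DSA-1696-1: check a downloaded .deb against the
# advisory's "Size/MD5 checksum: SIZE HASH" line before running dpkg -i.
# Assumes GNU coreutils/sed as shipped with Debian (md5sum, wc, cut, sed).

# parse_checksum_line LINE -> prints "SIZE HASH" extracted from an advisory line.
parse_checksum_line() {
    printf '%s\n' "$1" |
        sed -n 's/^.*Size\/MD5 checksum:[[:space:]]*\([0-9][0-9]*\)[[:space:]]*\([0-9a-f]*\).*$/\1 \2/p'
}

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 only when both the byte count and the MD5 digest match; a size
# mismatch usually means a truncated download, a digest mismatch a corrupt or
# substituted file. Either way the package must not be installed.
verify_deb() {
    file=$1; expected_size=$2; expected_md5=$3
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }

    actual_size=$(wc -c < "$file" | tr -d ' ')
    actual_md5=$(md5sum "$file" | cut -d' ' -f1)

    if [ "$actual_size" != "$expected_size" ]; then
        echo "$file: size $actual_size, advisory says $expected_size" >&2
        return 1
    fi
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "$file: MD5 $actual_md5, advisory says $expected_md5" >&2
        return 1
    fi
    echo "$file: size and MD5 match the advisory"
}

# Demonstration on a constructed 6-byte file standing in for a downloaded .deb
# (the real filenames and URLs are not reproduced on this page).
demo() {
    tmp=$(mktemp) || return 1
    printf 'hello\n' > "$tmp"
    # Constructed checksum line in the advisory's format for that file.
    line='    Size/MD5 checksum:        6 b1946ac92492d2347c6235b4d2611184'
    set -- $(parse_checksum_line "$line")
    verify_deb "$tmp" "$1" "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

The MD5 only guards against a truncated or corrupt download; the checksums themselves are authenticated by the signature on the advisory mail, which is what the "- " dash-escaped separator lines in this text come from.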

Debian GNU/Linux 4.0 alias etch
- -------------------------------

Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc and sparc.

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
(c)Copyright 2015 Guardian Digital, Inc. All rights reserved.