Get the LinuxSecurity news you want faster with RSS
Powered By
Debian: 2569-1: icedove: Multiple vulnerabilities
Posted by Benjamin D. Thomas
Multiple vulnerabilities have been discovered in Icedove, Debian's version of the Mozilla Thunderbird mail client. The Common Vulnerabilities and Exposures project identifies the following problems: [More...]
- -------------------------------------------------------------------------
Debian Security Advisory DSA-2569-1 security@debian.org
http://www.debian.org/security/ Florian Weimer
October 29, 2012 http://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : icedove
Vulnerability : several
Problem type : remote
Debian-specific: no
CVE ID : CVE-2012-3982 CVE-2012-3986 CVE-2012-3990 CVE-2012-3991
CVE-2012-4179 CVE-2012-4180 CVE-2012-4182 CVE-2012-4186
CVE-2012-4188
Multiple vulnerabilities have been discovered in Icedove, Debian's
version of the Mozilla Thunderbird mail client. The Common
Vulnerabilities and Exposures project identifies the following
problems:
CVE-2012-3982
Multiple unspecified vulnerabilities in the browser engine
allow remote attackers to cause a denial of service (memory
corruption and application crash) or possibly execute
arbitrary code via unknown vectors.
CVE-2012-3986
Icedove does not properly restrict calls to DOMWindowUtils
methods, which allows remote attackers to bypass intended
access restrictions via crafted JavaScript code.
CVE-2012-3990
A Use-after-free vulnerability in the IME State Manager
implementation allows remote attackers to execute arbitrary
code via unspecified vectors, related to the
nsIContent::GetNameSpaceID function.
CVE-2012-3991
Icedove does not properly restrict JSAPI access to the
GetProperty function, which allows remote attackers to bypass
the Same Origin Policy and possibly have unspecified other
impact via a crafted web site.
CVE-2012-4179
A use-after-free vulnerability in the
nsHTMLCSSUtils::CreateCSSPropertyTxn function allows remote
attackers to execute arbitrary code or cause a denial of
service (heap memory corruption) via unspecified vectors.
CVE-2012-4180
A heap-based buffer overflow in the
nsHTMLEditor::IsPrevCharInNodeWhitespace function allows
remote attackers to execute arbitrary code via unspecified
vectors.
CVE-2012-4182
A use-after-free vulnerability in the
nsTextEditRules::WillInsert function allows remote attackers
to execute arbitrary code or cause a denial of service (heap
memory corruption) via unspecified vectors.
CVE-2012-4186
A heap-based buffer overflow in the
nsWav-eReader::DecodeAudioData function allows remote attackers
to execute arbitrary code via unspecified vectors.
CVE-2012-4188
A heap-based buffer overflow in the Convolve3x3 function
allows remote attackers to execute arbitrary code via
unspecified vectors.
For the stable distribution (squeeze), these problems have been fixed
in version 3.0.11-1+squeeze14.
For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 10.0.9-1.
We recommend that you upgrade your icedove packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
