Articles / Debian: Security update for…

Debian: Security update for Icedove

Several vulnerabilities have been discovered in Icedove, a mail client based on Thunderbird. The JSSubScriptLoader does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior. A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding. Iceweasel does not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. Updated packages are available from security.debian.org.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2345-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
November 11, 2011                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2011-3647 CVE-2011-3648 CVE-2011-3650

Several vulnerabilities have been discovered in Icedove, a mail client
based on Thunderbird.

CVE-2011-3647
       The JSSubScriptLoader does not properly handle
       XPCNativeWrappers during calls to the loadSubScript method in
       an add-on, which makes it easier for remote attackers to gain
       privileges via a crafted web site that leverages certain
       unwrapping behavior.

CVE-2011-3648
  A cross-site scripting (XSS) vulnerability allows remote
  attackers to inject arbitrary web script or HTML via crafted
  text with Shift JIS encoding.

CVE-2011-3650 
       Iceweasel does not properly handle JavaScript files that
  contain many functions, which allows user-assisted remote
  attackers to cause a denial of service (memory corruption and
  application crash) or possibly have unspecified other impact
  via a crafted file that is accessed by debugging APIs, as
  demonstrated by Firebug.

For the stable distribution (squeeze), these problems have been fixed
in version 3.0.11-1+squeeze6.

For the testing distribution (wheezy) and the unstable distribution
(sid), these problems have been fixed in version 3.1.15-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQEcBAEBAgAGBQJOvZIdAAoJEL97/wQC1SS+eRsIAJE6hacrJBLdG2FezXbqKK2B
juHyC245DzaZ2sqO4RsP6VDKNdop6URQljoJfn7ewh4tw4oribXhV00CiwpFaLM7
ui+YKyJ22vCtrp5DBIzsirR08c7/Dy+jKDa2iq4jCJDjmEzpbfHzFbW6jaMKtoge
7SBGbmaHVKyJbLhIY9E9i1U72EJrBJNqQ31gChvaZpJ0N6LzYL4z/ze4lXLgcS6R
k/0XH396nbLO2zgFxi0ok9iYQZblCoIlDTiTpLqWVFyeFG7LHh15LZPgUclhwZoe
8PhOByLk9/YcRW+ooKKjYwfT1qzYOOuU8y4ozPEKLMx5dHC9H2//xKviQNMJO+4=
=uqXx
-----END PGP SIGNATURE-----
Screenshot

Project Spotlight

Kigo Video Converter Ultimate for Mac

A tool for converting and editing videos.

Screenshot

Project Spotlight

Kid3

An efficient tagger for MP3, Ogg/Vorbis, and FLAC files.