Debians sikkerhedsbulletin

DSA-1696-1 icedove -- flere sårbarheder

Rapporteret den:
7. jan 2009
Berørte pakker:
icedove
Sårbar:
Ja
Referencer i sikkerhedsdatabaser:
I Mitres CVE-ordbog: CVE-2008-0016, CVE-2008-1380, CVE-2008-3835, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060, CVE-2008-4061, CVE-2008-4062, CVE-2008-4065, CVE-2008-4067, CVE-2008-4068, CVE-2008-4070, CVE-2008-4582, CVE-2008-5012, CVE-2008-5014, CVE-2008-5017, CVE-2008-5018, CVE-2008-5021, CVE-2008-5022, CVE-2008-5024, CVE-2008-5500, CVE-2008-5503, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5511, CVE-2008-5512.
Yderligere oplysninger:

Flere fjernudnytbare sårbarheder er opdaget i mailklienten Icedove, en version af mailklienten Thunderbird. Projektet Common Vulnerabilities and Exposures har registreret følgende problemer:

  • CVE-2008-0016

    Justin Schuh, Tom Cross og Peter Williams opdagede et bufferoverløb i fortolkeren af UTF-8-URL'er, hvilket måske kunne føre til udførelse af vilkårlig kode. (MFSA 2008-37)

  • CVE-2008-1380

    Man opdagede at nedbrud i JavaScript-maskinen potentielt kunne føre til udførelse af vilkårlig kode. (MFSA 2008-20)

  • CVE-2008-3835

    moz_bug_r_a4 opdagede at samme ophav-kontrollen i nsXMLDocument::OnChannelRedirect() kunne omgås. (MFSA 2008-38)

  • CVE-2008-4058

    moz_bug_r_a4 opdagede en sårbarhed, der kunne medføre en Chrome-rettighedsforøgelse gennem XPCNativeWrappers. (MFSA 2008-41)

  • CVE-2008-4059

    moz_bug_r_a4 opdagede en sårbarhed, der kunne medføre en Chrome-rettighedsforøgelse gennem XPCNativeWrappers. (MFSA 2008-41)

  • CVE-2008-4060

    Olli Pettay og moz_bug_r_a4 opdagede en Chrome-rettighedsforøgelsessårbarhed i XSLT-håndtering. (MFSA 2008-41)

  • CVE-2008-4061

    Jesse Ruderman opdagede et nedbrud i layout-maskinen, hvilket måske kunne gøre det muligt at udføre vilkårlig kode. (MFSA 2008-42)

  • CVE-2008-4062

    Igor Bukanov, Philip Taylor, Georgi Guninski og Antoine Labour opdagede nedbrud i JavaScript-maskinen, hvilket måske kunne gøre det muligt at udføre vilkårlig kode. (MFSA 2008-42)

  • CVE-2008-4065

    Dave Reed opdagede at nogle Unicode-byterækkefølgemarkeringer blev fjernet fra JavaScript-kode før udførelse, hvilket kunne medføre udførelse af kode, der ellers var del af en streng i anførselstegn. (MFSA 2008-43)

  • CVE-2008-4067

    Man opdagede at et mappegennemløb gjorde det muligt for angribere at læse vilkårlige filer via et bestemt tegn. (MFSA 2008-44)

  • CVE-2008-4068

    Man opdagede at et mappegennemløb gjorde det muligt for angribere at omgå sikkerhedsbegrænsninger og få fat i følsomme oplysninger. (MFSA 2008-44)

  • CVE-2008-4070

    Man opdagede at et bufferoverløb kunne udløses gennem en lang header i en nyhedsartikel, hvilket kunne føre til udførelse af vilkårlig kode. (MFSA 2008-46)

  • CVE-2008-4582

    Liu Die Yu og Boris Zbarsky opdagede en informationslækage gennem lokale genvejsfiler. (MFSA 2008-47, MFSA 2008-59)

  • CVE-2008-5012

    Georgi Guninski, Michal Zalewski og Chris Evan opdagede at canvas-elementet kunne anvendes til at omgå samme ophav-begrænsninger. (MFSA 2008-48)

  • CVE-2008-5014

    Jesse Ruderman opdagede at en programmingsfejl i objektet window.__proto__.__proto__ kunne føre til udførelse af vilkårlig kode. (MFSA 2008-50)

  • CVE-2008-5017

    Man opdagede at nedbrud i layout-maskinen kunne føre til udførelse af vilkårlig kode. (MFSA 2008-52)

  • CVE-2008-5018

    Man opdagede at nedbrud i JavaScript-maskinen kunne føre til udførelse af vilkårlig kode. (MFSA 2008-52)

  • CVE-2008-5021

    Man opdagede at et nedbrud i nsFrameManager måske kunne føre til udførelse af vilkårlig kode. (MFSA 2008-55)

  • CVE-2008-5022

    moz_bug_r_a4 opdagede at samme ophav-kontroller i nsXMLHttpRequest::NotifyEventListeners() kunne omgås. (MFSA 2008-56)

  • CVE-2008-5024

    Chris Evans opdagede at anførselstegn blev indkaplset på ukorrekt vis i standardnavnerummet i E4X-dokumenter. (MFSA 2008-58)

  • CVE-2008-5500

    Jesse Ruderman opdagede at layout-maskinen var sårbar over for lammelsesangreb (DoS), der måske kunne udløse hukommelseskorruption og heltalsoverløb. (MFSA 2008-60)

  • CVE-2008-5503

    Boris Zbarsky opdagede at et informationsafsløringsangreb kunne udføres gennem XBL-bindinger. (MFSA 2008-61)

  • CVE-2008-5506

    Marius Schilder opdagede at det var muligt at få fat i følsomme oplysninger gennem XMLHttpRequest. (MFSA 2008-64)

  • CVE-2008-5507

    Chris Evans opdagede at det var muligt at få fat i følsomme oplysninger gennem en JavaScript-URL. (MFSA 2008-65)

  • CVE-2008-5508

    Chip Salzenberg opdagede mulige phising-angreb gennem URL'er med foranstillet whitespace eller kontroltegn. (MFSA 2008-66)

  • CVE-2008-5511

    Man opdagede at det var muligt at udføre skripter på tværs af websteder gennem en XBL-binding til et "unloaded document." (MFSA 2008-68)

  • CVE-2008-5512

    Man opdagede at det var muligt at køre vilkårligt JavaScript med Chrome-rettigheder gennem ukendte angrebsvinkler. (MFSA 2008-68)

I den stabile distribution (etch) er disse problemer rettet i version 1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1. Pakker til s390 vil blive stillet til rådighed senere.

I den kommende stabile distribution (lenny) vil disse problemer snart blive rettet.

I den ustabile (sid) distribution er disse problemer rettet i version 2.0.0.19-1.

Vi anbefaler at du opgraderer dine icedove-pakker.

Rettet i:

Debian GNU/Linux 4.0 (etch)

Kildekode:
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1.diff.gz
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i.orig.tar.gz
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1.dsc
Arkitekturuafhængig komponent:
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb
http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_all.deb
Alpha:
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_powerpc.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080614i-0etch1_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.