Debian Security Advisory
netscape navigator/communicator -- remote exploit
- Date Reported:
- 01 Sep 2000
- Affected Packages:
- navigator, communicator
- Vulnerable:
- Yes
- Security database references:
- No other external database security references currently available.
- More information:
- Existing Netscape Communicator/Navigator packages contain
the following vulnerabilities:
  1. Netscape Communicator JPEG-Comment Heap Overwrite Vulnerability
     - allows execution of arbitrary code supplied in the comment field of a JPEG image
     - Netscape Communicator/Navigator versions 4.0 through 4.73 are vulnerable
  2. Multiple Vendor Java Virtual Machine Listening Socket Vulnerability
  3. Netscape Communicator URL Read Vulnerability
     - items 2 and 3 together are known as the "Brown Orifice" vulnerability
     - can be exploited to expose the contents of your computer to anyone on the Internet, allowing them to read files visible to the user running the browser
     - Netscape Communicator/Navigator versions 4.0 through 4.74 are vulnerable
There are several ways to remove the netscape packages. A quick way to do so is to run "apt-get remove netscape-base-473", substituting 473 with 406, 407, 408, 45, 451, 46, 461, 47, or 472 as needed. If you do not have apt-get, you can run "dpkg --remove communicator-smotif-473 communicator-base-473 netscape-java-473 navigator-smotif-473 navigator-base-473", again substituting any other versions you may have installed. You may also remove the packages via dselect.
If you have "deb http://security.debian.org/ potato/updates main contrib non-free" in /etc/apt/sources.list you can run "apt-get update ; apt-get install communicator" to install the full communicator package (including mail and news) or "apt-get update ; apt-get install navigator" for the browser only. A typical manual install includes communicator-smotif-475, communicator-base-475, netscape-base-475, netscape-base-4, and netscape-java-475.
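To find which installed packages still need removing before the upgrade, the check below is an added example (not part of the original advisory). It assumes the trailing digits of a package name encode the Netscape release (473 = 4.73, 45 = 4.5), as the names listed above suggest, and treats anything below 4.75 as vulnerable. The sample package list, including the "-48" name, is constructed.

```shell
#!/bin/sh
# Added example: flag version-suffixed Netscape packages older than 4.75.
# Reads one package per line and uses only the first field, so the output
# of `dpkg --get-selections` can be piped in directly.
vulnerable_netscape_packages() {
    while read -r pkg _rest; do
        case "$pkg" in
            communicator-*|navigator-*|netscape-*) ;;
            *) continue ;;
        esac
        name=${pkg%-libc5}      # libc5 builds carry an extra trailing tag
        suffix=${name##*-}      # e.g. "473", "45"
        # Only 2- or 3-digit 4.x suffixes name a release; this skips
        # unversioned packages such as netscape-base-4.
        case "$suffix" in
            4[0-9]|4[0-9][0-9]) ;;
            *) continue ;;
        esac
        # Pad two-digit suffixes so 45 (4.5) compares as 450, not as 45.
        if [ "${#suffix}" -eq 2 ]; then
            suffix="${suffix}0"
        fi
        if [ "$suffix" -lt 475 ]; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample in `dpkg --get-selections` format (name<TAB>state).
sample_selections() {
    printf '%s\tinstall\n' \
        communicator-smotif-473 netscape-base-473 netscape-base-4 \
        navigator-smotif-45-libc5 netscape-java-472 \
        communicator-base-475 netscape-smotif-48 bash
}

# On a real system: dpkg --get-selections | vulnerable_netscape_packages
sample_selections | vulnerable_netscape_packages
```

Each name printed can be passed to "apt-get remove" or "dpkg --remove" as described above.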
- Fixed in:
- Source:
- http://security.debian.org/dists/potato/updates/non-free/source/netscape4.75_4.75-2.diff.gz
- http://security.debian.org/dists/potato/updates/non-free/source/netscape4.75_4.75-2.dsc
- http://security.debian.org/dists/potato/updates/non-free/source/netscape4.75_4.75.orig.tar.gz
- http://security.debian.org/dists/potato/updates/non-free/source/netscape4.base_4.75-1.dsc
- http://security.debian.org/dists/potato/updates/non-free/source/netscape4.base_4.75-1.tar.gz
- Intel ia32:
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/communicator-base-475_4.75-2_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/communicator-nethelp-475_4.75-2_all.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/communicator-smotif-475-libc5_4.75-2_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/communicator-smotif-475_4.75-2_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/communicator-spellchk-475_4.75-2_all.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/communicator_4.75-1_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/navigator-base-475_4.75-2_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/navigator-nethelp-475_4.75-2_all.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/navigator-smotif-475-libc5_4.75-2_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/navigator-smotif-475_4.75-2_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/navigator_4.75-1_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/netscape-base-4-libc5_4.75-1_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/netscape-base-475_4.75-2_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/netscape-base-4_4.75-1_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/netscape-ja-resource-475_4.75-2_all.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/netscape-java-475_4.75-2_all.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/netscape-ko-resource-475_4.75-2_all.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/netscape-smotif-475-libc5_4.75-2_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/netscape-smotif-475_4.75-2_i386.deb
- http://security.debian.org/dists/potato/updates/non-free/binary-i386/netscape-zh-resource-475_4.75-2_all.deb