Debian Security Advisory
DSA-2433-1 iceweasel -- several vulnerabilities
- Date Reported:
- 15 Mar 2012
- Affected Packages:
- iceweasel
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2012-0455, CVE-2012-0456, CVE-2012-0458, CVE-2012-0461.
- More information:
-
Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian.
- CVE-2012-0455
Soroush Dalili discovered that a cross-site scripting countermeasure related to JavaScript URLs could be bypassed.
- CVE-2012-0456
Atte Kettunen discovered an out of bounds read in the SVG Filters, resulting in memory disclosure.
- CVE-2012-0458
Mariusz Mlynski discovered that privileges could be escalated through a JavaScript URL as the home page.
- CVE-2012-0461
Bob Clary discovered memory corruption bugs, which may lead to the execution of arbitrary code.
For the stable distribution (squeeze), this problem has been fixed in version 3.5.16-13.
For the unstable distribution (sid), this problem has been fixed in version 10.0.3esr-1.
For the experimental distribution, this problem has been fixed in version 11.0-1.
We recommend that you upgrade your iceweasel packages.
- CVE-2012-0455