Debian Security Advisory 1574-1 - Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. "moz_bug_r_a4" discovered that variants of CVE-2007-3738 and CVE-2007-5338 allow the execution of arbitrary code through XPCNativeWrapper. "moz_bug_r_a4" discovered that insecure handling of event handlers could lead to cross-site scripting. Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered that incorrect principal handling can lead to cross-site scripting and the execution of arbitrary code. Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats Palmgren discovered crashes in the layout engine, which might allow the execution of arbitrary code. "georgi", "tgirmann" and Igor Bukanov discovered crashes in the Javascript engine, which might allow the execution of arbitrary code.
867d2fd1761cc34c6ec290e3c113c0014359a848ac9c6f97e6a95879044031b3
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------------------------------------------------------------------------
Debian Security Advisory DSA-1574-1 security@debian.org
http://www.debian.org/security/ Moritz Muehlenhoff
May 12, 2008 http://www.debian.org/security/faq
- ------------------------------------------------------------------------
Package : icedove
Vulnerability : several
Problem-Type : remote
Debian-specific: no
CVE ID : CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237
Several remote vulnerabilities have been discovered in the Icedove mail
client, an unbranded version of the Thunderbird client. The Common
Vulnerabilities and Exposures project identifies the following problems:
CVE-2008-1233
"moz_bug_r_a4" discovered that variants of CVE-2007-3738 and
CVE-2007-5338 allow the execution of arbitrary code through
XPCNativeWrapper.
CVE-2008-1234
"moz_bug_r_a4" discovered that insecure handling of event
handlers could lead to cross-site scripting.
CVE-2008-1235
Boris Zbarsky, Johnny Stenback, and "moz_bug_r_a4" discovered
that incorrect principal handling can lead to cross-site
scripting and the execution of arbitrary code.
CVE-2008-1236
Tom Ferris, Seth Spitzer, Martin Wargers, John Daggett and Mats
Palmgren discovered crashes in the layout engine, which might
allow the execution of arbitrary code.
CVE-2008-1237
"georgi", "tgirmann" and Igor Bukanov discovered crashes in the
Javascript engine, which might allow the execution of arbitrary
code.
For the stable distribution (etch), these problems have been fixed in
version 1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1.
We recommend that you upgrade your icedove packages.
Upgrade instructions
- --------------------
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian 4.0 (stable)
- -------------------
Stable updates are available for alpha, amd64, arm, hppa, i386, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1.dsc
Size/MD5 checksum: 1982 750841a80bc12a55c8714049c8e2f102
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a.orig.tar.gz
Size/MD5 checksum: 33904847 5533bdceb008204723782f850283be45
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1.diff.gz
Size/MD5 checksum: 640408 27408941d140932f9197f0547d7bb31d
Architecture independent packages:
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_all.deb
Size/MD5 checksum: 29250 21e65cf10c096d64a9d691d6f1e6cfec
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_all.deb
Size/MD5 checksum: 29242 276f8b7ae7bbaa8ec030e642fbb448c9
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_all.deb
Size/MD5 checksum: 29268 b67489e95d0d6b661377c98771a44155
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_all.deb
Size/MD5 checksum: 29276 35896da05ba12ac6acc6b24c6d509fd3
http://security.debian.org/pool/updates/main/i/icedove/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_all.deb
Size/MD5 checksum: 29260 04188b5c68812ecf191d199a7429b492
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_all.deb
Size/MD5 checksum: 29264 4e27be46c0eab33d785e43dd19f8019c
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_all.deb
Size/MD5 checksum: 29254 15fec611ffe69560ff13f63177b8f257
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_all.deb
Size/MD5 checksum: 29272 b7e77da68082710c4421c0e411a8355f
http://security.debian.org/pool/updates/main/i/icedove/thunderbird-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_all.deb
Size/MD5 checksum: 29246 63246087e1548ab3328052b93137a193
http://security.debian.org/pool/updates/main/i/icedove/thunderbird_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_all.deb
Size/MD5 checksum: 29232 806bc19f2cc731028f9d10a614de3451
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_alpha.deb
Size/MD5 checksum: 52441922 19d7a51478aeb2356795355b28fd341e
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_alpha.deb
Size/MD5 checksum: 199552 bd9c6a981d4743d78498afc0c160b286
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_alpha.deb
Size/MD5 checksum: 3960108 44b30c24eff6c09076d80bc50bcb7ecb
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_alpha.deb
Size/MD5 checksum: 53710 35fa9294193939b1cfef617f214ea717
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_alpha.deb
Size/MD5 checksum: 13475852 797d32eeb2959e5f81537825e6400e25
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_alpha.deb
Size/MD5 checksum: 64472 7bb0141a1b699dbc26d3f0c43d1cda96
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_amd64.deb
Size/MD5 checksum: 3679760 2be74437d2161071e69adeb9ae7ca909
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_amd64.deb
Size/MD5 checksum: 61718 d2c224bfe36b28b56999b84eb025b63a
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_amd64.deb
Size/MD5 checksum: 52682 6b320c569ff44560fa3debca9fc61199
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_amd64.deb
Size/MD5 checksum: 196280 a1b59bbc12dce9c50800805b1536497a
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_amd64.deb
Size/MD5 checksum: 51521766 26f926056b590c362c48c45419134e23
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_amd64.deb
Size/MD5 checksum: 12183028 9687de9ed8b52bc3b2f94c120d27b570
arm architecture (ARM)
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_arm.deb
Size/MD5 checksum: 190322 45e6393607c33f4ecd17ac97ae3a1a71
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_arm.deb
Size/MD5 checksum: 59394 01561cf45d17871fc09d1c8b71c278f9
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_arm.deb
Size/MD5 checksum: 3923352 8d586d550bb46a0e718594ee40403a0c
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_arm.deb
Size/MD5 checksum: 47616 cd497c92f494924ee0864615f909a35a
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_arm.deb
Size/MD5 checksum: 10899636 aa73849db3b476f28bc1df10e85197a8
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_arm.deb
Size/MD5 checksum: 50884498 77b1e9686fe268e8697305d00a7ddcfd
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_hppa.deb
Size/MD5 checksum: 200908 bf43001b7ea36ac2017fed0d5995abb4
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_hppa.deb
Size/MD5 checksum: 13645256 879dc4dafce6426453ff633ccbbed914
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_hppa.deb
Size/MD5 checksum: 53970 22c7fb95f0c09664eeebd79c99642fd0
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_hppa.deb
Size/MD5 checksum: 66264 9ff1df9182a8046ba3eb2a678d5df984
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_hppa.deb
Size/MD5 checksum: 52342386 c89a7aef07d1394f858f6f86e02267bf
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_hppa.deb
Size/MD5 checksum: 3958194 55eb990e93fece41ca1ba5008bdefe23
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_i386.deb
Size/MD5 checksum: 191326 044b8b6462f4f97ed794f8bb68c2f978
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_i386.deb
Size/MD5 checksum: 58688 454b45fbd716656110858eac1f726ec4
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_i386.deb
Size/MD5 checksum: 10915630 259b08e1e1d11463a8ef801b65a38866
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_i386.deb
Size/MD5 checksum: 48678 3c9c56c959bfda5fcc8af67218f2d46f
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_i386.deb
Size/MD5 checksum: 3676688 d1d32c190cb2ee48750f339e2158924c
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_i386.deb
Size/MD5 checksum: 50792070 854983df69868204fda6ff5e2364d605
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_mipsel.deb
Size/MD5 checksum: 49632 1a8803705eeabb9cc0271dbc92622d02
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_mipsel.deb
Size/MD5 checksum: 3684240 603373481c8417f2cc1e5c1fefda4dbe
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_mipsel.deb
Size/MD5 checksum: 51720194 3b00fd8f263a42dd063dfd0182628a0c
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_mipsel.deb
Size/MD5 checksum: 59310 21fe1260c554ba22b7287a0097030df6
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_mipsel.deb
Size/MD5 checksum: 192632 a0d990027ce888c6c4551d2e2912017e
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_mipsel.deb
Size/MD5 checksum: 11364440 44c5674b80a8e91cceb80d3609ec9774
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_powerpc.deb
Size/MD5 checksum: 3679326 931cba187bccd68bbd374f7cfe9849b3
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_powerpc.deb
Size/MD5 checksum: 53339970 d9984f24c76c765a4da7e479effde4f9
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_powerpc.deb
Size/MD5 checksum: 11811386 b3e9e0f72162e51538667a29b7fde72e
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_powerpc.deb
Size/MD5 checksum: 61092 2d7aefceabded3d7377ccd93e9984187
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_powerpc.deb
Size/MD5 checksum: 193330 ee0580a84886eebdb24f4ccf26f5d4bc
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_powerpc.deb
Size/MD5 checksum: 50240 d76bb7b61a861111841b558bd0d62124
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_s390.deb
Size/MD5 checksum: 52198524 1d4e2d10c96095ece6e5ef72e510167a
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_s390.deb
Size/MD5 checksum: 53296 dd0b4567cddf2bb2059024a59fac71a2
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_s390.deb
Size/MD5 checksum: 3682976 0e8fd8898a51d592259339c4815728f1
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_s390.deb
Size/MD5 checksum: 62876 0c621aace4e543c3d563d6c9eda96482
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_s390.deb
Size/MD5 checksum: 12844796 eb48aef48c73789e99af63593ab5cc99
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_s390.deb
Size/MD5 checksum: 198050 b724ab8ffad1da2516b787bbd08ee5ab
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/i/icedove/icedove_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_sparc.deb
Size/MD5 checksum: 11122980 b9529ccfbaba2d55842700bcedf3e5a7
http://security.debian.org/pool/updates/main/i/icedove/icedove-dbg_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_sparc.deb
Size/MD5 checksum: 50676676 e003473e7d4b16d51c82ec5a41c6c24a
http://security.debian.org/pool/updates/main/i/icedove/icedove-typeaheadfind_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_sparc.deb
Size/MD5 checksum: 58758 32fd31881fc16d9b63fedfd67d181877
http://security.debian.org/pool/updates/main/i/icedove/icedove-dev_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_sparc.deb
Size/MD5 checksum: 3673632 a010187bf5fcb8915270f01e2625c444
http://security.debian.org/pool/updates/main/i/icedove/icedove-inspector_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_sparc.deb
Size/MD5 checksum: 190856 964eefa305fbed0c638d338cd61efbd3
http://security.debian.org/pool/updates/main/i/icedove/icedove-gnome-support_1.5.0.13+1.5.0.15b.dfsg1+prepatch080417a-0etch1_sparc.deb
Size/MD5 checksum: 48764 26d5a91f26d267f69e7fd3aa1cf1ffc9
These files will probably be moved into the stable distribution on
its next update.
- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFIKGuLXm3vHE4uyloRAka7AKCl6/aXitkjoMokw0Qb9tJBUfsMsQCfdsHs
137paU/uKvMmmsJsLq0LIZA=
=VsU/
-----END PGP SIGNATURE-----