Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-1707-1 iceweasel -- several vulnerabilities

Related Vulnerabilities: CVE-2008-5500   CVE-2008-5503   CVE-2008-5504   CVE-2008-5506   CVE-2008-5507   CVE-2008-5508   CVE-2008-5510   CVE-2008-5511   CVE-2008-5512   CVE-2008-5513  

Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2008-5500 Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60) CVE-2008-5503 Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61) CVE-2008-5504 It was discovered that attackers could run arbitrary JavaScript with chrome privileges via vectors related to the feed preview. (MFSA 2008-62) CVE-2008-5506 Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64) CVE-2008-5507 Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65) CVE-2008-5508 Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66) CVE-2008-5510 Kojima Hajime and Jun Muto discovered that escaped null characters were ignored by the CSS parser and could lead to the bypass of protection mechanisms (MFSA 2008-67) CVE-2008-5511 It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68) CVE-2008-5512 It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68) CVE-2008-5513 moz_bug_r_a4 discovered that the session-restore feature does not properly sanitise input leading to arbitrary injections. This issue could be used to perform an XSS attack or run arbitrary JavaScript with chrome privileges. (MFSA 2008-69) For the stable distribution (etch) these problems have been fixed in version 2.0.0.19-0etch1. For the testing distribution (lenny) and the unstable distribution (sid) these problems have been fixed in version 3.0.5-1. Please note iceweasel in Lenny links dynamically against xulrunner. We recommend that you upgrade your iceweasel package.

Source

Debian Security Advisory

DSA-1707-1 iceweasel -- several vulnerabilities

Date Reported:
15 Jan 2009
Affected Packages:
iceweasel
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2008-5500, CVE-2008-5503, CVE-2008-5504, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE-2008-5511, CVE-2008-5512, CVE-2008-5513.
More information:

Several remote vulnerabilities have been discovered in the Iceweasel web browser, an unbranded version of the Firefox browser. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2008-5500

    Jesse Ruderman discovered that the layout engine is vulnerable to DoS attacks that might trigger memory corruption and an integer overflow. (MFSA 2008-60)

  • CVE-2008-5503

    Boris Zbarsky discovered that an information disclosure attack could be performed via XBL bindings. (MFSA 2008-61)

  • CVE-2008-5504

    It was discovered that attackers could run arbitrary JavaScript with chrome privileges via vectors related to the feed preview. (MFSA 2008-62)

  • CVE-2008-5506

    Marius Schilder discovered that it is possible to obtain sensible data via a XMLHttpRequest. (MFSA 2008-64)

  • CVE-2008-5507

    Chris Evans discovered that it is possible to obtain sensible data via a JavaScript URL. (MFSA 2008-65)

  • CVE-2008-5508

    Chip Salzenberg discovered possible phishing attacks via URLs with leading whitespaces or control characters. (MFSA 2008-66)

  • CVE-2008-5510

    Kojima Hajime and Jun Muto discovered that escaped null characters were ignored by the CSS parser and could lead to the bypass of protection mechanisms (MFSA 2008-67)

  • CVE-2008-5511

    It was discovered that it is possible to perform cross-site scripting attacks via an XBL binding to an "unloaded document." (MFSA 2008-68)

  • CVE-2008-5512

    It was discovered that it is possible to run arbitrary JavaScript with chrome privileges via unknown vectors. (MFSA 2008-68)

  • CVE-2008-5513

    moz_bug_r_a4 discovered that the session-restore feature does not properly sanitise input leading to arbitrary injections. This issue could be used to perform an XSS attack or run arbitrary JavaScript with chrome privileges. (MFSA 2008-69)

For the stable distribution (etch) these problems have been fixed in version 2.0.0.19-0etch4.

For the testing distribution (lenny) and the unstable distribution (sid) these problems have been fixed in version 3.0.5-1. Please note iceweasel in Lenny links dynamically against xulrunner.

We recommend that you upgrade your iceweasel package.

Fixed in:

Debian GNU/Linux 4.0 (etch)

Source:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4.diff.gz
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19.orig.tar.gz
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4.dsc
Architecture-independent component:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dom-inspector_2.0.0.19-0etch4_all.deb
http://security.debian.org/pool/updates/main/i/iceweasel/firefox-gnome-support_2.0.0.19-0etch4_all.deb
http://security.debian.org/pool/updates/main/i/iceweasel/firefox-dom-inspector_2.0.0.19-0etch4_all.deb
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox_2.0.0.19-0etch4_all.deb
http://security.debian.org/pool/updates/main/i/iceweasel/firefox_2.0.0.19-0etch4_all.deb
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-gnome-support_2.0.0.19-0etch4_all.deb
http://security.debian.org/pool/updates/main/i/iceweasel/mozilla-firefox-dom-inspector_2.0.0.19-0etch4_all.deb
Alpha:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_alpha.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_alpha.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_amd64.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_amd64.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_arm.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_arm.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_arm.deb
HP Precision:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_hppa.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_hppa.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_i386.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_i386.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_ia64.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_ia64.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_ia64.deb
Big-endian MIPS:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_mips.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_mips.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_mips.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_mipsel.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_mipsel.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_powerpc.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_powerpc.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_s390.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_s390.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel_2.0.0.19-0etch4_sparc.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-gnome-support_2.0.0.19-0etch4_sparc.deb
http://security.debian.org/pool/updates/main/i/iceweasel/iceweasel-dbg_2.0.0.19-0etch4_sparc.deb

MD5 checksums of the listed files are available in the original advisory.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started