Lucene search

HistoryFeb 24, 2008 - 12:00 a.m.

iceape - several vulnerabilities


0.94 High




Several remote vulnerabilities have been discovered in the Iceape internet
suite, an unbranded version of the Seamonkey Internet Suite. The Common
Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2008-0412
    Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren and Paul
    Nickerson discovered crashes in the layout engine, which might allow
    the execution of arbitrary code.
  • CVE-2008-0413
    Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown,
    Philip Taylor and tgirmann discovered crashes in the Javascript
    engine, which might allow the execution of arbitrary code.
  • CVE-2008-0414
    hong and Gregory Fleischer discovered that file input focus
    vulnerabilities in the file upload control could allow information
    disclosure of local files.
  • CVE-2008-0415
    moz_bug_r_a4 and Boris Zbarsky discovered several
    vulnerabilities in Javascript handling, which could allow
    privilege escalation.
  • CVE-2008-0417
    Justin Dolske discovered that the password storage mechanism could
    be abused by malicious web sites to corrupt existing saved passwords.
  • CVE-2008-0418
    Gerry Eisenhaur and moz_bug_r_a4 discovered that a directory
    traversal vulnerability in chrome: URI handling could lead to
    information disclosure.
  • CVE-2008-0419
    David Bloom discovered a race condition in the image handling of
    designMode elements, which can lead to information disclosure and
    potentially the execution of arbitrary code.
  • CVE-2008-0591
    Michal Zalewski discovered that timers protecting security-sensitive
    dialogs (by disabling dialog elements until a timeout is reached)
    could be bypassed by window focus changes through Javascript.
  • CVE-2008-0592
    It was discovered that malformed content declarations of saved
    attachments could prevent a user in the opening local files
    with a .txt file name, resulting in minor denial of service.
  • CVE-2008-0593
    Martin Straka discovered that insecure stylesheet handling during
    redirects could lead to information disclosure.
  • CVE-2008-0594
    Emil Ljungdahl and Lars-Olof Moilanen discovered that phishing
    protections could be bypassed with <div> elements.

The Mozilla products from the old stable distribution (sarge) are no
longer supported with security updates.

For the stable distribution (etch), these problems have been fixed in
version 1.0.12~pre080131b-0etch1.

We recommend that you upgrade your iceape packages.