Debian update for icedove
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 19 |
| CVE-ID | CVE-2017-5470 CVE-2017-5472 CVE-2017-7749 CVE-2017-7750 CVE-2017-7751 CVE-2017-7752 CVE-2017-7754 CVE-2017-7756 CVE-2017-7757 CVE-2017-7758 CVE-2017-7764 CVE-2017-7771 CVE-2017-7772 CVE-2017-7773 CVE-2017-7774 CVE-2017-7775 CVE-2017-7776 CVE-2017-7777 CVE-2017-7778 |
| CWE-ID | CWE-119 CWE-416 CWE-125 CWE-200 CWE-787 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Debian Linux Operating systems & Components / Operating system |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 19 vulnerabilities.
1) Memory corruption
EUVDB-ID: #VU7080
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-5470
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to boundary error. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free error
EUVDB-ID: #VU7063
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-5472
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error with the frameloader during tree reconstruction while regenerating CSS layout. A remote attacker can use a node in the tree that no longer exists, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free error
EUVDB-ID: #VU7064
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7749
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error when using an incorrect URL during the reloading of a docshell. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use-after-free error
EUVDB-ID: #VU7065
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7750
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error during video control operations when a <track>
element holds a reference to an older window if that window has been replaced in the DOM. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free error
EUVDB-ID: #VU7066
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7751
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error with content viewer listeners. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use-after-free error
EUVDB-ID: #VU7067
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7752
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error during specific user interactions with the input method editor (IME) in some languages due to how events are handled. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Out-of-bounds read
EUVDB-ID: #VU7068
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7754
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to out-of-bounds read in WebGL. A remote attacker can use a specially crafted ImageInfo object during WebGL operations and read arbitrary files.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Use-after-free error
EUVDB-ID: #VU7070
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7756
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free and use-after-scope error when logging errors from headers for XML HTTP Requests (XHR). A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free error
EUVDB-ID: #VU7071
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7757
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in IndexedDB when one of its objects is destroyed in memory while a method on it is still being executed. A remote attacker can trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Out-of-bounds read
EUVDB-ID: #VU7072
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7758
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive on the target system.
The weakness exists due to out-of-bounds read with the Opus encoder when the number of channels in an audio stream changes while the encoder is in use. A remote attacker can trigger memory corruption and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Information disclosure
EUVDB-ID: #VU7075
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7764
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The weakness exists due to mix of characters from the "Canadian Syllabics" unicode block with characters from other unicode blocks in the addressbar instead of being rendered as their raw "punycode" form. A remote attacker can use characters confusion to perform domain name spoofing attacks and read arbitrary files.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Out-of-bounds read
EUVDB-ID: #VU7082
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7771
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Graphite 2 library due to out-of-bounds-read. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Heap-buffer-overflow write
EUVDB-ID: #VU7083
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7772
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in Graphite 2 library due to heap-buffer-overflow write. A remote attacker can execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Heap-buffer-overflow write
EUVDB-ID: #VU7084
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7773
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in Graphite 2 library due to heap-buffer-overflow write. A remote attacker can execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Out-of-bounds read
EUVDB-ID: #VU7085
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7774
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Graphite 2 library due to out-of-bounds-read. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Denial of service
EUVDB-ID: #VU7086
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7775
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Graphite 2 library due to an error in 'size() > n'. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Heap-buffer-overflow read
EUVDB-ID: #VU7087
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7776
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Graphite 2 library due to heap-buffer-overflow read. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Denial of service
EUVDB-ID: #VU7088
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-7777
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in Graphite 2 library due to use of uninitialized memory. A remote attacker can cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Out-of-bounds write
EUVDB-ID: #VU7081
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2017-7778
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists in Graphite 2 library due to out-of-bounds-write. A remote attacker can execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 1:52.2.1-4~deb8u1, 1:52.2.1-4~deb9u1
Vulnerable software versionsDebian Linux: All versions
CPE2.3 External linkshttps://www.mozilla.org/en-US/security/advisories/mfsa2017-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
