MGASA-2017-0059

Updated Iceape packages derived from Seamonkey include security fixes from Mozilla Firefox:

Heap-based buffer overflow in the nsCaseTransformTextRunFactory::TransformString function in Seamonkey before 2.46 allows remote attackers to cause a denial of service (boolean out-of-bounds write) or possibly have unspecified other impact via Unicode characters that are mishandled during text conversion. (CVE-2016-5270)

The PropertyProvider::GetSpacingInternal function in Seamonkey before 2.46 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via text runs in conjunction with a "display: contents" Cascading Style Sheets (CSS) property. (CVE-2016-5271)

The nsImageGeometryMixin class in Seamonkey before 2.46 does not properly perform a cast of an unspecified variable during handling of INPUT elements, which allows remote attackers to execute arbitrary code via a crafted web site. (CVE-2016-5272)

Use-after-free vulnerability in the mozilla::a11y::DocAccessible::ProcessInvalidationList function in Seamonkey before 2.46 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an aria-owns attribute. (CVE-2016-5276)

Use-after-free vulnerability in the nsFrameManager::CaptureFrameState function in Seamonkey before 2.46 allows remote attackers to execute arbitrary code by leveraging improper interaction between restyling and the Web Animations model implementation. (CVE-2016-5274)

Use-after-free vulnerability in the nsRefreshDriver::Tick function in Seamonkey before 2.46 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging improper interaction between timeline destruction and the Web Animations model implementation. (CVE-2016-5277)

Heap-based buffer overflow in the nsBMPEncoder::AddImageFrame function in Seamonkey before 2.46 allows remote attackers to execute arbitrary code via a crafted image data that is mishandled during the encoding of an image frame to an image. (CVE-2016-5278)

Use-after-free vulnerability in the mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap function in Seamonkey before 2.46 allows remote attackers to execute arbitrary code via bidirectional text. (CVE-2016-5280)

Use-after-free vulnerability in the DOMSVGLength class in Seamonkey before 2.46 allows remote attackers to execute arbitrary code by leveraging improper interaction between JavaScript code and an SVG document. (CVE-2016-5281)

Seamonkey before 2.46 relies on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority. (CVE-2016-5284)

Multiple unspecified vulnerabilities in the browser engine in Seamonkey before 2.46 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. (CVE-2016-5257)