196481 2007-10-20 02:22 0000 mail-client/mozilla-thunderbird (-bin) < 2.0.0.9 Memory management vulnerabilities (CVE-2007-{5339,5340}) 2007-11-20 21:29:14 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/27313/ A2 [glsa] P2 major --- 199299 1 rbu@gentoo.org security@gentoo.org mips@gentoo.org mozilla@gentoo.org rbu@gentoo.org 2007-10-20 02:22:10 0000 Secunia: Some vulnerabilities have been reported in Mozilla Thunderbird, which potentially can be exploited by malicious people to compromise a user's system. 1) Various errors in the browser engine can be exploited to cause a memory corruption. 2) Various errors in the Javascript engine can be exploited to cause a memory corruption. Successful exploitation of these vulnerabilities may allow execution of arbitrary code. Fixed in Thunderbird 2.0.0.8 rbu@gentoo.org 2007-10-20 02:23:07 0000 Mozilla, please advise. rbu@gentoo.org 2007-10-24 22:29:36 0000 Should we bump the package ourselves? The patches are available without a lot of hassle. jaervosz@gentoo.org 2007-10-25 06:34:14 0000 In general we should bump packages if maintainers don't respond in a timely manner. Though we should try to poke them on IRC at least beforehand. rbu@gentoo.org 2007-10-25 07:32:09 0000 (In reply to comment #3) > In general we should bump packages if maintainers don't respond in a timely > manner. Though we should try to poke them on IRC at least beforehand. Seems I wasn't clear enough. I meant we (Gentoo's mozilla herd) should bump it since Mozilla upstream did not release yet. jaervosz@gentoo.org 2007-10-25 07:36:19 0000 Oh, I'm confusing roles here. I won't stand in the way of the herd bumping it's package:) armin76@gentoo.org 2007-10-25 10:26:28 0000 Where are the patches? rbu@gentoo.org 2007-10-28 15:07:11 0000 (In reply to comment #6) > Where are the patches? Debian ships some for 1.5 which are pretty much undocumented because of the embargo. Ubuntu released a "pre" snapshot. In light of the other regressions you mentioned we should probably wait for upstream. armin76@gentoo.org 2007-11-15 15:11:48 0000 In CVS To be done: mail-client/mozilla-thunderbird-2.0.0.9 x11-plugins/enigmail-0.95.3-r1 mail-client/mozilla-thunderbird-bin-2.0.0.9 rbu@gentoo.org 2007-11-15 16:05:58 0000 Arches, please test and mark stable mail-client/mozilla-thunderbird-2.0.0.9. Target keywords : "alpha amd64 ia64 mips ppc ppc64 sparc x86" x11-plugins/enigmail-0.95.5-r1. Target keywords : "alpha amd64 ia64 mips ppc ppc64 sparc x86" mail-client/mozilla-thunderbird-bin-2.0.0.9: Target keywords : "amd64 x86" jackdachef@gmail.com 2007-11-15 20:21:56 0000 compiled and seems to work fine (still testing): genlop -t mozilla-thunderbird * mail-client/mozilla-thunderbird Thu Nov 15 21:17:42 2007 >>> mail-client/mozilla-thunderbird-2.0.0.9 merge time: 18 minutes and 44 seconds. Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.2.2, glibc-2.7-r0, 2.6.23-kamikaze5-amd64 x86_64) ================================================================= System uname: 2.6.23-kamikaze5-amd64 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz Timestamp of tree: Thu, 15 Nov 2007 19:30:01 +0000 app-shells/bash: 3.2_p17-r1 dev-java/java-config: 1.3.7, 2.1.2-r1 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 2.0.0_rc6 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3, 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.22-r2 ACCEPT_KEYWORDS="amd64 ~amd64" CBUILD="x86_64-pc-linux-gnu" maekke@gentoo.org 2007-11-15 21:16:42 0000 x86 stable beandog@gentoo.org 2007-11-15 23:47:27 0000 amd64 stable armin76@gentoo.org 2007-11-16 15:48:35 0000 alpha/ia64/sparc stable i said enigmail-0.95.3-r1, but .5 is fine as well :) corsair@gentoo.org 2007-11-18 13:39:29 0000 ppc64 stable dertobi123@gentoo.org 2007-11-18 15:38:06 0000 ppc stable py@gentoo.org 2007-11-18 21:33:45 0000 GLSA 200711-24