Bug 130888 - mail-client/mozilla-thunderbird: 1.0.8 fixes several vuln's, included code execution (CVE-2006-0748)
Bug#: 130888
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: falco@gentoo.org
Component: Vulnerabilities
URL: http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird
Summary: mail-client/mozilla-thunderbird: 1.0.8 fixes several vuln's, included code execution (CVE-2006-0748)
Keywords:
Status Whiteboard: A2 [tempglsa stable+ alpha] Falco
Opened: 2006-04-22 14:02 0000
Splitting #129924 into one bug per package to help handling.
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird
Fixed in Thunderbird 1.0.8
MFSA 2006-27 Table Rebuilding Code Execution Vulnerability
MFSA 2006-26 Mail Multiple Information Disclosure
MFSA 2006-25 Privilege escalation through Print Preview
MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
MFSA 2006-21 JavaScript execution in mail when forwarding in-line
MFSA 2006-19 Cross-site scripting using .valueOf.call()
MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability
MFSA 2006-17 cross-site scripting through window.controllers
MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()
MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent
MFSA 2006-14 Privilege escalation via XBL.method.eval
MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)
MFSA 2006-10 JavaScript garbage-collection hazard audit
MFSA 2006-09 Cross-site JavaScript injection using event handlers
MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist()
MFSA 2006-01 JavaScript garbage-collection hazards
same as the moz-1.0.8 thing (#129924), moz team, please provide a new ebuild
mail-client/mozilla-thunderbird-1.0.8
Please keyword 1.5.0.2 where possible, ONLY keyword 1.0.8 for those who can NOT
mark 1.5.0.2. AMD64 and X86 DO NOT forget -bin.
(bugzie forced a comment for some minor changes, so here is one to make it
happy)
If you keyword 1.5.0.2, please keyword enigmail-0.94.0-r2 as well; sorry for not
getting it in the original post.
(In reply to comment #4)
> If you keyword 1.5.0.2 please keyword enigmail-0.94.0-r2 as well sorry for not
> getting it in original post.
There's no enigmail-0.94.0-r2, I guess we can keyword enigmail-0.94.0-r1?
<@Anarchy> dertobi123, enigmail-0.94.0-r2 is in the tree I forgot to make the
commit with all other commits and bumps I am working on
so, ppc stable :)
moz-1.0.8 and moz-bin-1.0.8 stable on x86
alpha team, aware? something wrong?
See the bug this one depends on :)
- ferdy
oh ok, sorry :)
It's worrying. Is #131359 progressing? ETA?
We'll probably have to publish the GLSA and say alpha is still affected, and
update it when it gets fixed...
A temporary GLSA was sent : GLSA 200605-09
We'll update it once TB reaches stable on alpha
(In reply to comment #12)
> it's worrying. Is #131359 progressing ? ETA ?
No progress or ETA, so I've masked =mail-client/mozilla-thunderbird-1.0.7* in
profiles/default-linux/alpha/package.mask and dropped the ~alpha keyword from
thunderbird-1.0.8 as it is badly broken on alpha (Bug #131359) and 1.5 doesn't
compile (also Bug #131359).
BTW, I only see alpha in the "Status Whiteboard", but it looks like ia64 still
needs to mark 1.5.X or 1.0.8 stable. Re-add us if you need anything.
> BTW, I only see alpha in the "Status Whiteboard", but it looks ia64 needs to
> still mark 1.5.X or 1.0.8 stable. Re-add us if you need anything.
>
Contrary to the "supported" arches [1], ia64 is not obliged to stabilize the
ebuilds concerning the security issues before we send a GLSA.
[1] http://www.gentoo.org/security/en/vulnerability-policy.xml , part 1,
"Scope"
Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to
keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is
affected by several vulnerabilities.
I suggest closing this bug as soon as Alpha stabilizes 1.5.0.4 in bug 135256.
(In reply to comment #17)
> Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to
> keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is
> affected by several vulnerabilities.
> I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256.
mozilla-thunderbird-1.5.0.4 is also broken on alpha. It uses ~100% of the CPU
and the main window never comes up. This is similar to the problem we are
having with firefox-1.5 on alpha, see Bug #128777. This bug can probably be
closed since it isn't looking like we will be able to mark thunderbird-1.5
stable on alpha and alpha has all affected versions of thunderbird masked in
profiles/default-linux/alpha/package.mask.
Output of `top`:
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
3593 tcort 20 0 33120 32m 23m R 93.2 10.4 9:52.85 thunderbird-bin
> mozilla-thunderbird-1.5.0.4 is also broken on alpha.
OK, so you will have to leave thunderbird masked :(
You're right, I can close this bug. Same for bug 120485.