Bug 158571 - mail-client/mozilla-thunderbird(-bin) <1.5.0.9 - multiple vulnerabilities
|
Bug#:
158571
|
Product: Gentoo Security
|
Version: unspecified
|
Platform: All
|
|
OS/Version: Linux
|
Status: RESOLVED
|
Severity: major
|
Priority: P2
|
|
Resolution: FIXED
|
Assigned To: security@gentoo.org
|
Reported By: geekypenguin@gmail.com
|
|
Component: Vulnerabilities
|
|
|
URL:
|
|
Summary: mail-client/mozilla-thunderbird(-bin) <1.5.0.9 - multiple vulnerabilities
|
|
Keywords:
|
|
Status Whiteboard: A2 [glsa] Falco
|
|
Opened: 2006-12-19 11:50 0000
|
MFSA 2006-74 Mail header processing heap overflows
MFSA 2006-73 Mozilla SVG Processing Remote Code Execution
MFSA 2006-72 XSS by setting img.src to javascript: URI
MFSA 2006-71 LiveConnect crash finalizing JS objects
MFSA 2006-70 Privilege escallation using watch point
MFSA 2006-69 CSS cursor image buffer overflow (Windows only)
MFSA 2006-68 Crashes with evidence of memory corruption (rv:1.8.0.9/1.8.1.1)
Both Thunderbird source and bin are in the tree already :)
We can go ahead with the security move on this one. everything less then
1.5.0.9 is effected also.
Feel free to add the archs.
cc'ing arches per Anarchy's request.
In x86, bin version:
Emerges and works fine.
Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4,
2.6.18-gentoo-r4 i686)
=================================================================
System uname: 2.6.18-gentoo-r4 i686 AMD Athlon(tm) Processor
Gentoo Base System version 1.12.6
Last Sync: Wed, 20 Dec 2006 09:50:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=athlon-tbird -mtune=athlon-tbird -O2 -pipe
-fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon-tbird -mtune=athlon-tbird -O2 -pipe
-fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig collision-protect distlocks metadata-transfer sandbox
sfperms strict"
GENTOO_MIRRORS="ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ "
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j2"
PKGDIR="/tmp/lea/var/tmp/binpkgs"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/layman/sunrise"
SYNC="rsync://rsync.belnet.be/packages/gentoo-portage"
USE="x86 X bitmap-fonts bzip2 cairo cdr cli cracklib crypt dbus dlloader dri
dvd dvdr eds elibc_glibc emboss encode fam firefox fortran gif gnome gpm
gstreamer gtk hal iconv input_devices_evdev input_devices_keyboard
input_devices_mouse isdnlog jpeg kde kernel_linux ldap libg++ mad mikmod mp3
mpeg ncurses nptl nptlonly ogg opengl pam pcre perl png ppds pppd python qt3
qt4 quicktime readline reflection sdl session spell spl ssl tcpd truetype
truetype-fonts type1-fonts udev unicode userland_GNU video_cards_vesa vorbis
win32codecs xml xorg xv zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LDFLAGS, LINGUAS,
PORTAGE_RSYNC_EXTRA_OPTS
adding missing arch (unless i'm wrong)
Hint: x86 & amd64, don't forget -bin
mail-client/mozilla-thunderbird-bin-1.5.0.9
1. emerges on x86, please note:
>>> Unpacking mozilla-thunderbird-1.5.0.9-de.xpi to /var/tmp/portage/mozilla-thunderbird-bin-1.5.0.9/work
unpack mozilla-thunderbird-1.5.0.9-de.xpi: file format not recognized.
Ignoring.
>>> Unpacking mozilla-thunderbird-1.5.0.9-en-GB.xpi to /var/tmp/portage/mozilla-thunderbird-bin-1.5.0.9/work
unpack mozilla-thunderbird-1.5.0.9-en-GB.xpi: file format not recognized.
Ignoring.
/usr/portage/mail-client/mozilla-thunderbird-bin/mozilla-thunderbird-bin-1.5.0.9.ebuild:
line 88: xpi_unpack: command not found
/usr/portage/mail-client/mozilla-thunderbird-bin/mozilla-thunderbird-bin-1.5.0.9.ebuild:
line 88: xpi_unpack: command not found
and
>>> Install mozilla-thunderbird-bin-1.5.0.9 into /var/tmp/portage/mozilla-thunderbird-bin-1.5.0.9/image/ category mail-client
/usr/portage/mail-client/mozilla-thunderbird-bin/mozilla-thunderbird-bin-1.5.0.9.ebuild:
line 101: xpi_install: command not found
/usr/portage/mail-client/mozilla-thunderbird-bin/mozilla-thunderbird-bin-1.5.0.9.ebuild:
line 101: xpi_install: command not found
2. passes collision test
3. works
mail-client/mozilla-thunderbird-1.5.0.9 USE="crypt gnome ipv6 ldap xinerama
xprint -debug -moznopango"
1. emerges on x86, similar failure about unpacking .xpi:
unpack mozilla-thunderbird-1.5.0.9-de.xpi: file format not recognized.
Ignoring.
2. passes collision test
3. works
Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4,
2.6.18.5 i686)
=================================================================
System uname: 2.6.18.5 i686 AMD Athlon(TM) XP1800+
Gentoo Base System version 1.12.6
Last Sync: Wed, 20 Dec 2006 18:30:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python: 2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.3
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/openjms/config /usr/kde/3.5/env
/usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb
/usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=i686 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig ccache collision-protect distlocks fixpackages
metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv
usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LANG="en_GB.utf8"
LINGUAS="en de en_GB"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/normal"
SYNC="rsync://192.168.2.1/gentoo-portage"
USE="x86 3dnow 3dnowext X a52 aac acpi alsa apache2 bash-completion berkdb
bitmap-fonts bzip2 cairo cdr cli cracklib crypt css cups dbus divx4linux
dlloader dri dts dvd dvdr dvdread elibc_glibc emboss exif fam ffmpeg firefox
font-server fortran gdbm gif gnome gphoto2 gpm gstreamer gtk gtk2 gtkhtml hal
iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde
kernel_linux ldap libclamav libg++ linguas_de linguas_en linguas_en_GB
logitech-mouse mad mikmod mmx mmxext mono mozcalendar mozdevelop mozsvg mp3
mpeg ncurses network nls nptl nptlonly nvidia oav ogg opengl oss pam pcre perl
png ppds pppd python qt qt3 qt4 quicktime readline reflection samba sdl
seamonkey session spell spl ssl tcltk tcpd test tetex tiff truetype
truetype-fonts type1-fonts udev unicode usb userland_GNU vcd video_cards_none
video_cards_nv vorbis win32codecs xine xinerama xml xorg xorg-x11 xprint xv xvg
xvid zlib"
Unset: CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, MAKEOPTS,
PORTAGE_RSYNC_EXTRA_OPTS
mozextension is missing from the inherit ... this is being fixed and will
resolve the problems for xpi_*. Sorry for the inconvience.
thunderbird-bin-1.5.0.9 is fixed in the tree x86 and amd64 please go ahead with
stablizing it.
=mail-client/mozilla-thunderbird-1.5.0.9 seems to work on amd64, I will test
-bin later tonight.
emerge --info:
Portage 2.1.1-r2 (default-linux/amd64/2006.1/desktop, gcc-3.4.6, glibc-2.4-r4,
2.6.19-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.19-gentoo-r2 x86_64 Intel(R) Core(TM)2 CPU T7200 @
2.00GHz
Gentoo Base System version 1.12.6
Last Sync: Sun, 24 Dec 2006 20:00:01 +0000
distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632)
[disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.60
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /lib/modules /usr/kde/3.5/env /usr/kde/3.5/share/config
/usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -pipe -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks metadata-transfer multilib-strict prelink
sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.datapipe.net/gentoo"
LINGUAS="en en_US"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X a52 aac acpi aiglx alsa alsa_cards_hda-intel
alsa_pcm_plugins_adpcm alsa_pcm_plugins_alaw alsa_pcm_plugins_asym
alsa_pcm_plugins_copy alsa_pcm_plugins_dmix alsa_pcm_plugins_dshare
alsa_pcm_plugins_dsnoop alsa_pcm_plugins_empty alsa_pcm_plugins_extplug
alsa_pcm_plugins_file alsa_pcm_plugins_hooks alsa_pcm_plugins_iec958
alsa_pcm_plugins_ioplug alsa_pcm_plugins_ladspa alsa_pcm_plugins_lfloat
alsa_pcm_plugins_linear alsa_pcm_plugins_meter alsa_pcm_plugins_mulaw
alsa_pcm_plugins_multi alsa_pcm_plugins_null alsa_pcm_plugins_plug
alsa_pcm_plugins_rate alsa_pcm_plugins_route alsa_pcm_plugins_share
alsa_pcm_plugins_shm alsa_pcm_plugins_softvol arts berkdb bitmap-fonts cairo
cdda cddb cdinstall cdr cli cracklib crypt cups dbus dlloader dri dvd dvdr eds
elibc_glibc emboss encode esd exif fam firefox flac fortran gdbm gif gnome gpm
gstreamer gtk gtk2 hal iconv input_devices_evdev input_devices_keyboard
input_devices_mouse input_devices_synaptics ipv6 isdnlog jack java5 jce jikes
jpeg kde kernel_linux ldap libg++ linguas_en linguas_en_US lirc
lirc_devices_streamzap mad mikmod mp3 mpeg ncurses nls nptl nptlonly ogg opengl
pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection sdl
session spell spl srvdir ssl symlink tcpd theora truetype truetype-fonts
type1-fonts udev unicode userland_GNU video_cards_i810 video_cards_i945
video_cards_vesa vorbis x264 xml xorg xv xvid zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
PORTAGE_RSYNC_EXTRA_OPTS
I also tested mozilla-thunderbird-bin, and it appears to work as well. (emerge
--info is the same as before.)
amd64 love applied, thanks Thomas :-)
Stable on Alpha and IA64.
