Bug 196481 - mail-client/mozilla-thunderbird (-bin) < 2.0.0.9 Memory management vulnerabilities (CVE-2007-{5339,5340})
Bug#: 196481
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/27313/
Summary: mail-client/mozilla-thunderbird (-bin) < 2.0.0.9 Memory management vulnerabilities (CVE-2007-{5339,5340})
Status Whiteboard: A2 [glsa]
Opened: 2007-10-20 02:22 0000
Secunia:
Some vulnerabilities have been reported in Mozilla Thunderbird, which potentially can be exploited by malicious people to compromise a user's system.
1) Various errors in the browser engine can be exploited to cause a memory corruption.
2) Various errors in the JavaScript engine can be exploited to cause a memory corruption.
Successful exploitation of these vulnerabilities may allow execution of arbitrary code.
Fixed in Thunderbird 2.0.0.8
Should we bump the package ourselves? The patches are available without a lot
of hassle.
In general we should bump packages if maintainers don't respond in a timely
manner. Though we should try to poke them on IRC at least beforehand.
(In reply to comment #3)
> In general we should bump packages if maintainers don't respond in a timely
> manner. Though we should try to poke them on IRC at least beforehand.
Seems I wasn't clear enough. I meant we (Gentoo's mozilla herd) should bump it
since Mozilla upstream did not release yet.
Oh, I'm confusing roles here. I won't stand in the way of the herd bumping its package :)
(In reply to comment #6)
> Where are the patches?
Debian ships some for 1.5 which are pretty much undocumented because of the
embargo. Ubuntu released a "pre" snapshot. In light of the other regressions
you mentioned we should probably wait for upstream.
In CVS
To be done:
mail-client/mozilla-thunderbird-2.0.0.9
x11-plugins/enigmail-0.95.3-r1
mail-client/mozilla-thunderbird-bin-2.0.0.9
Arches, please test and mark stable mail-client/mozilla-thunderbird-2.0.0.9.
Target keywords : "alpha amd64 ia64 mips ppc ppc64 sparc x86"
x11-plugins/enigmail-0.95.5-r1.
Target keywords : "alpha amd64 ia64 mips ppc ppc64 sparc x86"
mail-client/mozilla-thunderbird-bin-2.0.0.9:
Target keywords : "amd64 x86"
Compiled and seems to work fine (still testing):
genlop -t mozilla-thunderbird
* mail-client/mozilla-thunderbird
Thu Nov 15 21:17:42 2007 >>> mail-client/mozilla-thunderbird-2.0.0.9
merge time: 18 minutes and 44 seconds.
Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.2.2, glibc-2.7-r0,
2.6.23-kamikaze5-amd64 x86_64)
=================================================================
System uname: 2.6.23-kamikaze5-amd64 x86_64 Intel(R) Core(TM)2 CPU 6600 @
2.40GHz
Timestamp of tree: Thu, 15 Nov 2007 19:30:01 +0000
app-shells/bash: 3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.2-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0_rc6
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3, 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
alpha/ia64/sparc stable
I said enigmail-0.95.3-r1, but .5 is fine as well :)
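The stabilization request above names the fixed versions; one way to turn that into a check over a list of installed atoms, as an added example that is not part of this bug or of Gentoo's own tooling (glsa-check is the real tool): the FIXED table is taken from the "To be done" comment, the installed-atom list is constructed, and the version ordering is a simplified form of Gentoo's (integer components, _alpha/_beta/_pre/_rc/_p suffixes, -rN revisions).

```python
import re

# Fixed versions from this bug's "To be done" list; anything older is affected.
FIXED = {
    "mail-client/mozilla-thunderbird": "2.0.0.9",
    "mail-client/mozilla-thunderbird-bin": "2.0.0.9",
    "x11-plugins/enigmail": "0.95.5-r1",
}
# Gentoo suffix order: _alpha < _beta < _pre < _rc < (release) < _p
SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)((?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(\d+))?")

def version_key(ver):
    """'2.0.0_rc6-r1' -> ([2,0,0], [(rank_of_rc, 6)], 1); components compare as integers."""
    m = VERSION_RE.fullmatch(ver)
    if not m:
        raise ValueError(f"unparseable Gentoo version: {ver!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    suffixes = [(SUFFIX_RANK[n], int(d or 0)) for n, d in re.findall(r"_([a-z]+)(\d*)", m.group(2))]
    return nums, suffixes, int(m.group(3) or 0)

def version_lt(a, b):
    """True if Gentoo version a sorts strictly before b."""
    an, asf, ar = version_key(a)
    bn, bsf, br = version_key(b)
    an += [0] * (len(bn) - len(an)); bn += [0] * (len(an) - len(bn))  # so 2.0.0 < 2.0.0.9
    if an != bn:
        return an < bn
    release = (SUFFIX_RANK[""], 0)  # a bare version is a release: after _rc, before _p
    asf += [release] * (len(bsf) - len(asf)); bsf += [release] * (len(asf) - len(bsf))
    if asf != bsf:
        return asf < bsf
    return ar < br  # same version: compare -rN revision (missing -r counts as -r0)

def split_atom(atom):
    """'mail-client/mozilla-thunderbird-bin-2.0.0.9' -> (package, '2.0.0.9')."""
    cat, _, pv = atom.partition("/")
    name, ver = re.fullmatch(r"(.+?)-(\d.*)", pv).groups()  # first '-<digit>' starts the version
    return f"{cat}/{name}", ver

def affected(atom):
    """True if the atom's package is in FIXED and its version predates the fix."""
    pkg, ver = split_atom(atom)
    fixed = FIXED.get(pkg)
    return fixed is not None and version_lt(ver, fixed)

def scan(installed):
    return [atom for atom in installed if affected(atom)]
# Constructed sample of installed atoms (not taken from the bug).
SAMPLE = ["mail-client/mozilla-thunderbird-2.0.0.6", "mail-client/mozilla-thunderbird-bin-2.0.0.9",
          "x11-plugins/enigmail-0.95.3-r1", "x11-plugins/enigmail-0.95.5-r1",
          "mail-client/mozilla-thunderbird-2.0.0.9_rc1", "app-shells/bash-3.2_p17-r1"]
```

scan(SAMPLE) returns the three atoms that are older than their fix: the 2.0.0.6 Thunderbird, enigmail-0.95.3-r1, and the constructed 2.0.0.9_rc1 pre-release; the bash atom is ignored because its package is not covered by the bug.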