Bug#: 120485
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Rob M. <thehandoftyr@gmail.com>

Description:   Opened: 2006-01-26 16:32 0000
Note: This is only confirmed on Windows 1.0.2, 1.0.6, and 1.0.7, but I believe
Mandriva has issued a patch... so it may affect Linux as well.

In Mozilla Thunderbird <= 1.0.7, file attachment names and icons may be spoofed
via false Content-Type: headers and file extensions.

This is probably not severe, but it may be possible to have GUI users save
malware attachments on their Desktop that are valid desktop launcher files for
GNOME or KDE... which would allow executing arbitrary existing commands with
the privilege of the user when clicked, including the obligatory 'rm -rf *'.

Resolution: upgrade to 1.5, find specific-version patches for older versions?
(Mandriva has them for 1.0.6)

Credits: Andreas Sanblad, Secunia Research
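As an added illustration (not part of the bug report, and not Mozilla's or Gentoo's code), the defender-side check a mail gateway or client could apply to the spoofing described above: compare each attachment's declared Content-Type with the type implied by its filename extension, and flag names ending in a GNOME/KDE launcher suffix. The sample message, the suffix list and the function name are my own constructions.

```python
import email
import mimetypes
from email import policy

# Constructed sample message (not from the bug report). The second attachment
# declares itself a PDF but carries a .desktop launcher extension.
SAMPLE_MESSAGE = b"""\
From: sender@example.test
To: user@example.test
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: text/plain
Content-Disposition: attachment; filename="notes.txt"

plain notes, declared type matches the extension
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf.desktop"

[Desktop Entry]
--b1--
"""

# Assumed list of desktop-launcher suffixes to treat as high risk.
LAUNCHER_SUFFIXES = (".desktop", ".kdelnk")

def find_spoofed_attachments(raw):
    """Return one finding per attachment whose declared Content-Type disagrees
    with the type implied by its filename extension, or whose filename ends in
    a desktop-launcher suffix. Each finding is a dict with the reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        declared = part.get_content_type()       # e.g. "application/pdf"
        guessed, _ = mimetypes.guess_type(name)  # type implied by the extension
        reasons = []
        if name.lower().endswith(LAUNCHER_SUFFIXES):
            reasons.append("desktop launcher extension")
        if guessed is None:
            reasons.append("unknown extension")
        elif guessed != declared:
            reasons.append(f"Content-Type {declared} != extension type {guessed}")
        if reasons:
            findings.append({"filename": name, "content_type": declared, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_spoofed_attachments(SAMPLE_MESSAGE):
        print(f)
```

On the sample message only `report.pdf.desktop` is reported; `notes.txt` passes because its declared type and extension agree.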

------- Comment #1 From Sune Kloppenborg Jeppesen 2006-02-06 12:28:21 0000 -------
Mozilla please advise.

------- Comment #2 From Thierry Carrez (RETIRED) 2006-02-11 13:51:03 0000 -------
mozilla team, please advise if stabling 1.5 is an option here...

------- Comment #3 From Jory A. Pratt 2006-02-11 15:23:42 0000 -------
1.5 can be stabilized; use -r1 if you wish to stabilize right now. I will
get enigmail-0.94.0 in tree in a day or so; it should be stabilized at the same time.

------- Comment #4 From Jory A. Pratt 2006-02-11 16:03:03 0000 -------
enigmail-0.94.0 is in the tree. If you wish to mark 1.5-r1 stable, do not forget to
stabilize enigmail.

------- Comment #5 From Thierry Carrez (RETIRED) 2006-02-12 10:59:25 0000 -------
This is https://bugzilla.mozilla.org/show_bug.cgi?id=300246
Apparently too late for 1.0.8

I'd prefer not to rush 1.5 stable just for such a lame vulnerability

------- Comment #6 From Raphael Marichez 2006-06-11 12:01:15 0000 -------
(In reply to comment #5)
> This is https://bugzilla.mozilla.org/show_bug.cgi?id=300246
> Apparently too late for 1.0.8
> 
> I'd prefer not to rush 1.5 stable just for such a lame vulnerability
This last comment is now obsolete since the 1.5 branch is the only maintained
branch now.
Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to
keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is
affected by several vulnerabilities.
I suggest closing this bug as soon as Alpha stabilizes 1.5.0.4 in bug 135256.

------- Comment #7 From Raphael Marichez 2006-06-13 12:57:49 0000 -------
> Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to
> keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is
> affected by several vulnerabilities.
> I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256.

Alpha can't stabilize the 1.5 branch (see bug 130888 and bug 128777). We can
close this bug. (noglsa, was already corrected some weeks ago)

------- Comment #8 From Thierry Carrez (RETIRED) 2006-07-03 12:45:25 0000 -------
Closing as fixed in 1.5-line.
