http://secunia.com/advisories/20382/
Description: Multiple vulnerabilities have been reported in Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP response smuggling attacks, and potentially compromise a user's system.
For more information, see vulnerabilities #1, #2, #3, #5, #6, #7, and #9 in: SA20376 ( = bug 135254 )
Successful exploitation of some of the vulnerabilities requires that JavaScript is enabled (not enabled by default).
The following vulnerability has also been reported: The vulnerability is caused due to a double-free error within the processing of large VCards with invalid base64 characters. This may be exploited to execute arbitrary code.
Solution: Update to version 1.5.0.4. http://www.mozilla.com/thunderbird/
Provided and/or discovered by: Masatoshi Kimura
Original Advisory: http://www.mozilla.org/security/announce/2006/mfsa2006-40.html
Other References: SA20376: http://secunia.com/advisories/20376/
Moz team, please provide 1.5.0.4 ebuilds, thanks in advance.
The list of the vulns against thunderbird 1.5.0.3 are:
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)
http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird
1.0.8 may be also affected, but not patched yet.
*** Bug 135284 has been marked as a duplicate of this bug. ***
When you all are ready, call archs for 1.5.0.4 stable, enigmail-0.94.0-r4 stable, and that should cover source builds. Do not forget to have amd64 and x86 mark 1.5.0.4 binary stable as well.
1.5.0.4 is in the tree; mark it stable. There will be no 1.0.x release with fixes unless we are to backport them ourselves. amd64 and x86, do not forget to mark -bin as well.
Source is stable on amd64; someone else in herd please handle -bin. When marking source stable, please mark enigmail-0.94.0-r4 stable as well; the only difference between the revisions is the thunderbird we use to build enigmail, and we do not need to introduce a security flaw to enigmail now.
Stable on ppc.
x86 done
sparc stable.
For GLSA's sake: Does anybody know whether these bugs affect only HTML view? Can users work around by setting "View" -> "Message Body As" -> "Plain Text"?
amd64 please test and mark stable.
Alpha team, please stabilize 1.5.0.4 too if possible, since you still provide the 1.0.7 ebuild which is affected by bug 120485.
(In reply to comment #12)
> Alpha team, please stabilize 1.5.0.4 too if possible, since you still provide
> the 1.0.7 ebuild which is affected by bug 120485.
and by bug 130888 too.
(In reply to comment #12)
> Alpha team, please stabilize 1.5.0.4 too if possible, since you still provide
> the 1.0.7 ebuild which is affected by bug 120485.
We don't provide 1.0.7, it is masked by profiles/default-linux/alpha/package.mask. As for keywording 1.5, we are still having problems, see Bug #131359. I'll take a look at 1.5.0.4 later today. I'm removing alpha@g.o from CC since we don't provide any affected versions. Re-add us if you need anything else.
> We don't provide 1.0.7, it is masked by
> profiles/default-linux/alpha/package.mask.
OK, thank you, I missed that.
amd64 please act or advise on what's wrong
I'm an amd64 AT. Will test today and get someone to mark stable if it passes.
Correction to my last - my system is currently ~amd64, so not good for stabilizing this. Will corner someone on #g-amd64-dev today or do it in a chroot.
Anarchy already stabilized these on amd64, 10 days ago. I guess he just forgot to update the bug. Anyway, removing amd64 from the CC.
So I guess this one is ready for GLSA; sorry for the delay.
GLSA 200606-21