Bug 307045 - <mail-client/mozilla-thunderbird{,-bin}-3.0.3: Multiple vulnerabilities (CVE-2009-{1571,3979,3980,3981,3982},CVE-2010-{0159,0167,0169,0171})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.mozillamessaging.com/en-US...
Whiteboard: A2 [glsa]
Reported: 2010-02-27 07:49 UTC by Arseny Solokha
Modified: 2013-01-08 01:03 UTC
Description Arseny Solokha 2010-02-27 07:49:57 UTC
Mozilla Thunderbird 3.0.2 was released on February 25, 2010. Follow the URL for release notes and the complete list of closed bug entries.
This release fixes two Mozilla Security Advisories marked as critical: http://www.mozilla.org/security/announce/2010/mfsa2010-01.html and http://www.mozilla.org/security/announce/2010/mfsa2010-03.html.

Reproducible: Always

Steps to Reproduce:
Comment 1 Sven 2010-03-02 13:58:31 UTC
3.0.3 is out
Comment 2 Arseny Solokha 2010-03-02 14:16:52 UTC
(In reply to comment #1)
> 3.0.3 is out

Fixes critical regression since 3.0.2.
Comment 3 Jory A. Pratt gentoo-dev 2010-03-04 14:33:45 UTC
tb-3.0.3 tb-bin-3.0.3 are in the tree, will also require sqlite-3.6.22-r2 be made stable along with enigmail-1.0.1-r1. Security team feel free to bring in the archs.
Comment 4 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-04 15:38:53 UTC
Arches, please test and mark stable:
=mail-client/mozilla-thunderbird-3.0.3
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"

Arches, please test and mark stable:
=mail-client/mozilla-thunderbird-bin-3.0.3
Target keywords : "amd64 x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-04 15:51:24 UTC
(In reply to comment #3)
> tb-3.0.3 tb-bin-3.0.3 are in the tree, will also require sqlite-3.6.22-r2 be
> made stable along with enigmail-1.0.1-r1. Security team feel free to bring in
> the archs.

 Is SQLite good to go, too?
Comment 6 Jory A. Pratt gentoo-dev 2010-03-04 22:58:00 UTC
(In reply to comment #5)
> (In reply to comment #3)
> > tb-3.0.3 tb-bin-3.0.3 are in the tree, will also require sqlite-3.6.22-r2 be
> > made stable along with enigmail-1.0.1-r1. Security team feel free to bring in
> > the archs.
> 
>  Is SQLite good to go, too?
> 

I have spoken with betelgeuse and he said there was nothing to prevent it when we were ready.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2010-03-05 12:23:40 UTC
x86 stable
Comment 8 Markus Meier gentoo-dev 2010-03-07 19:23:17 UTC
amd64 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2010-03-08 19:42:33 UTC
ppc64 done
Comment 10 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 21:45:20 UTC
Marked ppc stable.
Comment 11 Jack Morgan (RETIRED) gentoo-dev 2010-03-11 05:13:19 UTC
stable on sparc:

Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2010-03-14 19:24:17 UTC
alpha/ia64/sparc stable
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 15:53:05 UTC
CVE-2009-1571 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1571):
  Use-after-free vulnerability in the HTML parser in Mozilla Firefox
  3.0.x before 3.0.18 and 3.5.x before 3.5.8, Thunderbird before 3.0.2,
  and SeaMonkey before 2.0.3 allows remote attackers to execute
  arbitrary code via unspecified method calls that attempt to access
  freed objects in low-memory situations.

Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:05:51 UTC
CVE-2009-3979 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3979):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 3.0.16 and 3.5.x before 3.5.6, SeaMonkey before 2.0.1,
  and Thunderbird allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute
  arbitrary code via unknown vectors.

Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:19:36 UTC
CVE-2009-3980 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3980):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and Thunderbird
  allow remote attackers to cause a denial of service (memory
  corruption and application crash) or possibly execute arbitrary code
  via unknown vectors.

Comment 16 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:44:51 UTC
CVE-2009-3981 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3981):
  Unspecified vulnerability in the browser engine in Mozilla Firefox
  before 3.0.16, SeaMonkey before 2.0.1, and Thunderbird allows remote
  attackers to cause a denial of service (memory corruption and
  application crash) or possibly execute arbitrary code via unknown
  vectors.

CVE-2009-3982 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3982):
  Multiple unspecified vulnerabilities in the JavaScript engine in
  Mozilla Firefox 3.5.x before 3.5.6, SeaMonkey before 2.0.1, and
  Thunderbird allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute
  arbitrary code via unknown vectors.

Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:51:21 UTC
CVE-2010-0159 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0159):
  The browser engine in Mozilla Firefox 3.0.x before 3.0.18 and 3.5.x
  before 3.5.8, Thunderbird before 3.0.2, and SeaMonkey before 2.0.3
  allows remote attackers to cause a denial of service (memory
  corruption and application crash) or possibly execute arbitrary code
  via vectors related to the nsBlockFrame::StealFrame function in
  layout/generic/nsBlockFrame.cpp, and unspecified other vectors.

Comment 18 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:59:45 UTC
CVE-2010-0167 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0167):
  The browser engine in Mozilla Firefox 3.0.x before 3.0.18, 3.5.x
  before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2; and
  SeaMonkey before 2.0.3 allows remote attackers to cause a denial of
  service (memory corruption and application crash) and possibly
  execute arbitrary code via vectors related to (1)
  layout/generic/nsBlockFrame.cpp and (2) the _evaluate function in
  modules/plugin/base/src/nsNPAPIPlugin.cpp.

Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 17:05:22 UTC
CVE-2010-0169 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0169):
  The CSSLoaderImpl::DoSheetComplete function in
  layout/style/nsCSSLoader.cpp in Mozilla Firefox 3.0.x before 3.0.18,
  3.5.x before 3.5.8, and 3.6.x before 3.6.2; Thunderbird before 3.0.2;
  and SeaMonkey before 2.0.3 changes the case of certain strings in a
  stylesheet before adding this stylesheet to the XUL cache, which
  might allow remote attackers to modify the browser's font and other
  CSS attributes, and potentially disrupt rendering of a web page, by
  forcing the browser to perform this erroneous stylesheet caching.

CVE-2010-0171 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0171):
  Mozilla Firefox 3.0.x before 3.0.18, 3.5.x before 3.5.8, and 3.6.x
  before 3.6.2; Thunderbird before 3.0.2; and SeaMonkey before 2.0.3
  allow remote attackers to perform cross-origin keystroke capture, and
  possibly conduct cross-site scripting (XSS) attacks, by using the
  addEventListener and setTimeout functions in conjunction with a
  wrapped object.  NOTE: this vulnerability exists because of an
  incomplete fix for CVE-2007-3736.

Comment 20 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:36 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 21 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:20:27 UTC
Added to existing GLSA request.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:43 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).