109094 – mail-client/mozilla-thunderbird{-bin}: does 1.0.7 fixes vulnerabilities ?

Bug 109094 - mail-client/mozilla-thunderbird{-bin}: does 1.0.7 fixes vulnerabilities ?

Summary: mail-client/mozilla-thunderbird{-bin}: does 1.0.7 fixes vulnerabilities ?

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High major
Assignee:	Gentoo Security

URL:	http://www.mozilla.org/projects/secur...
Whiteboard:	A2? [noglsa] koon
Keywords:

Depends on:
Blocks:

Reported:	2005-10-13 00:56 UTC by Thierry Carrez (RETIRED)
Modified:	2005-10-18 05:38 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thierry Carrez (RETIRED) gentoo-dev

2005-10-13 00:56:06 UTC

Thunderbird might be vulnerable to more than just the Mozilla Foundation says
(it might be vuylnerable to much of the recent Firefox issues). At least
Madriva, RedHat and Ubuntu are quite convinced of this.

I asked for details, opening a bug do keep track of the issue.

Comment 1 Thierry Carrez (RETIRED) gentoo-dev

2005-10-13 01:05:36 UTC

Testing and marking those stable preventively might be a good idea :

mozilla-thunderbird Target KEYWORDS="alpha amd64 ia64 ppc sparc x86"
mozilla-thunderbird-bin Target KEYWORDS="amd64 x86"

Comment 2 Gustavo Zacarias (RETIRED) gentoo-dev

2005-10-13 11:21:15 UTC

sparc stable.

Comment 3 Paul Varner (RETIRED) gentoo-dev

2005-10-13 14:46:49 UTC

Stable on x86

Comment 4 Homer Parker (RETIRED) gentoo-dev

2005-10-13 18:58:03 UTC

mozilla-thunderbird ok on amd64

Comment 5 Michael Sawczuk 2005-10-13 23:04:36 UTC

(In reply to comment #4)
> mozilla-thunderbird ok on amd64

Shouldn't thunderbird-bin also be marked stable on AMD64?

Comment 6 Thierry Carrez (RETIRED) gentoo-dev

2005-10-14 00:31:49 UTC

(In reply to comment #5)
> 
> Shouldn't thunderbird-bin also be marked stable on AMD64?

Yes it should.

Comment 7 Simon Stelling (RETIRED) gentoo-dev

2005-10-14 01:40:19 UTC

-bin stable too on amd64

Comment 8 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev

2005-10-15 06:44:11 UTC

Alpha Stable ( 1.0.7 )

BTW, ia64 seems to be done and keyworded by agriffis (please Aron, CC'ed ia64
again if needed).

Comment 9 Joe Jezak (RETIRED) gentoo-dev

2005-10-15 13:19:08 UTC

Marked ppc stable.

Comment 10 Thierry Carrez (RETIRED) gentoo-dev

2005-10-16 02:02:07 UTC

Ready for GLSA, waiting for more information about vulnerability of TB.

Comment 11 Thierry Carrez (RETIRED) gentoo-dev

2005-10-18 05:38:05 UTC

Here is the results of our ivestigation, thanks to Josh Bressers of RedHat :

- The XBM image decoder issue does not affect Thunderbird.
- The zero-width non-joiner sequences can just be used to crash TB
- The other flaws need Javascript (off in Thunderbird)

So I'll close this one as WORKSFORME. Feel free to reopen if you disagree.