Bug 313003 - <mail-client/mozilla-thunderbird-3.0.4: Multiple Vulnerabilities (CVE-2010-{0173,0182})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.mozilla.org/security/known...
Whiteboard: A2 [glsa]
Reported: 2010-04-03 17:53 UTC by 7v5w7go9ub0o
Modified: 2013-01-08 01:04 UTC
Description 7v5w7go9ub0o 2010-04-03 17:53:15 UTC
security and routine updates

Reproducible: Always
Comment 1 Sebastian Pipping gentoo-dev 2010-04-04 22:09:12 UTC
Bug report QA messages:

 * Please use full package qualifiers
   (e.g. "sys-apps/portage", not just "portage")
   in bug report titles, at the beginning ideally,
   in the future.  Thank you!
Comment 2 Jory A. Pratt gentoo-dev 2010-04-08 02:28:26 UTC
Fixed in Thunderbird 3.0.4
MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy
MFSA 2010-22 Update NSS to support TLS renegotiation indication
MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection
MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)
Comment 3 Jory A. Pratt gentoo-dev 2010-04-08 04:27:55 UTC
Security team, please feel free to bring in the archs. All archs, please ensure you mark enigmail-1.0.1-r3 stable at the same time.
Comment 4 Tomás Touceda (RETIRED) gentoo-dev 2010-04-08 13:15:15 UTC
Arches, please test and mark stable:
=mail-client/mozilla-thunderbird-3.0.4
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-04-08 13:22:29 UTC
Everyone, sorry about the bugspam, I'm training our latest recruit.
Comment 6 Sven 2010-04-08 14:27:42 UTC
(In reply to comment #4)
> Arches, please test and mark stable:
> =mail-client/mozilla-thunderbird-3.0.4

I would like to remark that spell checking doesn't work for me (amd64).
I'm trying to use myspell-dictionaries. Firefox finds them, Thunderbird 3.0.4 doesn't.
Comment 7 Jory A. Pratt gentoo-dev 2010-04-08 15:20:10 UTC
(In reply to comment #6)
> (In reply to comment #4)
> > Arches, please test and mark stable:
> > =mail-client/mozilla-thunderbird-3.0.4
> 
> I would like to remark that spell checking doesn't work for me (amd64).
> I'm trying to use myspell-dictionaries. Firefox finds them, Thunderbird 3.0.4
> doesn't.
> 

Open up a separate bug report with that info and please provide me with an strace from startup to close.
Comment 8 Thomas Kahle (RETIRED) gentoo-dev 2010-04-10 19:42:01 UTC
Testing on x86: Everything fine for me.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2010-04-12 19:37:39 UTC
ppc64 done
Comment 10 Brent Baude (RETIRED) gentoo-dev 2010-04-12 20:30:58 UTC
ppc done
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2010-04-14 12:14:53 UTC
stable x86, thanks Thomas
Comment 12 Thomas Kahle (RETIRED) gentoo-dev 2010-04-15 05:43:27 UTC
(In reply to comment #3)
> Security team, please feel free to bring in the archs. All archs, please ensure
> you mark enigmail-1.0.1-r3 stable at the same time.

Readding x86 as enigmail is not stabled yet.
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2010-04-15 07:27:20 UTC
I did -bin and enigmail.  Please note ALL packages to be stabilised in the cc message.
Comment 14 Markus Meier gentoo-dev 2010-04-18 11:52:03 UTC
amd64 stable
Comment 15 Raúl Porcel (RETIRED) gentoo-dev 2010-04-23 19:07:51 UTC
alpha/ia64/sparc stable
Comment 16 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:48 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 17 Tim Sammut (RETIRED) gentoo-dev 2010-11-20 23:13:33 UTC
Bug added to existing Mozilla GLSA request.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-07-21 14:37:50 UTC
CVE-2010-0182 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0182):
  The XMLDocument::load function in Mozilla Firefox before 3.5.9 and 3.6.x
  before 3.6.2, Thunderbird before 3.0.4, and SeaMonkey before 2.0.4 does not
  perform the expected nsIContentPolicy checks during loading of content by
  XML documents, which allows attackers to bypass intended access restrictions
  via crafted content.

CVE-2010-0173 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0173):
  Multiple unspecified vulnerabilities in the browser engine in Mozilla
  Firefox before 3.5.9 and 3.6.x before 3.6.2, Thunderbird before 3.0.4, and
  SeaMonkey before 2.0.4 allow remote attackers to cause a denial of service
  (memory corruption and application crash) or possibly execute arbitrary code
  via unknown vectors.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:04:12 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).