| Summary: | mail-client/mozilla-thunderbird (-bin) < 2.0.0.9 Memory management vulnerabilities (CVE-2007-{5339,5340}) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | major | CC: | mozilla |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://secunia.com/advisories/27313/ | ||
| Whiteboard: | A2 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 199299 | ||
Mozilla, please advise. Should we bump the package ourselves? The patches are available without a lot of hassle. In general we should bump packages if maintainers don't respond in a timely manner. Though we should try to poke them on IRC at least beforehand. (In reply to comment #3) > In general we should bump packages if maintainers don't respond in a timely > manner. Though we should try to poke them on IRC at least beforehand. Seems I wasn't clear enough. I meant we (Gentoo's mozilla herd) should bump it since Mozilla upstream did not release yet. Oh, I'm confusing roles here. I won't stand in the way of the herd bumping it's package:) Where are the patches? (In reply to comment #6) > Where are the patches? Debian ships some for 1.5 which are pretty much undocumented because of the embargo. Ubuntu released a "pre" snapshot. In light of the other regressions you mentioned we should probably wait for upstream. In CVS To be done: mail-client/mozilla-thunderbird-2.0.0.9 x11-plugins/enigmail-0.95.3-r1 mail-client/mozilla-thunderbird-bin-2.0.0.9 Arches, please test and mark stable mail-client/mozilla-thunderbird-2.0.0.9. Target keywords : "alpha amd64 ia64 mips ppc ppc64 sparc x86" x11-plugins/enigmail-0.95.5-r1. Target keywords : "alpha amd64 ia64 mips ppc ppc64 sparc x86" mail-client/mozilla-thunderbird-bin-2.0.0.9: Target keywords : "amd64 x86" compiled and seems to work fine (still testing):
genlop -t mozilla-thunderbird
* mail-client/mozilla-thunderbird
Thu Nov 15 21:17:42 2007 >>> mail-client/mozilla-thunderbird-2.0.0.9
merge time: 18 minutes and 44 seconds.
Portage 2.1.3.19 (default-linux/amd64/2007.0, gcc-4.2.2, glibc-2.7-r0, 2.6.23-kamikaze5-amd64 x86_64)
=================================================================
System uname: 2.6.23-kamikaze5-amd64 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz
Timestamp of tree: Thu, 15 Nov 2007 19:30:01 +0000
app-shells/bash: 3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.2-r1
dev-lang/python: 2.4.4-r6
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 2.0.0_rc6
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r1
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils: 2.16.1-r3, 2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.24
virtual/os-headers: 2.6.22-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
x86 stable amd64 stable alpha/ia64/sparc stable i said enigmail-0.95.3-r1, but .5 is fine as well :) ppc64 stable ppc stable GLSA 200711-24 |
Secunia: Some vulnerabilities have been reported in Mozilla Thunderbird, which potentially can be exploited by malicious people to compromise a user's system. 1) Various errors in the browser engine can be exploited to cause a memory corruption. 2) Various errors in the Javascript engine can be exploited to cause a memory corruption. Successful exploitation of these vulnerabilities may allow execution of arbitrary code. Fixed in Thunderbird 2.0.0.8