
Bug 282549

Summary: <mail-client/mozilla-thunderbird-2.0.0.23 Multiple vulnerabilities (CVE-2009-{2404,2408})
Product: Gentoo Security Reporter: Lars Lindley <lars.lindley>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: basic, dhp_gentoo, gentoo.bugs.10
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.23
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Lars Lindley 2009-08-24 10:42:17 UTC
From Heise online: "The Mozilla developers have announced the release of version 2.0.0.23 of their popular Thunderbird email client, addressing a vulnerability in the processing of SSL certificates. Previously, inserting a null character in a certificate could trick some applications into treating, for example, the certificate displayed on www.paypal.com\0.thoughtcrime.org as if it belonged to www.paypal.com."

Would be nice to get this in the tree.


Reproducible: Always
Comment 1 Lars Lindley 2009-08-24 20:18:13 UTC
Oops.. Cut-and-paste error in the summary corrected.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-10 09:13:16 UTC
MFSA 2009-42 (CVE-2009-2408):
http://www.mozilla.org/security/announce/2009/mfsa2009-42.html

MFSA 2009-43 (CVE-2009-2404):
Moxie Marlinspike reported a heap overflow vulnerability in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. This code provided compatibility with the non-standard regular expression syntax historically supported by Netscape clients and servers. With version 3.5 Firefox switched to the more limited industry-standard wildcard syntax instead and is not vulnerable to this flaw. 
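The two certificate-name checks this bug is about, as an added example in C written for this page (not NSS or Thunderbird code, and not attached to the bug): the description's embedded-NUL trick from CVE-2009-2408, where a CN such as `www.paypal.com\0.thoughtcrime.org` is treated as `www.paypal.com` once it passes through a NUL-terminated string compare, and the MFSA 2009-43 point that the Netscape-style regular-expression matcher was replaced by the limited wildcard form `*.example.com`. `cn_matches_naive` reproduces the truncating compare; `cn_matches_safe` is a hypothetical hardened replacement that treats the CN as length-counted data, refuses any NUL byte, and accepts only a lone `*` as the whole leftmost label. The sample CN and the function names are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed sample CN: the name quoted in the bug report, with an embedded
 * NUL. As with a DER-decoded name, the length is carried separately;
 * sizeof-1 keeps the bytes after the NUL, strlen() would not.
 */
static const unsigned char EVIL_CN[] = "www.paypal.com\0.thoughtcrime.org";
#define EVIL_CN_LEN (sizeof EVIL_CN - 1)

/* Flawed check: converts the length-counted CN to a C string and uses
 * strcmp(), so the comparison stops at the first NUL and the trailing
 * ".thoughtcrime.org" is never seen. This is the behaviour the report describes. */
bool cn_matches_naive(const unsigned char *cn, size_t cn_len, const char *host)
{
    char buf[256];
    if (cn_len >= sizeof buf)
        return false;
    memcpy(buf, cn, cn_len);
    buf[cn_len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Length-aware, ASCII case-insensitive byte comparison; never relies on a NUL. */
static bool bytes_ieq(const unsigned char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return false;
    for (size_t i = 0; i < alen; i++) {
        unsigned char x = a[i], y = (unsigned char)b[i];
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y)
            return false;
    }
    return true;
}

/* Hypothetical hardened check (illustration, not NSS code):
 *  - refuses a CN containing a NUL byte anywhere within its declared length;
 *  - accepts an exact (case-insensitive) match;
 *  - accepts only the limited wildcard form "*.example.com": a lone '*' as the
 *    entire leftmost label, matching exactly one non-empty host label, with at
 *    least two labels after it ("*", "*.com" and "w*.example.com" are refused);
 *  - supports no Netscape-style regular expressions or partial-label wildcards. */
bool cn_matches_safe(const unsigned char *cn, size_t cn_len, const char *host)
{
    if (cn == NULL || host == NULL || cn_len == 0)
        return false;
    if (memchr(cn, '\0', cn_len) != NULL)   /* embedded NUL: refuse outright */
        return false;

    if (bytes_ieq(cn, cn_len, host, strlen(host)))
        return true;

    /* Wildcard: exactly "*." followed by at least two labels, and no other '*' */
    if (cn_len < 2 || cn[0] != '*' || cn[1] != '.')
        return false;
    if (memchr(cn + 1, '*', cn_len - 1) != NULL)
        return false;
    const unsigned char *cn_rest = cn + 2;
    size_t cn_rest_len = cn_len - 2;
    if (cn_rest_len == 0 || memchr(cn_rest, '.', cn_rest_len) == NULL)
        return false;

    /* The host's leftmost label (before the first dot) must be non-empty and
     * the remainder must equal the CN after "*." */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return false;
    const char *host_rest = dot + 1;
    return bytes_ieq(cn_rest, cn_rest_len, host_rest, strlen(host_rest));
}

int main(void)
{
    printf("naive: %s\n", cn_matches_naive(EVIL_CN, EVIL_CN_LEN, "www.paypal.com")
                              ? "MATCH (flawed)" : "no match");
    printf("safe : %s\n", cn_matches_safe(EVIL_CN, EVIL_CN_LEN, "www.paypal.com")
                              ? "match" : "no match (refused)");
    return 0;
}
```

The important design choice is that the CN never becomes a C string: its length travels with it and `memchr` scans the full declared length, so a NUL is a reason to reject rather than a place to stop. Keeping the wildcard grammar this small is what removes the regular-expression code path the second advisory describes.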
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-10 09:13:29 UTC
Mozilla: Can we go stable with .23?
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2009-09-10 18:05:32 UTC
yes
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-10 18:29:09 UTC
Arches, please test and mark stable:
=mail-client/mozilla-thunderbird-2.0.0.23
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-11 11:29:34 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-09-11 16:06:12 UTC
alpha/ia64/sparc stable
Comment 8 Markus Meier gentoo-dev 2009-09-11 20:06:07 UTC
amd64 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-09-12 16:22:39 UTC
ppc64 done
Comment 10 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-09-20 18:36:40 UTC
Now stable on ppc.
Security team, I let you close the bug.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2009-10-31 14:52:17 UTC
mail-client/mozilla-thunderbird-bin-2.0.0.23 is not stable for amd64 and x86
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-03 19:24:37 UTC
(In reply to comment #11)
> mail-client/mozilla-thunderbird-bin-2.0.0.23 is not stable for amd64 and x86

 Buy new glasses. :)

$ grep KEYWORDS *.ebuild
mozilla-thunderbird-1.5.0.14.ebuild:KEYWORDS="~mips"
mozilla-thunderbird-2.0.0.22.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
mozilla-thunderbird-2.0.0.23.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2009-11-03 19:38:00 UTC
(In reply to comment #12)
> (In reply to comment #11)
> > mail-client/mozilla-thunderbird-bin-2.0.0.23 is not stable for amd64 and x86
> 
>  Buy new glasses. :)
> 
> $ grep KEYWORDS *.ebuild
> mozilla-thunderbird-1.5.0.14.ebuild:KEYWORDS="~mips"
> mozilla-thunderbird-2.0.0.22.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc
> x86 ~x86-fbsd"
> mozilla-thunderbird-2.0.0.23.ebuild:KEYWORDS="alpha amd64 ia64 ppc ppc64 sparc
> x86 ~x86-fbsd"
> 

Nah, you should:

mozilla-thunderbird-bin-2.0.0.22.ebuild:KEYWORDS="-* amd64 x86"
mozilla-thunderbird-bin-2.0.0.23.ebuild:KEYWORDS="-* ~amd64 ~x86"
mozilla-thunderbird-bin-3.0_beta4.ebuild:KEYWORDS="-* ~amd64 ~x86"

Mega-OWNED!

Comment 14 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-03 19:50:27 UTC
x86 stable, my revenge will be on you...one day.
Comment 15 Markus Meier gentoo-dev 2009-11-04 11:22:11 UTC
amd64 stable, all arches done.
Comment 16 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-04 18:57:24 UTC
Re-rating A3.
No voting here, as the vulnerability is actually in <dev-libs/nss-3.12.3 (#280226) which is used by Firefox, Thunderbird, SeaMonkey, Evolution, Pidgin, and AOL Instant Messenger. IMHO voting should take place in 280226; if we decide on yes there, all the packages will have a GLSA together.
Comment 17 DEMAINE Benoît-Pierre, aka DoubleHP 2010-03-26 15:14:32 UTC
uranus ~ # ls /usr/portage/mail-client/mozilla-thunderbird
ChangeLog  Manifest      mozilla-thunderbird-2.0.0.23.ebuild  mozilla-thunderbird-3.0.3-r1.ebuild
files      metadata.xml  mozilla-thunderbird-3.0.3.ebuild
uranus ~ #

No ebuild matches <mail-client/mozilla-thunderbird-2.0.0.23 any more. This bug does not make sense any more. Please close.
Comment 18 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:14 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 19 DEMAINE Benoît-Pierre, aka DoubleHP 2010-09-16 13:39:33 UTC
security team, please close this bug.
Comment 20 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-29 21:13:55 UTC
We will, when its GLSA handling is finished. For further information, please consult
http://www.gentoo.org/security/en/vulnerability-policy.xml
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2013-01-08 01:03:29 UTC
This issue was resolved and addressed in
 GLSA 201301-01 at http://security.gentoo.org/glsa/glsa-201301-01.xml
by GLSA coordinator Sean Amoss (ackle).