| Summary: | <mail-client/thunderbird{,-bin}-52.5.2: multiple vulnerabilities (CVE-2017-{7829,7846,7847,7848}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | mozilla |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/ | | |
| Whiteboard: | B2 [glsa+ cve blocked] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 645820 | | |
| Bug Blocks: | | | |
Description

GLSAMaker/CVETool Bot, 2018-01-08 00:08:24 UTC

CVE-2017-7846: JavaScript Execution via RSS in mailbox:// origin
Impact: high
Description: It is possible to execute JavaScript in the parsed RSS feed when the RSS feed is viewed as a website, e.g. via "View -> Feed article -> Website" or in the standard format of "View -> Feed article -> default format".

CVE-2017-7847: Local path string can be leaked from RSS feed
Impact: high
Description: Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain the user name.

CVE-2017-7848: RSS Feed vulnerable to new line Injection
Impact: moderate
Description: RSS fields can inject new lines into the created email structure, modifying the message body.

CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display
Impact: low
Description: It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string.

Ebuild is in the repo. I've just stabilized for amd64 after my own testing against regressions in the last 2 days. CC'd Arch Teams, please stabilize.

ppc / ppc64 Arch Teams, please let me know if we should drop stable keywords from thunderbird; so far none of the 52.x series has been stabilized yet.
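As an added illustration of the CVE-2017-7829 (Mailsploit part 1) condition described above, the following Python is example code written for this page, not code from Thunderbird, Mozilla or the Gentoo ebuild: it decodes the RFC 2047 encoded words of a From header and flags any NUL or other control character that survives decoding, which is what a mail client or gateway filter should reject or render visibly instead of truncating the displayed sender. The sample headers are constructed, and the display-name/address mismatch heuristic is an extra assumption beyond what the advisory states.

```python
import email.header
import re

# Constructed sample From header values (not taken from the page). The second
# hides a NUL (=00) inside an RFC 2047 encoded word, the kind of input that
# CVE-2017-7829 describes as cutting off the displayed sender; the third is a
# plain display-name spoof without any encoding tricks.
SAMPLE_HEADERS = [
    "Alice Example <alice@example.org>",
    "=?utf-8?Q?alice=40example.org=00?= <mailer@example.net>",
    '"ceo@example.org" <other@example.net>',
]

# C0 controls (including NUL) and DEL; TAB, CR and LF are legitimate folding.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
ANGLE_ADDR = re.compile(r"<([^<>]+)>\s*$")


def decode_from(raw):
    """Decode every RFC 2047 encoded word in a header into one text string."""
    parts = []
    for chunk, charset in email.header.decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def check_from_header(raw):
    """Return (suspicious, reason) for a raw From header value.

    Flags control characters that survive decoding and, as an added
    heuristic, a display name that looks like a different address.
    """
    decoded = decode_from(raw)
    if CONTROL_CHARS.search(decoded):
        return True, "control character in decoded From header"
    match = ANGLE_ADDR.search(decoded)
    if match:
        addr = match.group(1).strip().lower()
        display = decoded[: match.start()].strip().strip("\"'").lower()
        if "@" in display and display != addr:
            return True, "display name impersonates a different address"
    return False, "ok"


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(check_from_header(header), repr(header))
```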
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=85e9451778f05981d17ad82c4054e569bf634daf

commit 85e9451778f05981d17ad82c4054e569bf634daf
Author: Ian Stakenvicius <axs@gentoo.org>
AuthorDate: 2018-01-08 16:36:56 +0000
Commit: Ian Stakenvicius <axs@gentoo.org>
CommitDate: 2018-01-08 16:37:22 +0000

    mail-client/thunderbird: stabilize for amd64, security bug 643842

    Stabilized by maintainer

    Bug: http://bugs.gentoo.org/643842
    Package-Manager: Portage-2.3.13, Repoman-2.3.3

 mail-client/thunderbird/thunderbird-52.5.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

mail-client/thunderbird-bin-52.5.2 has been pushed directly to stable by maintainers.

x86 stable

ppc stable

Superseded by bug 645820. Please continue in bug 645820.

This issue was resolved and addressed in GLSA 201803-14 at https://security.gentoo.org/glsa/201803-14 by GLSA coordinator Aaron Bauman (b-man).