Bug 120485 - mail-client/mozilla-thunderbird{-bin} <= 1.0.7 Attachment Spoofing
Summary: mail-client/mozilla-thunderbird{-bin} <= 1.0.7 Attachment Spoofing
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/secunia_research/2...
Whiteboard: A4 [noglsa] Koon
Keywords:
Depends on:
Blocks:
Reported: 2006-01-26 16:32 UTC by Rob M.
Modified: 2006-07-03 12:45 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Rob M. 2006-01-26 16:32:15 UTC
Note: This is only confirmed on Windows 1.0.2, 1.0.6, and 1.0.7, but I believe Mandriva has issued a patch... so it may affect Linux as well.

In Mozilla Thunderbird <= 1.0.7, file attachment names and icons may be spoofed via false Content-Type: headers and file extensions.

This is probably not severe, but it may be possible to have GUI users save malware attachments on their Desktop that are valid desktop launcher files for GNOME or KDE... which would allow executing arbitrary existing commands with the privilege of the user when clicked, including the obligatory 'rm -rf *'.

Resolution: upgrade to 1.5, find specific-version patches for older versions? (Mandriva has them for 1.0.6)

Credits: Andreas Sanblad, Secunia Research
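The report describes attachment names and icons being spoofed through a false Content-Type header and file extension. The following is an added example, not code from the bug report or from Thunderbird, showing how a mail gateway or filter can flag such attachments by checking that the Content-Type name, the Content-Disposition filename and the declared MIME type agree; the extension table, the launcher-extension set and the sample message are constructed for the example.

```python
import email
from email import policy
from email.utils import collapse_rfc2231_value

# Constructed lookup tables, not Thunderbird's own: the type a client would
# infer from an extension, and extensions that desktop environments execute.
EXT_TO_TYPE = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
               "pdf": "application/pdf", "desktop": "application/x-desktop"}
LAUNCHER_EXTS = {"desktop", "sh", "exe", "bat", "scr", "pif"}

def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if name and "." in name else ""

def find_spoofed_attachments(raw):
    """Return (declared_type, ct_name, disp_name, reasons) per suspicious part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        declared = part.get_content_type()
        ct_name = part.get_param("name")      # name= on Content-Type
        ct_name = collapse_rfc2231_value(ct_name) if ct_name else None
        disp_name = part.get_filename()       # filename= on Content-Disposition
        shown = disp_name or ct_name or ""    # the name the file is saved under
        reasons = []
        if ct_name and disp_name and ct_name != disp_name:
            reasons.append("Content-Type name differs from Content-Disposition filename")
        expected = EXT_TO_TYPE.get(_ext(shown))
        if expected and expected != declared:
            reasons.append("extension .%s does not match %s" % (_ext(shown), declared))
        if _ext(shown) in LAUNCHER_EXTS:
            reasons.append("launcher/executable extension")
        if reasons:
            findings.append((declared, ct_name, disp_name, reasons))
    return findings

# Constructed sample: Content-Type claims a JPEG named photo.jpg, but the
# Content-Disposition filename the client saves is a desktop launcher.
SAMPLE = b"""\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment; filename="photo.jpg.desktop"

[Desktop Entry]
Exec=/bin/true
--b1--
"""
```

Running `find_spoofed_attachments(SAMPLE)` returns one finding with all three reasons; a plain single-part text message returns an empty list.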
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-02-06 12:28:21 UTC
Mozilla please advise.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-02-11 13:51:03 UTC
mozilla team, please advise if stabling 1.5 is an option here...
Comment 3 Jory A. Pratt 2006-02-11 15:23:42 UTC
1.5 can be stabilized; use -r1 if you wish to stabilize right now, please. I will get enigmail-0.94.0 in tree in a day or so; should stabilize it at the same time.
Comment 4 Jory A. Pratt 2006-02-11 16:03:03 UTC
enigmail-0.94.0 is in the tree. If you wish to mark 1.5-r1 stable, do not forget to stabilize enigmail.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-02-12 10:59:25 UTC
This is https://bugzilla.mozilla.org/show_bug.cgi?id=300246
Apparently too late for 1.0.8

I'd prefer not to rush 1.5 stable just for such a lame vulnerability
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 12:01:15 UTC
(In reply to comment #5)
> This is https://bugzilla.mozilla.org/show_bug.cgi?id=300246
> Apparently too late for 1.0.8
> 
> I'd prefer not to rush 1.5 stable just for such a lame vulnerability
> 

This last comment is now obsolete since the 1.5 branch is the only maintained branch now.
Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is affected by several vulnerabilities.
I suggest closing this bug as soon as Alpha stabilizes 1.5.0.4 in bug 135256.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-13 12:57:49 UTC
> Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to
> keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is
> affected by several vulnerabilities.
> I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256.

Alpha can't stabilize the 1.5 branch (see bug 130888 and bug 128777). We can close this bug. (noglsa, was already corrected some weeks ago)

Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-07-03 12:45:25 UTC
Closing as fixed in 1.5-line.