Note: This is only confirmed on Windows 1.0.2, 1.0.6, and 1.0.7, but I believe Mandriva has issued a patch... so it may affect Linux as well.
In Mozilla Thunderbird <= 1.0.7, file attachment names and icons may be spoofed via false Content-Type: headers and file extensions. This is probably not severe, but it may be possible to have GUI users save malware attachments on their Desktop that are valid desktop launcher files for GNOME or KDE... which would allow executing arbitrary existing commands with the privilege of the user when clicked, including the obligatory 'rm -rf *'.
Resolution: upgrade to 1.5, find specific-version patches for older versions? (Mandriva has them for 1.0.6)
Credits: Andreas Sanblad, Secunia Research
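A defensive check for the spoofing described in the report above, added here as an illustration and not part of the original bug thread or of Thunderbird: it flags attachments whose declared Content-Type disagrees with the filename extension, or whose content is a desktop launcher. The extension table, the function name and the sample message are constructed assumptions.

```python
import email
import os
from email import policy

# Assumed mapping of extensions to the MIME types they normally carry (not exhaustive).
EXPECTED = {".jpg": {"image/jpeg"}, ".png": {"image/png"},
            ".pdf": {"application/pdf"}, ".desktop": {"application/x-desktop"}}
LAUNCHER_EXTS = {".desktop"}  # GNOME/KDE launcher files named in the report

# Constructed sample: a launcher declared as image/jpeg, plus a benign PNG.
SAMPLE = b"""\
Subject: photo
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg; name="holiday.desktop"
Content-Disposition: attachment; filename="holiday.desktop"

[Desktop Entry]
Type=Application
Exec=/bin/true
--b1
Content-Type: image/png; name="logo.png"
Content-Disposition: attachment; filename="logo.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

def audit_attachments(raw):
    """Return (filename, declared_type, reasons) for each suspicious attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and inline bodies carry no filename
        ctype = part.get_content_type()
        ext = os.path.splitext(name.strip().lower())[1]
        body = part.get_payload(decode=True) or b""
        # Unknown extensions default to "matches" so only known pairs are judged.
        reasons = [label for label, hit in (
            ("launcher-file", ext in LAUNCHER_EXTS),
            ("type-extension-mismatch", ctype not in EXPECTED.get(ext, {ctype})),
            ("desktop-entry-content", body.lstrip().startswith(b"[Desktop Entry]")),
        ) if hit]
        if reasons:
            findings.append((name, ctype, reasons))
    return findings
```

Calling `audit_attachments(SAMPLE)` reports only the launcher; a mail gateway or triage script could quarantine on any of the three reasons.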
Mozilla please advise.
Mozilla team, please advise if stabling 1.5 is an option here...
1.5 can be stabilized; use -r1 if you wish to stabilize right now, please. I will get enigmail-0.94.0 in the tree in a day or so; should stabilize it at the same time.
enigmail-0.94.0 is in the tree. If you wish to mark 1.5-r1 stable, do not forget to stabilize enigmail.
This is https://bugzilla.mozilla.org/show_bug.cgi?id=300246
Apparently too late for 1.0.8
I'd prefer not to rush 1.5 stable just for such a lame vulnerability
(In reply to comment #5)
> This is https://bugzilla.mozilla.org/show_bug.cgi?id=300246
> Apparently too late for 1.0.8
>
> I'd prefer not to rush 1.5 stable just for such a lame vulnerability
>
This last comment is now obsolete since the 1.5 branch is the only maintained branch now. Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is affected by several vulnerabilities.
I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256.
> Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to
> keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is
> affected by several vulnerabilities.
> I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256.
Alpha can't stabilize the 1.5 branch (see bug 130888 and bug 128777). We can close this bug. (noglsa, was already corrected some weeks ago)
Closing as fixed in 1.5-line.