Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 130888 - mail-client/mozilla-thunderbird: 1.0.8 fixes several vuln's, included code execution (CVE-2006-0748)
Summary: mail-client/mozilla-thunderbird: 1.0.8 fixes several vuln's, included code ex...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://www.mozilla.org/projects/secur...
Whiteboard: A2 [tempglsa stable+ alpha] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-22 14:02 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-10-15 04:29 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-22 14:02:41 UTC
splitting #129924 in one bug per package for helping handling

http://www.mozilla.org/projects/security/known-vulnerabilities.html#Thunderbird

Fixed in Thunderbird 1.0.8
MFSA 2006-27 Table Rebuilding Code Execution Vulnerability
MFSA 2006-26 Mail Multiple Information Disclosure
MFSA 2006-25 Privilege escalation through Print Preview
MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
MFSA 2006-21 JavaScript execution in mail when forwarding in-line
MFSA 2006-19 Cross-site scripting using .valueOf.call()
MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability
MFSA 2006-17 cross-site scripting through window.controllers
MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()
MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent
MFSA 2006-14 Privilege escalation via XBL.method.eval
MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)
MFSA 2006-10 JavaScript garbage-collection hazard audit
MFSA 2006-09 Cross-site JavaScript injection using event handlers
MFSA 2006-05 Localstore.rdf XML injection through XULDocument.persist()
MFSA 2006-01 JavaScript garbage-collection hazards
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-22 14:05:46 UTC
same as the moz-1.0.8 thing (#129924), moz team, please provide a new ebuild mail-client/mozilla-thunderbird-1.0.8
Comment 2 Jory A. Pratt 2006-04-22 20:54:19 UTC
Please keyword 1.5.0.2 were possible, ONLY keyword 1.0.8 for those who can NOT mark 1.5.0.2. AMD64 and X86 DO NOT forget -bin.
Comment 3 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-22 20:59:49 UTC
(bugzie forced a comment for some minor changes, so here is one to make it happy)
Comment 4 Jory A. Pratt 2006-04-22 21:01:27 UTC
If you keyword 1.5.0.2 please keyword enigmail-0.94.0-r2 as well sorry for not getting it in original post.
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-23 00:22:44 UTC
(In reply to comment #4)
> If you keyword 1.5.0.2 please keyword enigmail-0.94.0-r2 as well sorry for not
> getting it in original post.

There's no enigmail-0.94.0-r2, I guess we can keyword enigmail-0.94.0-r1?
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-23 08:26:51 UTC
<@Anarchy> dertobi123, enigmail-0.94.0-r2 is in the tree I forgot to make the commit with all other commits and bumps I am working on

so, ppc stable :)
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2006-04-24 12:53:24 UTC
sparc stable.
Comment 8 Alec Warner (RETIRED) archtester gentoo-dev Security 2006-04-26 07:02:48 UTC
moz-1.0.8 and moz-bin-1.0.8 stable on x86
Comment 9 Jory A. Pratt 2006-04-29 04:36:07 UTC
amd64 stable 1.5.0.2 !!
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-05 10:41:03 UTC
alpha team, aware ? something wrong ?
Comment 11 Fernando J. Pereda (RETIRED) gentoo-dev 2006-05-05 10:45:47 UTC
See the bug this one depends on :)

- ferdy
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-05 11:04:57 UTC
oh ok, sorry :)

it's worrying. Is #131359 progressing ? ETA ?
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2006-05-06 09:18:44 UTC
We'll probably have to publish the GLSA and say alpha is still affected, and update it when it gets fixed...
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2006-05-08 10:40:31 UTC
A temporary GLSA was sent : GLSA 200605-09
We'll update it once TB reaches stable on alpha
Comment 15 Thomas Cort (RETIRED) gentoo-dev 2006-06-02 06:00:57 UTC
(In reply to comment #12)
> it's worrying. Is #131359 progressing ? ETA ?

No progress or ETA, so I've masked =mail-client/mozilla-thunderbird-1.0.7* in profiles/default-linux/alpha/package.mask and dropped the ~alpha keyword from thunderbird-1.0.8 as it is badly broken on alpha (Bug #131359) and 1.5 doesn't compile (also Bug #131359).

BTW, I only see alpha in the "Status Whiteboard", but it looks ia64 needs to still mark 1.5.X or 1.0.8 stable. Re-add us if you need anything.
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-02 06:18:05 UTC
> BTW, I only see alpha in the "Status Whiteboard", but it looks ia64 needs to
> still mark 1.5.X or 1.0.8 stable. Re-add us if you need anything.
> 

contrary to the "supported" arches [1], ia64 is not obliged to stabilize the ebuilds concerning the security issues before we send a GLSA.


[1] http://www.gentoo.org/security/en/vulnerability-policy.xml , part 1, "Scope"
Comment 17 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 12:03:53 UTC
Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to
keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is
affected by several vulnerabilities.
I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256.
Comment 18 Thomas Cort (RETIRED) gentoo-dev 2006-06-13 11:40:38 UTC
(In reply to comment #17)
> Except for Alpha, every arch is fixed. Concerning Alpha, Alpha will have to
> keyword the 1.5 branch because 1.0 is not maintained anymore, and 1.0 is
> affected by several vulnerabilities.
> I suggest closing this bug as soon as Alpha stabilize 1.5.0.4 in bug 135256.

mozilla-thunderbird-1.5.0.4 is also broken on alpha. It uses ~100% of the CPU and the main window never comes up. This is similar to the problem we are having with firefox-1.5 on alpha, see Bug #128777. This bug can probably be closed since it isn't looking like we will be able to mark thunderbird-1.5 stable on alpha and alpha has all affected versions of thunderbird masked in profiles/default-linux/alpha/package.mask.

Output of `top`:

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 3593 tcort     20   0 33120  32m  23m R 93.2 10.4   9:52.85 thunderbird-bin
Comment 19 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-13 12:58:16 UTC
> mozilla-thunderbird-1.5.0.4 is also broken on alpha. 

OK, so you will have to let thunderbird masked :(

you're right, i can close this bug. Same for bug 120485.