Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 135256 - mail-client/mozilla-thunderbird[-bin]: <= multiple vulns including code execution
Summary: mail-client/mozilla-thunderbird[-bin]: <= multiple vulns including cod...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa] Falco
: 135284 (view as bug list)
Depends on:
Reported: 2006-06-02 04:42 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-10-15 04:34 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-02 04:42:17 UTC

Multiple vulnerabilities have been reported in Thunderbird, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP response smuggling attacks, and potentially compromise a user's system.

For more information, see vulnerabilities #1, #2, #3, #5, #6, #7, and #9 in:
( = bug 135254 )

Successful exploitation of some of the vulnerabilities requires that JavaScript is enabled (not enabled by default).

The following vulnerability has also been reported:

The vulnerability is caused due to a double-free error within the processing of large VCards with invalid base64 characters. This may be exploited to execute arbitrary code.

Update to version

Provided and/or discovered by:
Masatoshi Kimura

Original Advisory:

Other References:
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-02 04:42:56 UTC
Moz team, please provide ebuilds, thanks in advance.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-02 04:55:30 UTC
The list of the vulns against thunderbird are :

MFSA 2006-42  Web site XSS using BOM on UTF-8 pages
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

1.0.8 may be also affected, but not patched yet.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-06-02 09:15:50 UTC
*** Bug 135284 has been marked as a duplicate of this bug. ***
Comment 4 Jory A. Pratt 2006-06-02 16:59:04 UTC
When you all are ready call archs for stable enigmail-0.94.0-r4 stable and that should cover source builds.

Do not forget to have amd64 and x86 mark binary stable as well. 
Comment 5 Jory A. Pratt 2006-06-02 19:57:50 UTC are in the tree mark it stable there will be no 1.0.x release with fixes unless we are to backport them ourselves. amd64 and x86 do not forget to mark -bin as well.
Comment 6 Jory A. Pratt 2006-06-02 20:07:42 UTC
source is stable on amd64, someone else in herd please handle -bin. When marking source stable please mark enigmail-0.94.0-r4 stable as well, only difference between the revisions is the thunderbird we use to build enigmail, do not need to introduce a security flaw to enigmail now.
Comment 7 nixnut (RETIRED) gentoo-dev 2006-06-03 05:20:56 UTC
Stable on ppc.
Comment 8 Mark Loeser (RETIRED) gentoo-dev 2006-06-03 22:26:21 UTC
x86 done
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2006-06-06 10:07:24 UTC
sparc stable.
Comment 10 frilled 2006-06-07 15:06:29 UTC
For GLSA's sake: Does anybody know whether these bugs affect only HTML view? Can users workaround by setting "View" -> "Message Body As" -> "Plain Text"?
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-09 23:47:26 UTC
amd64 please test and mark stable.
Comment 12 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 11:57:06 UTC
Alpha team, please stabilize too if possible, since you still provide the 1.0.7 ebuild which is affected by bug 120485.
Comment 13 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 12:04:58 UTC
(In reply to comment #12)
> Alpha team, please stabilize too if possible, since you still provide
> the 1.0.7 ebuild which is affected by bug 120485.

and by bug 130888 too.

Comment 14 Thomas Cort (RETIRED) gentoo-dev 2006-06-11 12:19:05 UTC
(In reply to comment #12)
> Alpha team, please stabilize too if possible, since you still provide
> the 1.0.7 ebuild which is affected by bug 120485.

We don't provide 1.0.7, it is masked by profiles/default-linux/alpha/package.mask.   As for keywording 1.5, we are still having problems, see Bug #131359. I'll take a look at later today. I'm removing alpha@g.o from CC since we don't provide any affected versions. Re-add us if you need anything else.
Comment 15 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 14:34:44 UTC
> We don't provide 1.0.7, it is masked by
> profiles/default-linux/alpha/package.mask.

OK, thank you, i missed that.
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-13 14:25:45 UTC
amd64 please act or advise on what's wrong
Comment 17 AJ Armstrong 2006-06-14 09:05:17 UTC
I'm an amd64 AT.  Will test today and get someone to mark stable if is passes.
Comment 18 AJ Armstrong 2006-06-14 09:11:36 UTC
Correction to my last - my system is currently ~amd64, so not good for stabilizing this.  Will corner someone on #g-amd64-dev today or do it in a chroot.
Comment 19 Patrick McLean gentoo-dev 2006-06-14 09:21:56 UTC
Anarchy already stabilized these on amd64, 10 days ago. I guess he just forgot to update the bug, anyway removing amd64 from the CC.
Comment 20 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-18 03:01:12 UTC
so i guess this one is ready for glsa; sorry for the delay
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-19 09:24:05 UTC
GLSA 200606-21