Bug 312649 - <www-client/seamonkey-1.1.19 Multiple vulnerabilities (CVE-2009-3385,CVE-2010-0163)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 314009 324735
Blocks:
Reported: 2010-04-01 15:58 UTC by Alex Legler (RETIRED)
Modified: 2014-06-01 13:33 UTC
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 15:58:05 UTC
CVE-2009-3385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3385):
  The mail component in Mozilla SeaMonkey before 1.1.19 does not
  properly restrict execution of scriptable plugin content, which
  allows user-assisted remote attackers to obtain sensitive information
  via crafted content in an IFRAME element in an HTML e-mail message,
  as demonstrated by a Flash object that sends arbitrary local files
  during a reply or forward operation.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-04-01 16:56:39 UTC
CVE-2010-0163 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0163):
  Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19
  process e-mail attachments with a parser that performs casts and line
  termination incorrectly, which allows remote attackers to cause a
  denial of service (application crash) or possibly execute arbitrary
  code via a crafted message, related to message indexing.

Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2010-07-17 11:59:51 UTC
seamonkey-1 is no longer in the tree...
Comment 3 Nirbheek Chauhan (RETIRED) gentoo-dev 2010-09-16 13:36:43 UTC
Nothing for mozilla team to do here, none of the affected versions/packages are in-tree anymore.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2014-06-01 13:33:10 UTC
This one seemed to have missed the big Mozilla GLSA 201301-01. Users have already been advised to update: no GLSA will be issued for this bug.