CVE-2017-7847: Local path string can be leaked from RSS feed
Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain the user name.
CVE-2017-7848: RSS Feed vulnerable to new line Injection
RSS fields can inject new lines into the created email structure, modifying the message body.
CVE-2017-7829: Mailsploit part 1: From address with encoded null character is cut off in message header display
It is possible to spoof the sender's email address and display an arbitrary sender address to the email recipient. The real sender's address is not displayed if preceded by a null character in the display string.
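As an added example (not part of this bug report and not Thunderbird code), the check below shows how a mail pipeline could flag the CVE-2017-7829 pattern: it decodes the RFC 2047 display name of a From header, reports control characters such as an encoded null, and always renders the address parsed from the raw header. The function names and sample headers are constructed for illustration, and the check generalizes from the null character to all control characters.

```python
import email.header
import email.utils
import unicodedata


def decode_words(value):
    """Decode RFC 2047 encoded-words into one str."""
    out = []
    for chunk, charset in email.header.decode_header(value):
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                chunk = chunk.decode("latin-1")
        out.append(chunk)
    return "".join(out)


def inspect_from(raw_value):
    """Return (safe_display, findings) for a raw From header value.

    Hypothetical helper: the address is parsed from the raw header first,
    so nothing hidden inside an encoded-word can replace it.
    """
    name, addr = email.utils.parseaddr(raw_value)
    decoded = decode_words(name)
    findings = [f"control character U+{ord(c):04X} in display name"
                for c in decoded if unicodedata.category(c) == "Cc"]
    # Strip control characters so the UI never truncates at a null.
    clean = "".join(c for c in decoded
                    if unicodedata.category(c) != "Cc").strip()
    if "@" in clean and clean.lower() != addr.lower():
        findings.append("display name looks like a different address")
    display = f"{clean} <{addr}>" if clean else addr
    return display, findings


# Constructed samples: the first display name carries an encoded null (=00).
SUSPECT = "=?utf-8?q?billing=40example.org=00?= <mallory@example.net>"
BENIGN = "Ian Example <ian@example.org>"

if __name__ == "__main__":
    for header in (SUSPECT, BENIGN):
        print(inspect_from(header))
```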
Ebuild is in the repo.
I've just stabilized for amd64 after my own testing against regressions in the last 2 days. CC'd Arch Teams, please stabilize.
ppc / ppc64 Arch Teams, please let me know if we should drop stable keywords from thunderbird; so far none of the 52.x series has been stabilized yet.
The bug has been referenced in the following commit(s):
Author: Ian Stakenvicius <firstname.lastname@example.org>
AuthorDate: 2018-01-08 16:36:56 +0000
Commit: Ian Stakenvicius <email@example.com>
CommitDate: 2018-01-08 16:37:22 +0000
mail-client/thunderbird: stabilize for amd64, security bug 643842
Stabilized by maintainer
Package-Manager: Portage-2.3.13, Repoman-2.3.3
mail-client/thunderbird/thunderbird-52.5.2.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
mail-client/thunderbird-bin-52.5.2 has been pushed directly to stable by maintainers.
Superseded by bug 645820. Please continue in bug 645820.
This issue was resolved and addressed in
GLSA 201803-14 at https://security.gentoo.org/glsa/201803-14
by GLSA coordinator Aaron Bauman (b-man).