Gentoo Archives: gentoo-announce

From: Raphael Marichez <falco@g.o>
To: gentoo-announce@g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200612-06 ] Mozilla Thunderbird: Multiple vulnerabilities
Date: Sun, 10 Dec 2006 19:21:49
Message-Id: 20061210185858.GI16201@falco.falcal.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200612-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Mozilla Thunderbird: Multiple vulnerabilities
Date: December 10, 2006
Bugs: #154448
ID: 200612-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
Synopsis
========

Multiple vulnerabilities have been identified in Mozilla Thunderbird.

Background
==========

Mozilla Thunderbird is a popular open-source email client from the
Mozilla Project.
25
Affected packages
=================

    -------------------------------------------------------------------
     Package                   /  Vulnerable  /               Unaffected
    -------------------------------------------------------------------
  1  mozilla-thunderbird           < 1.5.0.8                 >= 1.5.0.8
  2  mozilla-thunderbird-bin       < 1.5.0.8                 >= 1.5.0.8
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------
37
Description
===========

It has been identified that Mozilla Thunderbird improperly handles
Script objects while they are being executed, allowing them to be
modified during execution. JavaScript is disabled in Mozilla
Thunderbird by default. Mozilla Thunderbird has also been found to be
vulnerable to various potential buffer overflows. Lastly, the binary
release of Mozilla Thunderbird is vulnerable to a low exponent RSA
signature forgery issue because it is bundled with a vulnerable version
of NSS.
49
Impact
======

An attacker could entice a user to view a specially crafted email that
causes a buffer overflow and thereby executes arbitrary code or causes a
Denial of Service. An attacker could also entice a user to view an
email containing specially crafted JavaScript and execute arbitrary
code with the rights of the user running Mozilla Thunderbird. It is
important to note that JavaScript is off by default in Mozilla
Thunderbird, and enabling it is strongly discouraged. It is also
possible for an attacker to create SSL/TLS or email certificates that
would not be detected as invalid by the binary release of Mozilla
Thunderbird, raising the possibility of Man-in-the-Middle attacks.
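The low exponent RSA signature forgery named in the Description and behind the undetected certificates in the Impact section is the NSS variant of the 2006 PKCS#1 v1.5 padding-check issue (CVE-2006-5462 in the references). The following is an added example, not Thunderbird or NSS code: a lax encoded-message parser of the flawed kind beside the strict check that fixes it. Only the padding layer is shown, since that is where the defect lives; the message and the malformed test input are constructed, and the modulus length k is assumed to be 128 bytes.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-1 (RFC 3447 section 9.2, note 1).
DIGESTINFO_SHA1 = bytes.fromhex("3021300906052b0e03021a05000414")


def encode_emsa_pkcs1_v15(message, k, prefix=DIGESTINFO_SHA1, hashfn=hashlib.sha1):
    """Build the single valid EM of length k: 00 01 FF..FF 00 DigestInfo Hash."""
    t = prefix + hashfn(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_lax(em, message, prefix=DIGESTINFO_SHA1, hashfn=hashlib.sha1):
    """Flawed parser: walks past the FF padding to the 00 separator, reads
    DigestInfo and the hash, and never checks that the hash ends exactly at
    the end of EM. That ignored tail is the defect; with a small public
    exponent it is enough to make forgery practical. Do not use for real checks."""
    if len(em) < 2 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = prefix + hashfn(message).digest()
    return em[i + 1:i + 1 + len(t)] == t  # bytes after the hash are ignored


def verify_strict(em, message, k, prefix=DIGESTINFO_SHA1, hashfn=hashlib.sha1):
    """Fixed check (RFC 3447 section 8.2.2): rebuild the only valid EM for this
    modulus length and compare the whole value, so no byte goes unexamined."""
    if len(em) != k:
        return False
    try:
        expected = encode_emsa_pkcs1_v15(message, k, prefix, hashfn)
    except ValueError:
        return False
    return hmac.compare_digest(em, expected)


def malformed_em(message, k, prefix=DIGESTINFO_SHA1, hashfn=hashlib.sha1):
    """Constructed test input: minimal padding, then DigestInfo and hash, then
    filler up to k bytes. It carries the right hash but is not a valid EM."""
    t = prefix + hashfn(message).digest()
    body = b"\x00\x01\xff\x00" + t
    return body + b"\x00" * (k - len(body))
```

The lax parser accepts both the valid and the malformed encoding of the same message, while the strict check accepts only the valid one.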
63
Workaround
==========

There is no known workaround at this time.
68
Resolution
==========

Users upgrading to the following releases of Mozilla Thunderbird should
note that this version of Mozilla Thunderbird has been found to not
display certain messages in some cases.

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.5.0.8"

All Mozilla Thunderbird binary release users should upgrade to the
latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.5.0.8"
89
References
==========

  [ 1 ] CVE-2006-5462
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5462
  [ 2 ] CVE-2006-5463
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5463
  [ 3 ] CVE-2006-5464
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5464
  [ 4 ] CVE-2006-5747
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5747
  [ 5 ] CVE-2006-5748
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5748
  [ 6 ] Mozilla Thunderbird Email Loss Bug
        https://bugzilla.mozilla.org/show_bug.cgi?id=360409
105
Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200612-06.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5