[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080306213037.GB31014@severus.strandboge.com>
Date: Thu, 6 Mar 2008 16:30:37 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: [USN-582-2] Thunderbird vulnerabilities
===========================================================
Ubuntu Security Notice USN-582-2 March 06, 2008
mozilla-thunderbird
https://launchpad.net/bugs/197504
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
mozilla-thunderbird 1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1
Ubuntu 6.10:
mozilla-thunderbird 1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1
Ubuntu 7.04:
mozilla-thunderbird 1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1
After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.
Details follow:
USN-582-1 fixed several vulnerabilities in Thunderbird. The upstream
fixes were incomplete, and after performing certain actions Thunderbird
would crash due to memory errors. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that Thunderbird did not properly set the size of a
buffer when parsing an external-body MIME-type. If a user were to open
a specially crafted email, an attacker could cause a denial of service
via application crash or possibly execute arbitrary code as the user.
(CVE-2008-0304)
Various flaws were discovered in Thunderbird and its JavaScript
engine. By tricking a user into opening a malicious message, an
attacker could execute arbitrary code with the user's privileges.
(CVE-2008-0412, CVE-2008-0413)
Various flaws were discovered in the JavaScript engine. By tricking
a user into opening a malicious message, an attacker could escalate
privileges within Thunderbird, perform cross-site scripting attacks
and/or execute arbitrary code with the user's privileges. (CVE-2008-0415)
Gerry Eisenhaur discovered that the chrome URI scheme did not properly
guard against directory traversal. Under certain circumstances, an
attacker may be able to load files or steal session data. Ubuntu is not
vulnerable in the default installation. (CVE-2008-0418)
Flaws were discovered in the BMP decoder. By tricking a user into
opening a specially crafted BMP file, an attacker could obtain
sensitive information. (CVE-2008-0420)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1.diff.gz
Size/MD5: 457207 42edc049dc6a57799c7762fd69519cef
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1.dsc
Size/MD5: 1677 308921004b21abdec87e7193b1cc1855
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227.orig.tar.gz
Size/MD5: 38264877 4266e1ff163ed81a555a6198a8c2fc45
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 3592366 d46ea4d2567ef29fe2e29d7ea59ebe0f
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 194738 d64dc9355993ee4e732db61ab7d18142
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 59978 20504a6b397c381daaf6425c980241c9
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 12109986 e3f88ccf859f2cb0d4f5786ec84422f8
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_i386.deb
Size/MD5: 3585640 9a6fb88d3f7606c016694a56ac686c70
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_i386.deb
Size/MD5: 188106 7b9b14a14e97870b209b8917b05d6899
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_i386.deb
Size/MD5: 55474 7fb01df26f2bb75b34370b547a9d2e5b
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_i386.deb
Size/MD5: 10382740 287d5666f26e2cbe9cedf80236967480
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 3591026 db402f32a02f27dd4a7e789da07e9667
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 191452 a879875dcd1075a9802e0a7cf5485ae6
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 59076 9d4f1e4f5b2df85487d5cd767e42ca79
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 11661424 445a2d6d7df3c4c7aa20dc0a6772a283
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 3587542 bc3561318d69fedc0f157ab5728a0545
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 188922 1a33f8b82f7dd1a6ec36a0fbfcf45894
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 56976 572056a18fb37c374f201ec398583b2d
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 10855430 e4c3f65d7dd305e7567a5820133563e6
Updated packages for Ubuntu 6.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1.diff.gz
Size/MD5: 458362 a07bff4dbd70a88e0590a5eaf474b071
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1.dsc
Size/MD5: 1677 a494c4c9b7dba82cfdd26b65618dacf7
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227.orig.tar.gz
Size/MD5: 38264877 4266e1ff163ed81a555a6198a8c2fc45
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_amd64.deb
Size/MD5: 3592214 8deae5034786195f9df37595ef8f9c66
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_amd64.deb
Size/MD5: 194874 429fdb58bdce69d5b64163679c6721ad
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_amd64.deb
Size/MD5: 59988 c08085b641b26c1d11c81a3e2ea8a315
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_amd64.deb
Size/MD5: 12102046 794b27b555370504f3c9d39d70fa0287
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_i386.deb
Size/MD5: 3589202 576af7e3d35db0291952f461b74f6bb0
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_i386.deb
Size/MD5: 189532 81740cf1a82437340ded3dbf8d9bc668
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_i386.deb
Size/MD5: 56622 051f5aa4a749078227550fe4d8771759
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_i386.deb
Size/MD5: 10842634 24a2f47129e13a115cb612ab7d6cf732
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_powerpc.deb
Size/MD5: 3591066 8b12a9ffcc2d9d38198c4bbd19b08b76
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_powerpc.deb
Size/MD5: 191980 dc997f5ea64b0ce5225c08f737d6fab4
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_powerpc.deb
Size/MD5: 59702 15afbb248986b685ef1f7ab59660e133
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_powerpc.deb
Size/MD5: 11792284 06f9647fb71deeee08d27451ecf38ae0
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_sparc.deb
Size/MD5: 3587556 6f575f6e24c7e004c71c3746895288f3
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_sparc.deb
Size/MD5: 189390 227d5419c43080baf5316d6186246bc1
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_sparc.deb
Size/MD5: 57044 428a473e879f97fca358e49d363baa4c
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_sparc.deb
Size/MD5: 11055900 f312edc01dbf038d5d4912e20bb2332e
Updated packages for Ubuntu 7.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1.diff.gz
Size/MD5: 128338 b8fd04ca331e279466c74ee642f37c9d
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1.dsc
Size/MD5: 1677 f3d40a99a1bd698eb8793b05593ef9a1
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227.orig.tar.gz
Size/MD5: 38264877 4266e1ff163ed81a555a6198a8c2fc45
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_amd64.deb
Size/MD5: 3592572 cfd1788e37a527b5b421743a53ed6d4e
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_amd64.deb
Size/MD5: 195362 1b39d27240963b06c8262159f65fecbb
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_amd64.deb
Size/MD5: 60482 7cfbfd6ac8e1f90b80f862b8da007cb7
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_amd64.deb
Size/MD5: 12200898 98d6cadd4934398397d7efac96e5dfa2
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_i386.deb
Size/MD5: 3589906 52715181859839e6da06ee1d11e23b5b
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_i386.deb
Size/MD5: 190018 2b4f148d9e1a17759b53a06d9bf10890
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_i386.deb
Size/MD5: 57116 71d8d8d39964a3c1812f169f9c97c5be
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_i386.deb
Size/MD5: 10930196 0041f2ae1d9bb1cd903b928409b4b00e
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_powerpc.deb
Size/MD5: 3593612 671ed2159590ee6b593c175d3264ae27
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_powerpc.deb
Size/MD5: 193502 00a290f2d5693deaaf563562bbce679c
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_powerpc.deb
Size/MD5: 60476 b652ff1af4528c671b58c72edae91af8
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_powerpc.deb
Size/MD5: 12143668 5ba802316344128bf11cab16fefa8d8d
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_sparc.deb
Size/MD5: 3589116 d5ba04ed373c0d319707dd46f6451410
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_sparc.deb
Size/MD5: 189836 7e1688245d345859a81b8985871b8016
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_sparc.deb
Size/MD5: 57538 084b7c136c7de9b5c873a0ded7260ee0
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_sparc.deb
Size/MD5: 11157146 15baa6c7a72ce11ca6131f999a99d5c5
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
Powered by blists - more mailing lists