Date: Fri Oct  7 04:06:08 2005
From: security at (Mandriva Security Team)
Subject: MDKSA-2005:174 - Updated mozilla-thunderbird packages fix multiple vulnerabilities


                Mandriva Linux Security Update Advisory

 Package name:           mozilla-thunderbird
 Advisory ID:            MDKSA-2005:174
 Date:                   October 6th, 2005

 Affected versions:      10.2, 2006.0

 Problem Description:

 Updated Mozilla Thunderbird packages fix various vulnerabilities:

 The script, with debugging enabled, would allow local
 users to create or overwrite arbitrary files via a symlink attack on
 temporary files (CAN-2005-2353).

 A bug in the way Thunderbird processes XBM images could be used to
 execute arbitrary code via a specially crafted XBM image file

 A bug in the way Thunderbird handles certain Unicode sequences could be
 used to execute arbitrary code via viewing a specially crafted Unicode
 sequence (CAN-2005-2702).

 A bug in the way Thunderbird makes XMLHttp requests could be abused by
 a malicious web page to exploit other proxy or server flaws from the
 victim's machine; however, the default behaviour of the browser is to
 disallow this (CAN-2005-2703).

 A bug in the way Thunderbird implemented its XBL interface could be
 abused by a malicious web page to create an XBL binding in such a way
 as to allow arbitrary JavaScript execution with chrome permissions

 An integer overflow in Thunderbird's JavaScript engine could be
 manipulated in certain conditions to allow a malicious web page to
 execute arbitrary code (CAN-2005-2705).

 A bug in the way Thunderbird displays about: pages could be used to
 execute JavaScript with chrome privileges (CAN-2005-2706).

 A bug in the way Thunderbird opens new windows could be used by a
 malicious web page to construct a new window without any user interface
 elements (such as address bar and status bar) that could be used to
 potentially mislead the user (CAN-2005-2707).

 A bug in the way Thunderbird processed URLs on the command line could
 be used to execute arbitrary commands as the user running Thunderbird;
 this could be abused by clicking on a supplied link, such as from an
 instant messaging client (CAN-2005-2968).

 Tom Ferris reported that Thunderbird would crash when processing a
 domain name consisting solely of soft-hyphen characters due to a heap
 overflow when IDN processing results in an empty string after removing
 non-wrapping characters, such as soft-hyphens.  This could be exploited
 to run or install malware on the user's computer (CAN-2005-2871).

 The updated packages have been patched to correct these issues.


 Updated Packages:
 Mandrivalinux 10.2:
 f409c24fe8d4f732a99fff51f9223191  10.2/RPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.i586.rpm
 18250e4ac4d580a595eaeb16fd3b0171  10.2/RPMS/mozilla-thunderbird-devel-1.0.2-5.1.102mdk.i586.rpm
 cbfb90b65746b4fbc0848ddbd01395bf  10.2/RPMS/mozilla-thunderbird-enigmail-1.0.2-5.1.102mdk.i586.rpm
 aa450bd7d1b82425eeef6506f90f5fb4  10.2/RPMS/mozilla-thunderbird-enigmime-1.0.2-5.1.102mdk.i586.rpm
 5320178037176424f209415c3862d014  10.2/SRPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.src.rpm

 Mandrivalinux 10.2/X86_64:
 07fa1df593b92831b9f6d1a32b0b3362  x86_64/10.2/RPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.x86_64.rpm
 ca26795c32146dd1ace798189588029f  x86_64/10.2/RPMS/mozilla-thunderbird-devel-1.0.2-5.1.102mdk.x86_64.rpm
 7757608ffe4e89d285bc001bdc8851cb  x86_64/10.2/RPMS/mozilla-thunderbird-enigmail-1.0.2-5.1.102mdk.x86_64.rpm
 8c386f18a449d78d3917dca387624933  x86_64/10.2/RPMS/mozilla-thunderbird-enigmime-1.0.2-5.1.102mdk.x86_64.rpm
 5320178037176424f209415c3862d014  x86_64/10.2/SRPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.src.rpm

 Mandrivalinux 2006.0:
 af3330f345b3b92307550a57fb7efa80  2006.0/RPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.i586.rpm
 9ad77bad0b6c6033e063ed21a8a2cb0b  2006.0/RPMS/mozilla-thunderbird-enigmail-1.0.6-7.1.20060mdk.i586.rpm
 141909e4e4676c0c8a5525a3e3eb921d  2006.0/RPMS/mozilla-thunderbird-enigmime-1.0.6-7.1.20060mdk.i586.rpm
 b1db5880eb9ac8792a2f25e547343607  2006.0/SRPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.src.rpm

 Mandrivalinux 2006.0/X86_64:
 b7e7527e98969ff677e2caf013a84ab7  x86_64/2006.0/RPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.x86_64.rpm
 87ca5eace6c6823cda7efac54ffe5945  x86_64/2006.0/RPMS/mozilla-thunderbird-enigmail-1.0.6-7.1.20060mdk.x86_64.rpm
 8305e439803991791ca1aff020877274  x86_64/2006.0/RPMS/mozilla-thunderbird-enigmime-1.0.6-7.1.20060mdk.x86_64.rpm
 b1db5880eb9ac8792a2f25e547343607  x86_64/2006.0/SRPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.src.rpm

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 If you want to report vulnerabilities, please contact


 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
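
The manual form of the md5 check mentioned above, as an added example that is not part of the Mandriva advisory: it parses "Updated Packages" lines in the advisory's format and compares them with RPMs fetched into a local directory. The download directory and matching on file name are assumptions; an MD5 match only rules out a corrupted or mixed-up download, while authenticity rests on the GPG signature on the packages.

```python
import hashlib
import re
from pathlib import Path

# Three entries copied from the advisory's "Updated Packages" list above.
ADVISORY_SAMPLE = """\
 Mandrivalinux 2006.0:
 af3330f345b3b92307550a57fb7efa80  2006.0/RPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.i586.rpm
 9ad77bad0b6c6033e063ed21a8a2cb0b  2006.0/RPMS/mozilla-thunderbird-enigmail-1.0.6-7.1.20060mdk.i586.rpm
 b1db5880eb9ac8792a2f25e547343607  2006.0/SRPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.src.rpm
"""

# One entry per line: 32 hex digits, whitespace, a relative path ending in .rpm
ENTRY = re.compile(r"^\s*([0-9a-fA-F]{32})\s+(\S+\.rpm)\s*$")

def parse_manifest(text):
    """Return {file_name: md5_hex}; headings and blank lines are skipped."""
    manifest = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        # Keep only the base name: mirror layouts differ, and nothing from
        # the advisory text should steer the lookup outside download_dir.
        digest, name = m.group(1).lower(), m.group(2).rsplit("/", 1)[-1]
        # The same SRPM is listed once per architecture; digests must agree.
        if manifest.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting checksums for {name}")
    return manifest

def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large RPMs are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(text, download_dir):
    """Map each listed file name to 'ok', 'mismatch' or 'missing'."""
    results = {}
    for name, expected in parse_manifest(text).items():
        local = Path(download_dir) / name
        if not local.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if md5_of(local) == expected else "mismatch"
    return results

if __name__ == "__main__":
    for name, status in verify(ADVISORY_SAMPLE, ".").items():
        print(f"{status:8} {name}")
```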
