[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060726082523.GG5161@piware.de>
Date: Wed, 26 Jul 2006 10:25:23 +0200
From: Martin Pitt <martin.pitt@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-297-3] Thunderbird vulnerabilities
===========================================================
Ubuntu Security Notice USN-297-3 July 26, 2006
mozilla-thunderbird vulnerabilities
CVE-2006-2775, CVE-2006-2776, CVE-2006-2778, CVE-2006-2779,
CVE-2006-2780, CVE-2006-2781, CVE-2006-2783, CVE-2006-2784,
CVE-2006-2787
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 5.04
Ubuntu 5.10
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 5.04:
mozilla-thunderbird 1.0.8-0ubuntu05.04.1
Ubuntu 5.10:
mozilla-thunderbird 1.0.8-0ubuntu05.10.2
After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.
Details follow:
USN-297-1 fixed several vulnerabilities in Thunderbird for the Ubuntu
6.06 LTS release. This update provides the corresponding fixes for
Ubuntu 5.04 and Ubuntu 5.10.
For reference, these are the details of the original USN:
Jonas Sicking discovered that under some circumstances persisted XUL
attributes are associated with the wrong URL. A malicious web site
could exploit this to execute arbitrary code with the privileges of
the user. (MFSA 2006-35, CVE-2006-2775)
Paul Nickerson discovered that content-defined setters on an object
prototype were getting called by privileged UI code. It was
demonstrated that this could be exploited to run arbitrary web
script with full user privileges (MFSA 2006-37, CVE-2006-2776).
Mikolaj Habryn discovered a buffer overflow in the crypto.signText()
function. By sending an email with malicious JavaScript to an user,
and that user enabled JavaScript in Thunderbird (which is not the
default and not recommended), this could potentially be exploited to
execute arbitrary code with the user's privileges. (MFSA 2006-38,
CVE-2006-2778)
The Mozilla developer team discovered several bugs that lead to
crashes with memory corruption. These might be exploitable by
malicious web sites to execute arbitrary code with the privileges of
the user. (MFSA 2006-32, CVE-2006-2779, CVE-2006-2780)
Masatoshi Kimura discovered a memory corruption (double-free) when
processing a large VCard with invalid base64 characters in it. By
sending a maliciously crafted set of VCards to a user, this could
potentially be exploited to execute arbitrary code with the user's
privileges. (MFSA 2006-40, CVE-2006-2781)
Masatoshi Kimura found a way to bypass web input sanitizers which
filter out JavaScript. By inserting 'Unicode Byte-order-Mark (BOM)'
characters into the HTML code (e. g. '<scr[BOM]ipt>'), these filters
might not recognize the tags anymore; however, Thunderbird would
still execute them since BOM markers are filtered out before
processing a mail containing JavaScript. (MFSA 2006-42,
CVE-2006-2783)
Kazuho Oku discovered various ways to perform HTTP response
smuggling when used with certain proxy servers. Due to different
interpretation of nonstandard HTTP headers in Thunderbird and the
proxy server, a malicious HTML email can exploit this to send back
two responses to one request. The second response could be used to
steal login cookies or other sensitive data from another opened web
site. (MFSA 2006-33, CVE-2006-2786)
It was discovered that JavaScript run via EvalInSandbox() can escape
the sandbox. Malicious scripts received in emails containing
JavaScript could use these privileges to execute arbitrary code with
the user's privileges. (MFSA 2006-31, CVE-2006-2787)
Updated packages for Ubuntu 5.04:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.04.1.diff.gz
Size/MD5: 98300 a4dffa1705bd280224188e7bbc7781dd
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.04.1.dsc
Size/MD5: 946 7eebd4d62af685dd0ce74d5ff741c92c
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8.orig.tar.gz
Size/MD5: 32849510 ae345f1b722d8f3a977af4fd358d27b0
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.8-0ubuntu05.04.1_amd64.deb
Size/MD5: 3347854 519c296b742dc6e6d5c308b0b6c5a433
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.8-0ubuntu05.04.1_amd64.deb
Size/MD5: 145244 9a8d5c4ade62afdb187022df1b188099
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.8-0ubuntu05.04.1_amd64.deb
Size/MD5: 27718 aa28f71d2133d0810bbf166d86c68dc7
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.8-0ubuntu05.04.1_amd64.deb
Size/MD5: 82728 55ede40f0e71d287cfabe73492b3a71a
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.04.1_amd64.deb
Size/MD5: 11959242 c6acc1fa0785193f037fb35a14f7505e
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.8-0ubuntu05.04.1_i386.deb
Size/MD5: 3341642 18916c1156df514eb6b538ec63737a8d
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.8-0ubuntu05.04.1_i386.deb
Size/MD5: 140326 b2f8c499a4b160e6131d2fb2278e54b5
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.8-0ubuntu05.04.1_i386.deb
Size/MD5: 27724 6bab59d8db842eee01a411c256b64cd8
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.8-0ubuntu05.04.1_i386.deb
Size/MD5: 80468 114885d918a10761414adafc506be2e5
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.04.1_i386.deb
Size/MD5: 10911294 67ab1c44fe9a3d164e0c79755365e2bf
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.8-0ubuntu05.04.1_powerpc.deb
Size/MD5: 3337162 85e96f1fe254dc69170d3fc814110cd2
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.8-0ubuntu05.04.1_powerpc.deb
Size/MD5: 139122 0ac4864a4c69045c43b37aad80f3336d
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.8-0ubuntu05.04.1_powerpc.deb
Size/MD5: 27732 b4103fcdfef1107966f21b8a857dc01f
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.8-0ubuntu05.04.1_powerpc.deb
Size/MD5: 74682 8f14928b2be37c12e205be1389749e0d
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.04.1_powerpc.deb
Size/MD5: 10453746 f728c125a4ccf1d556ffd9cc39539055
Updated packages for Ubuntu 5.10:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.10.2.diff.gz
Size/MD5: 100417 c3f0f93e338ff900b5ccec2515d0c43b
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.10.2.dsc
Size/MD5: 919 5945fce5d3140112099d74b56537666b
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8.orig.tar.gz
Size/MD5: 32849510 ae345f1b722d8f3a977af4fd358d27b0
amd64 architecture (Athlon64, Opteron, EM64T Xeon)
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.8-0ubuntu05.10.2_amd64.deb
Size/MD5: 3294738 7340b5b39e4954d5c6284e04229e6632
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.8-0ubuntu05.10.2_amd64.deb
Size/MD5: 146796 030b130217cd4b0cec9fd2e0c5239a0d
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.8-0ubuntu05.10.2_amd64.deb
Size/MD5: 28266 11631a9ac55712b21a03470fe424e480
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.8-0ubuntu05.10.2_amd64.deb
Size/MD5: 86278 4059ff0cb8da24cbd92d72accd3f2d67
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.10.2_amd64.deb
Size/MD5: 11977184 6d77be91b8c0e9b06cf0cec0c8483998
i386 architecture (x86 compatible Intel/AMD)
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.8-0ubuntu05.10.2_i386.deb
Size/MD5: 3288954 2ced47739fac731f7347e497492df79e
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.8-0ubuntu05.10.2_i386.deb
Size/MD5: 140348 f8b1ccb61ef81ba4b583f10369b82aee
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.8-0ubuntu05.10.2_i386.deb
Size/MD5: 28262 ed05e4d9845d11e42062acd9d79e3a3b
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.8-0ubuntu05.10.2_i386.deb
Size/MD5: 77656 586525c74b61275a49b3f91a549c31b4
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.10.2_i386.deb
Size/MD5: 10380218 64dc49a7e9e75326164ca589aad327f1
powerpc architecture (Apple Macintosh G3/G4/G5)
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.8-0ubuntu05.10.2_powerpc.deb
Size/MD5: 3286824 49338b4f633089ec3119f8a341992751
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.8-0ubuntu05.10.2_powerpc.deb
Size/MD5: 140438 401fc8d07b433ac4d71a9a37c9f086a7
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.8-0ubuntu05.10.2_powerpc.deb
Size/MD5: 28272 900eb236bc7e85f4d99177f12d0084f4
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.8-0ubuntu05.10.2_powerpc.deb
Size/MD5: 77364 c7b1e38a5d83594885bbeb987b477865
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.10.2_powerpc.deb
Size/MD5: 10489086 b2665fa914781ad11bf4e826c5825a1a
sparc architecture (Sun SPARC/UltraSPARC)
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.8-0ubuntu05.10.2_sparc.deb
Size/MD5: 3286920 dd3b7e55abd608360b81e0db14b4376f
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.8-0ubuntu05.10.2_sparc.deb
Size/MD5: 138920 2709c330b93517f8dfa3676ee1f2aa92
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.8-0ubuntu05.10.2_sparc.deb
Size/MD5: 28268 feba2248d1093bed5fa21f463a8ea3a0
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.8-0ubuntu05.10.2_sparc.deb
Size/MD5: 75314 d609546dfa5ff12c5e5c4a0e33efbf34
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.8-0ubuntu05.10.2_sparc.deb
Size/MD5: 10165076 b9aaeb254fb107435156f01d70b64e9e
Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists