Message-ID: <20070827060240.GP10512@outflux.net>
Date: Sun, 26 Aug 2007 23:02:40 -0700
From: Kees Cook <kees@...ntu.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-503-1] Thunderbird vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-503-1            August 24, 2007
mozilla-thunderbird vulnerabilities
CVE-2007-3670, CVE-2007-3734, CVE-2007-3735, CVE-2007-3844,
CVE-2007-3845
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mozilla-thunderbird             1.5.0.13-0ubuntu0.6.06

Ubuntu 6.10:
  mozilla-thunderbird             1.5.0.13-0ubuntu0.6.10

Ubuntu 7.04:
  mozilla-thunderbird             1.5.0.13-0ubuntu0.7.04

After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.
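
One way to confirm that a host carries the fixed package, added here as an example and not part of the original advisory. The fixed versions are the ones listed above; the function names are hypothetical, and the `sort -V` fallback (used only where `dpkg` is absent) only approximates Debian version ordering.

```shell
#!/bin/sh
# Added example: check mozilla-thunderbird against the USN-503-1 fixed versions.

# Fixed version per Ubuntu release, copied from the advisory.
fixed_version_for() {
    case "$1" in
        6.06) echo "1.5.0.13-0ubuntu0.6.06" ;;
        6.10) echo "1.5.0.13-0ubuntu0.6.10" ;;
        7.04) echo "1.5.0.13-0ubuntu0.7.04" ;;
        *)    return 1 ;;
    esac
}

# Succeeds when version $1 is greater than or equal to version $2.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        # Assumption: GNU sort -V is close enough for these version strings.
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# usn503_status RELEASE INSTALLED_VERSION
# Prints one of: patched, needs-update, not-installed, unknown-release.
usn503_status() {
    release=$1
    installed=$2
    fixed=$(fixed_version_for "$release") || { echo "unknown-release"; return 2; }
    [ -n "$installed" ] || { echo "not-installed"; return 0; }
    if version_ge "$installed" "$fixed"; then
        echo "patched"
        return 0
    fi
    echo "needs-update"
    return 1
}

# Query the running host (needs lsb_release and dpkg-query).
check_host() {
    release=$(lsb_release -rs 2>/dev/null)
    installed=$(dpkg-query -W -f='${Version}' mozilla-thunderbird 2>/dev/null)
    usn503_status "$release" "$installed"
}
```

Call `check_host` on the machine being audited; a `patched` result still requires restarting Thunderbird for the fix to take effect.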

Details follow:

Various flaws were discovered in the layout and JavaScript engines. By
tricking a user into opening a malicious email, an attacker could execute
arbitrary code with the user's privileges. Please note that JavaScript
is disabled by default for emails, and it is not recommended to enable it.
(CVE-2007-3734, CVE-2007-3735, CVE-2007-3844)

Jesper Johansson discovered that spaces and double-quotes were
not correctly handled when launching external programs. In rare
configurations, after tricking a user into opening a malicious email,
an attacker could execute helpers with arbitrary arguments with the
user's privileges. (CVE-2007-3670, CVE-2007-3845)



