lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20080306213037.GB31014@severus.strandboge.com>
Date: Thu, 6 Mar 2008 16:30:37 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: ubuntu-security-announce@...ts.ubuntu.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [USN-582-2] Thunderbird vulnerabilities

=========================================================== 
Ubuntu Security Notice USN-582-2             March 06, 2008
mozilla-thunderbird
https://launchpad.net/bugs/197504
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mozilla-thunderbird             1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1

Ubuntu 6.10:
  mozilla-thunderbird             1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1

Ubuntu 7.04:
  mozilla-thunderbird             1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1

After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.

Details follow:

USN-582-1 fixed several vulnerabilities in Thunderbird. The upstream
fixes were incomplete, and after performing certain actions Thunderbird
would crash due to memory errors. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that Thunderbird did not properly set the size of a
 buffer when parsing an external-body MIME-type. If a user were to open
 a specially crafted email, an attacker could cause a denial of service
 via application crash or possibly execute arbitrary code as the user.
 (CVE-2008-0304)
 
 Various flaws were discovered in Thunderbird and its JavaScript
 engine. By tricking a user into opening a malicious message, an
 attacker could execute arbitrary code with the user's privileges.
 (CVE-2008-0412, CVE-2008-0413)
 
 Various flaws were discovered in the JavaScript engine. By tricking
 a user into opening a malicious message, an attacker could escalate
 privileges within Thunderbird, perform cross-site scripting attacks
 and/or execute arbitrary code with the user's privileges. (CVE-2008-0415)
 
 Gerry Eisenhaur discovered that the chrome URI scheme did not properly
 guard against directory traversal. Under certain circumstances, an
 attacker may be able to load files or steal session data. Ubuntu is not
 vulnerable in the default installation. (CVE-2008-0418)
 
 Flaws were discovered in the BMP decoder. By tricking a user into
 opening a specially crafted BMP file, an attacker could obtain
 sensitive information. (CVE-2008-0420)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1.diff.gz
      Size/MD5:   457207 42edc049dc6a57799c7762fd69519cef
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1.dsc
      Size/MD5:     1677 308921004b21abdec87e7193b1cc1855
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227.orig.tar.gz
      Size/MD5: 38264877 4266e1ff163ed81a555a6198a8c2fc45

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_amd64.deb
      Size/MD5:  3592366 d46ea4d2567ef29fe2e29d7ea59ebe0f
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_amd64.deb
      Size/MD5:   194738 d64dc9355993ee4e732db61ab7d18142
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_amd64.deb
      Size/MD5:    59978 20504a6b397c381daaf6425c980241c9
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_amd64.deb
      Size/MD5: 12109986 e3f88ccf859f2cb0d4f5786ec84422f8

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_i386.deb
      Size/MD5:  3585640 9a6fb88d3f7606c016694a56ac686c70
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_i386.deb
      Size/MD5:   188106 7b9b14a14e97870b209b8917b05d6899
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_i386.deb
      Size/MD5:    55474 7fb01df26f2bb75b34370b547a9d2e5b
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_i386.deb
      Size/MD5: 10382740 287d5666f26e2cbe9cedf80236967480

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_powerpc.deb
      Size/MD5:  3591026 db402f32a02f27dd4a7e789da07e9667
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_powerpc.deb
      Size/MD5:   191452 a879875dcd1075a9802e0a7cf5485ae6
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_powerpc.deb
      Size/MD5:    59076 9d4f1e4f5b2df85487d5cd767e42ca79
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_powerpc.deb
      Size/MD5: 11661424 445a2d6d7df3c4c7aa20dc0a6772a283

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_sparc.deb
      Size/MD5:  3587542 bc3561318d69fedc0f157ab5728a0545
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_sparc.deb
      Size/MD5:   188922 1a33f8b82f7dd1a6ec36a0fbfcf45894
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_sparc.deb
      Size/MD5:    56976 572056a18fb37c374f201ec398583b2d
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.06.1_sparc.deb
      Size/MD5: 10855430 e4c3f65d7dd305e7567a5820133563e6

Updated packages for Ubuntu 6.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1.diff.gz
      Size/MD5:   458362 a07bff4dbd70a88e0590a5eaf474b071
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1.dsc
      Size/MD5:     1677 a494c4c9b7dba82cfdd26b65618dacf7
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227.orig.tar.gz
      Size/MD5: 38264877 4266e1ff163ed81a555a6198a8c2fc45

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_amd64.deb
      Size/MD5:  3592214 8deae5034786195f9df37595ef8f9c66
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_amd64.deb
      Size/MD5:   194874 429fdb58bdce69d5b64163679c6721ad
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_amd64.deb
      Size/MD5:    59988 c08085b641b26c1d11c81a3e2ea8a315
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_amd64.deb
      Size/MD5: 12102046 794b27b555370504f3c9d39d70fa0287

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_i386.deb
      Size/MD5:  3589202 576af7e3d35db0291952f461b74f6bb0
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_i386.deb
      Size/MD5:   189532 81740cf1a82437340ded3dbf8d9bc668
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_i386.deb
      Size/MD5:    56622 051f5aa4a749078227550fe4d8771759
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_i386.deb
      Size/MD5: 10842634 24a2f47129e13a115cb612ab7d6cf732

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_powerpc.deb
      Size/MD5:  3591066 8b12a9ffcc2d9d38198c4bbd19b08b76
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_powerpc.deb
      Size/MD5:   191980 dc997f5ea64b0ce5225c08f737d6fab4
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_powerpc.deb
      Size/MD5:    59702 15afbb248986b685ef1f7ab59660e133
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_powerpc.deb
      Size/MD5: 11792284 06f9647fb71deeee08d27451ecf38ae0

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_sparc.deb
      Size/MD5:  3587556 6f575f6e24c7e004c71c3746895288f3
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_sparc.deb
      Size/MD5:   189390 227d5419c43080baf5316d6186246bc1
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_sparc.deb
      Size/MD5:    57044 428a473e879f97fca358e49d363baa4c
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.6.10.1_sparc.deb
      Size/MD5: 11055900 f312edc01dbf038d5d4912e20bb2332e

Updated packages for Ubuntu 7.04:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1.diff.gz
      Size/MD5:   128338 b8fd04ca331e279466c74ee642f37c9d
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1.dsc
      Size/MD5:     1677 f3d40a99a1bd698eb8793b05593ef9a1
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227.orig.tar.gz
      Size/MD5: 38264877 4266e1ff163ed81a555a6198a8c2fc45

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_amd64.deb
      Size/MD5:  3592572 cfd1788e37a527b5b421743a53ed6d4e
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_amd64.deb
      Size/MD5:   195362 1b39d27240963b06c8262159f65fecbb
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_amd64.deb
      Size/MD5:    60482 7cfbfd6ac8e1f90b80f862b8da007cb7
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_amd64.deb
      Size/MD5: 12200898 98d6cadd4934398397d7efac96e5dfa2

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_i386.deb
      Size/MD5:  3589906 52715181859839e6da06ee1d11e23b5b
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_i386.deb
      Size/MD5:   190018 2b4f148d9e1a17759b53a06d9bf10890
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_i386.deb
      Size/MD5:    57116 71d8d8d39964a3c1812f169f9c97c5be
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_i386.deb
      Size/MD5: 10930196 0041f2ae1d9bb1cd903b928409b4b00e

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_powerpc.deb
      Size/MD5:  3593612 671ed2159590ee6b593c175d3264ae27
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_powerpc.deb
      Size/MD5:   193502 00a290f2d5693deaaf563562bbce679c
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_powerpc.deb
      Size/MD5:    60476 b652ff1af4528c671b58c72edae91af8
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_powerpc.deb
      Size/MD5: 12143668 5ba802316344128bf11cab16fefa8d8d

  sparc architecture (Sun SPARC/UltraSPARC):

    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_sparc.deb
      Size/MD5:  3589116 d5ba04ed373c0d319707dd46f6451410
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_sparc.deb
      Size/MD5:   189836 7e1688245d345859a81b8985871b8016
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_sparc.deb
      Size/MD5:    57538 084b7c136c7de9b5c873a0ded7260ee0
    http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080227-0ubuntu0.7.04.1_sparc.deb
      Size/MD5: 11157146 15baa6c7a72ce11ca6131f999a99d5c5



Download attachment "signature.asc" of type "application/pgp-signature" (190 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ