<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd"> <glsa id="200608-04"> <title>Mozilla Thunderbird: Multiple vulnerabilities</title> <synopsis> The Mozilla Foundation has reported numerous security vulnerabilities related to Mozilla Thunderbird. </synopsis> <product type="ebuild">Thunderbird</product> <announced>2006-08-03</announced> <revised count="01">2006-08-03</revised> <bug>141842</bug> <access>remote</access> <affected> <package name="mail-client/mozilla-thunderbird" auto="yes" arch="*"> <unaffected range="ge">1.5.0.5</unaffected> <vulnerable range="lt">1.5.0.5</vulnerable> </package> <package name="mail-client/mozilla-thunderbird-bin" auto="yes" arch="*"> <unaffected range="ge">1.5.0.5</unaffected> <vulnerable range="lt">1.5.0.5</vulnerable> </package> </affected> <background> <p> The Mozilla Thunderbird mail client is a redesign of the Mozilla Mail component. The goal is to produce a cross-platform stand-alone mail application using XUL (XML User Interface Language). </p> </background> <description> <p> The following vulnerabilities have been reported: </p> <ul> <li>Benjamin Smedberg discovered that chrome URLss could be made to reference remote files.</li> <li>Developers in the Mozilla community looked for and fixed several crash bugs to improve the stability of Mozilla clients.</li> <li>"shutdown" reports that cross-site scripting (XSS) attacks could be performed using the construct XPCNativeWrapper(window).Function(...), which created a function that appeared to belong to the window in question even after it had been navigated to the target site.</li> <li>"shutdown" reports that scripts granting the UniversalBrowserRead privilege can leverage that into the equivalent of the far more powerful UniversalXPConnect since they are allowed to "read" into a privileged context.</li> <li>"moz_bug_r_a4" discovered that Named JavaScript functions have a parent object created using the standard Object() constructor (ECMA-specified behavior) and that this constructor can be redefined by script (also ECMA-specified behavior).</li> <li>Igor Bukanov and shutdown found additional places where an untimely garbage collection could delete a temporary object that was in active use.</li> <li>Georgi Guninski found potential integer overflow issues with long strings in the toSource() methods of the Object, Array and String objects as well as string function arguments.</li> <li>H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object.</li> <li>A malicious page can hijack native DOM methods on a document object in another domain, which will run the attacker's script when called by the victim page.</li> <li>Secunia Research has discovered a vulnerability which is caused due to an memory corruption error within the handling of simultaneously happening XPCOM events. This leads to use of a deleted timer object.</li> </ul> </description> <impact type="normal"> <p> A user can be enticed to open specially crafted URLs, visit webpages containing malicious JavaScript or execute a specially crafted script. These events could lead to the execution of arbitrary code, or the installation of malware on the user's computer. </p> </impact> <workaround> <p> There is no known workaround at this time. </p> </workaround> <resolution> <p> All Mozilla Thunderbird users should upgrade to the latest version: </p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-1.5.0.5"</code> <p> All Mozilla Thunderbird binary users should upgrade to the latest version: </p> <code> # emerge --sync # emerge --ask --oneshot --verbose ">=mail-client/mozilla-thunderbird-bin-1.5.0.5"</code> </resolution> <references> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3113">CVE-2006-3113</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3802">CVE-2006-3802</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3803">CVE-2006-3803</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3804">CVE-2006-3804</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3805">CVE-2006-3805</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3806">CVE-2006-3806</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3807">CVE-2006-3807</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3809">CVE-2006-3809</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3810">CVE-2006-3810</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3811">CVE-2006-3811</uri> <uri link="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3812">CVE-2006-3812</uri> </references> <metadata tag="requester" timestamp="2006-07-28T14:37:07Z"> DerCorny </metadata> <metadata tag="submitter" timestamp="2006-07-28T18:08:55Z"> dizzutch </metadata> <metadata tag="bugReady" timestamp="2006-08-03T16:54:43Z"> DerCorny </metadata> </glsa>