[USN-157-1] Mozilla Thunderbird vulnerabilities

To: ubuntu-security-announce@xxxxxxxxxxxxxxxx
Subject: [USN-157-1] Mozilla Thunderbird vulnerabilities
From: Martin Pitt <martin.pitt@xxxxxxxxxxxxx>
Date: Mon, 1 Aug 2005 10:47:42 +0200
Cc: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.5.9i
==========================================================
Ubuntu Security Notice USN-157-1           August 01, 2005
mozilla-thunderbird vulnerabilities
CAN-2005-0989, CAN-2005-1159, CAN-2005-1160, CAN-2005-1532,
CAN-2005-2261, CAN-2005-2265, CAN-2005-2269, CAN-2005-2270,
CAN-2005-2353
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

mozilla-thunderbird
mozilla-thunderbird-enigmail

The problem can be corrected by upgrading the affected package to
version 1.0.6-0ubuntu04.10 (for Ubuntu 4.10), or 1.0.6-0ubuntu05.04
(for Ubuntu 5.04).  You need to restart Thunderbird after a standard
system upgrade to effect the necessary changes.

The current Enigmail plugin is not compatible any more with the
Thunderbird version shipped in this security update, so the
mozilla-thunderbird-enigmail package needs to be updated as well. An
update is already available for Ubuntu 5.04, and will be delivered
shortly for Ubuntu 4.10.


Details follow:

Vladimir V. Perepelitsa discovered a bug in Thunderbird's handling of anonymous
functions during regular expression string replacement. A malicious HTML email
could exploit this to capture a random block of client memory. (CAN-2005-0989)

Georgi Guninski discovered that the types of certain XPInstall related
JavaScript objects were not sufficiently validated when they were called. This
could be exploited by malicious HTML email content to crash Thunderbird or even
execute arbitrary code with the privileges of the user. (CAN-2005-1159) 

Thunderbird did not properly verify the values of XML DOM nodes.  By tricking
the user to perform a common action like clicking on a link or opening the
context menu, a malicious HTML email could exploit this to execute arbitrary
JavaScript code with the full privileges of the user. (CAN-2005-1160)

A variant of the attack described in CAN-2005-1160 (see USN-124-1) was
discovered. Additional checks were added to make sure Javascript eval and
script objects are run with the privileges of the context that created them,
not the potentially elevated privilege of the context calling them.
(CAN-2005-1532)

Scripts in XBL controls from web content continued to be run even when
Javascript was disabled. This could be combined with most script-based exploits
to attack people running vulnerable versions who thought disabling Javascript
would protect them. (CAN-2005-2261)

The function for version comparison in the addons installer did not properly
verify the type of its argument. By passing specially crafted Javascript
objects to it, a malicious web site could crash Thunderbird and possibly even
execute arbitrary code with the privilege of the user account Thunderbird runs
in. (CAN-2005-2265)

The XHTML DOM node handler did not take namespaces into account when verifying
node types based on their names. For example, an XHTML email could contain an
<IMG> tag with malicious contents, which would then be processed as the
standard trusted HTML <img> tag. By tricking an user to view a malicious email,
this could be exploited to execute attacker-specified code with the full
privileges of the user. (CAN-2005-2269) 

It was discovered that some objects were not created appropriately.  This
allowed malicious web content scripts to trace back the creation chain until
they found a privileged object and execute code with higher privileges than
allowed by the current site. (CAN-2005-2270) 

Javier Fernández-Sanguino Peña discovered that the run-mozilla.sh script
created temporary files in an unsafe way when running with 'debugging' enabled.
This could allow a symlink attack to create or overwrite arbitrary files with
the privileges of the user invoking the program.
(CAN-2005-2353)

The update for Ubuntu 4.10 (Warty Warthog) also fixes several less
critical vulnerabilities which are not present in the Ubuntu 5.04
version. (MFSA-2005-02 to MFSA-2005-30; please see the following web
site for details:
http://www.mozilla.org/projects/security/known-vulnerabilities.html).
We apologize for the huge delay of this update; we changed our update
strategy for Mozilla products to make sure that such long delays will
not happen again.


Updated packages for Ubuntu 4.10 (Warty Warthog):

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-0ubuntu04.10.diff.gz
      Size/MD5:    73508 3648c2252f6267d642c8f4e28a14eba0
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-0ubuntu04.10.dsc
      Size/MD5:      942 867a7864f0bce2639df4684bd264ddb9
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6.orig.tar.gz
      Size/MD5: 32933620 c28fc1fd78785b5264e9830b7be6f8ea

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.6-0ubuntu04.10_amd64.deb
      Size/MD5:  3344106 f3e52ae8a21f37b046d7f1d7c8c8776d
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.6-0ubuntu04.10_amd64.deb
      Size/MD5:   143406 49e86c62f34f5b46b844b1af6f76808e
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.6-0ubuntu04.10_amd64.deb
      Size/MD5:    25942 451b04d908aec8843b4b37832c197e12
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.6-0ubuntu04.10_amd64.deb
      Size/MD5:    81002 1f9589f00acb7223f6f1d320caa077ac
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-0ubuntu04.10_amd64.deb
      Size/MD5: 12259022 1e3eb1a83028b876b942ffa2a4ec8595

  i386 architecture (x86 compatible Intel/AMD)

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.6-0ubuntu04.10_i386.deb
      Size/MD5:  3337680 42e0747a2281c452f9b89bc0f45da1f5
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.6-0ubuntu04.10_i386.deb
      Size/MD5:   138492 b2e5a5ac934afe676fcf7e8ab9890107
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.6-0ubuntu04.10_i386.deb
      Size/MD5:    25940 94f40b33202345a7977168122a9f2aec
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.6-0ubuntu04.10_i386.deb
      Size/MD5:    78654 83cc69b58e9fcce92223df5e3f717928
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-0ubuntu04.10_i386.deb
      Size/MD5: 11341380 e57d9774c4d491dcf15f09f7889a6868

  powerpc architecture (Apple Macintosh G3/G4/G5)

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.6-0ubuntu04.10_powerpc.deb
      Size/MD5:  3333202 62649be791c6c27e1245edc1abdc344f
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.6-0ubuntu04.10_powerpc.deb
      Size/MD5:   137268 17d462bac0e43a5094ed2656ca67258f
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.6-0ubuntu04.10_powerpc.deb
      Size/MD5:    25950 aabf2e2ec761f74d8b6758fa98c1eae5
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.6-0ubuntu04.10_powerpc.deb
      Size/MD5:    72786 f5504ecf5cd74fb8b926192cbf0491a1
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-0ubuntu04.10_powerpc.deb
      Size/MD5: 10895290 69091f41e3b7cf59717a267b6dea4148

Updated packages for Ubuntu 5.04 (Hoary Hedgehog):

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-0ubuntu05.04.diff.gz
      Size/MD5:    73461 0610e558ba5530b59a0575738270f399
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-0ubuntu05.04.dsc
      Size/MD5:      942 4c1ccd87b48a5e989791954098936cac
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6.orig.tar.gz
      Size/MD5: 32933620 c28fc1fd78785b5264e9830b7be6f8ea
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92-1ubuntu05.04.1.diff.gz
      Size/MD5:    16763 a7d37dbf6abe3da411d00a41cf7c8be8
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92-1ubuntu05.04.1.dsc
      Size/MD5:      892 04380200e70d9eeadab664cee6b1aa54
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.92.orig.tar.gz
      Size/MD5:  2038607 c79925633b9e01fa6737d75c2e7acb89

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.6-0ubuntu05.04_amd64.deb
      Size/MD5:  3343822 a828df1aa118849e7e9d63c2118b83a8
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.6-0ubuntu05.04_amd64.deb
      Size/MD5:   143386 d78c19acd6f77728eb517704b0770964
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.6-0ubuntu05.04_amd64.deb
      Size/MD5:    25884 60e3dca0c27325ef255349c889d9844f
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.6-0ubuntu05.04_amd64.deb
      Size/MD5:    80856 f9d7cb1e18baf01c68fd8ba2a595870f
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-0ubuntu05.04_amd64.deb
      Size/MD5: 11951990 f906f7738c3b5903b1a97658938fb9c0
    
http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92-1ubuntu05.04.1_amd64.deb
      Size/MD5:   326858 a37b7fda2c560db461a58771c88bac50
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92-1ubuntu05.04.1_amd64.deb
      Size/MD5:   332886 4bfd8408209d22717d1a50bb5e87e889

  i386 architecture (x86 compatible Intel/AMD)

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.6-0ubuntu05.04_i386.deb
      Size/MD5:  3337242 fb47f26776929bb06b2b383f546117e6
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.6-0ubuntu05.04_i386.deb
      Size/MD5:   138448 4d99616e765e8e37282b02ace2441764
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.6-0ubuntu05.04_i386.deb
      Size/MD5:    25880 1de7833deb71b5fc3cc08dd1798f31e8
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.6-0ubuntu05.04_i386.deb
      Size/MD5:    78606 108f78054cd910e1fe7c45440a2c7f79
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-0ubuntu05.04_i386.deb
      Size/MD5: 10900596 2ca9e53c1bccf81a0ded54d781f892fe
    
http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92-1ubuntu05.04.1_i386.deb
      Size/MD5:   310612 afc30570ec061c922eca7a9146a12e1b
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92-1ubuntu05.04.1_i386.deb
      Size/MD5:   318236 5573e6d012fe8f02e82c8e05ee10f011

  powerpc architecture (Apple Macintosh G3/G4/G5)

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.0.6-0ubuntu05.04_powerpc.deb
      Size/MD5:  3332996 50dafdc24c84117e7210a27537df7c00
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.0.6-0ubuntu05.04_powerpc.deb
      Size/MD5:   137202 354b6bd41029419af278dbb632625716
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-offline_1.0.6-0ubuntu05.04_powerpc.deb
      Size/MD5:    25886 633f6cff231f58e05fa0374dc649a44c
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.0.6-0ubuntu05.04_powerpc.deb
      Size/MD5:    72806 dfdea066f335c2b06b69603a4e5c7b8c
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.0.6-0ubuntu05.04_powerpc.deb
      Size/MD5: 10446774 8d2b97d79de43e1b90af04f37c39b44b
    
http://security.ubuntu.com/ubuntu/pool/universe/e/enigmail/mozilla-enigmail_0.92-1ubuntu05.04.1_powerpc.deb
      Size/MD5:   312922 2e8d1c56e024dac9c5a532c6ddb43fd7
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.92-1ubuntu05.04.1_powerpc.deb
      Size/MD5:   320004 310cbc9849405f67c7d5d214afaf1dfd
Attachment: signature.asc
Description: Digital signature
Prev by Date: Re: [BugTraq] Peter Gutmann data deletion theaory?
Next by Date: MySQL Eventum Multiple Vulnerabilities
Previous by thread: Vulnerability in Trendmicro Officescan
Next by thread: MySQL Eventum Multiple Vulnerabilities
Index(es):
- Date
- Thread