[USN-329-1] Thunderbird vulnerabilities

To: ubuntu-security-announce@xxxxxxxxxxxxxxxx
Subject: [USN-329-1] Thunderbird vulnerabilities
From: Martin Pitt <martin.pitt@xxxxxxxxxxxxx>
Date: Fri, 28 Jul 2006 22:06:49 +0200
Cc: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.5.12-2006-07-14

=========================================================== 
Ubuntu Security Notice USN-329-1              July 28, 2006
mozilla-thunderbird vulnerabilities
CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3804,
CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809,
CVE-2006-3810, CVE-2006-3811, CVE-2006-3812
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mozilla-thunderbird                      1.5.0.5-0ubuntu0.6.06
  mozilla-thunderbird-enigmail             2:0.94-0ubuntu4.2

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.

Please note that Thunderbird 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 are
also affected by these problems. Updates for these Ubuntu releases
will be delayed due to upstream dropping support for this Thunderbird
version. We strongly advise that you disable JavaScript to disable the
attack vectors for most vulnerabilities if you use one of these Ubuntu
versions.

Details follow:

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious email containing JavaScript. Please note that JavaScript
is disabled by default for emails, and it is not recommended to enable
it. (CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805,
CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3810,
CVE-2006-3811, CVE-2006-3812)

A buffer overflow has been discovered in the handling of .vcard files.
By tricking a user into importing a malicious vcard into his contacts,
this could be exploited to execute arbitrary code with the user's
privileges.  (CVE-2006-3084)

The "enigmail" plugin has been updated to work with the new
Thunderbird version.


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.94-0ubuntu4.2.diff.gz
      Size/MD5:    20823 426bbb61a907211c8b5f85a8a1d12b40
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.94-0ubuntu4.2.dsc
      Size/MD5:      779 b2d2ca13c4e5cbfde608fdbacbd9b948
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.94.orig.tar.gz
      Size/MD5:  3126659 7e34cbe51f5a1faca2e26fa0edfd6a06
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.5-0ubuntu0.6.06.diff.gz
      Size/MD5:   454681 617049f1f961d52eb3d51eb67fa10188
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.5-0ubuntu0.6.06.dsc
      Size/MD5:      962 57c4c52e92c980d0812f7d06157c5306
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.5.orig.tar.gz
      Size/MD5: 35399376 aaf162faff8e8d8bdc70bc806d68a85b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.5-0ubuntu0.6.06_amd64.deb
      Size/MD5:  3526026 e64ec0863395cb3d96011b45c4695d5e
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.94-0ubuntu4.2_amd64.deb
      Size/MD5:   335178 1e29a8c42488f4c268bce0753886b6cd
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.5-0ubuntu0.6.06_amd64.deb
      Size/MD5:   193622 42fb05d02cae2613afc6d03b7fc7f3f8
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.5-0ubuntu0.6.06_amd64.deb
      Size/MD5:    58874 24e70a63777ecf92951e27abec3731e4
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.5-0ubuntu0.6.06_amd64.deb
      Size/MD5: 11972684 8bebd7b94be0cb649d0732e8e39a442b

  i386 architecture (x86 compatible Intel/AMD)

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.5-0ubuntu0.6.06_i386.deb
      Size/MD5:  3517720 2583f228e45c4d850fcd68d8b6938a0a
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.94-0ubuntu4.2_i386.deb
      Size/MD5:   322800 92d39d87ce0c181ac61fef7f1228a6a0
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.5-0ubuntu0.6.06_i386.deb
      Size/MD5:   187002 ad14981f0564c25c59b68c3b74bf1fb1
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.5-0ubuntu0.6.06_i386.deb
      Size/MD5:    54386 8dbd996a7bdcf09291b87a4bbc5d56e9
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.5-0ubuntu0.6.06_i386.deb
      Size/MD5: 10278594 5f80038af9af3ed7c5639819b63caddf

  powerpc architecture (Apple Macintosh G3/G4/G5)

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.5-0ubuntu0.6.06_powerpc.deb
      Size/MD5:  3522822 737c06d9578eb3c7ba429dbe42ede660
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.94-0ubuntu4.2_powerpc.deb
      Size/MD5:   326256 39da78e5f62652d94df1d9d095ae4cf7
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.5-0ubuntu0.6.06_powerpc.deb
      Size/MD5:   190340 0f62bc53b3dc4de8770dc76f2fb646a1
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.5-0ubuntu0.6.06_powerpc.deb
      Size/MD5:    57998 2f9a1d04b2a8914d8e7c485ad3375a55
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.5-0ubuntu0.6.06_powerpc.deb
      Size/MD5: 11541936 144df67e5f39d8d91c8444b9c207d25c

  sparc architecture (Sun SPARC/UltraSPARC)

    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.5-0ubuntu0.6.06_sparc.deb
      Size/MD5:  3519436 a7d0f52ec3a703ff1518b0b0cf3de2c9
    
http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.94-0ubuntu4.2_sparc.deb
      Size/MD5:   324596 9cd0b2ae81740e21ffa8c167638b852f
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.5-0ubuntu0.6.06_sparc.deb
      Size/MD5:   187786 64628494f9e7967da629f7a8308f5006
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.5-0ubuntu0.6.06_sparc.deb
      Size/MD5:    55876 fd982c5e65b6b135f817eabd10775416
    
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.5-0ubuntu0.6.06_sparc.deb
      Size/MD5: 10744066 b057f688569d2fa53aac6257bed38128

----- End forwarded message -----

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org

In a world without walls and fences, who needs Windows and Gates?

Attachment: signature.asc
Description: Digital signature

Prev by Date: rPSA-2006-0139-1 httpd mod_ssl
Next by Date: PHP ip2long() function circumvention
Previous by thread: rPSA-2006-0139-1 httpd mod_ssl
Next by thread: PHP ip2long() function circumvention
Index(es):
- Date
- Thread