USN-297-1: Thunderbird vulnerabilities
Posted on: 06/14/2006 10:12 AM

A new Thunderbird vulnerabilities update is available for Ubuntu Linux. Here is the announcement:

Ubuntu Security Notice USN-297-1 June 13, 2006
mozilla-thunderbird vulnerabilities
CVE-2006-2775, CVE-2006-2776, CVE-2006-2778, CVE-2006-2779,
CVE-2006-2780, CVE-2006-2781, CVE-2006-2783, CVE-2006-2786,

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
mozilla-thunderbird-enigmail 2:0.94-0ubuntu4.1

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.

Please note that Thunderbird 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 is
also affected by these problems. Updates for these Ubuntu releases
will be delayed due to upstream dropping support for this Thunderbird
version. We strongly advise that you disable JavaScript to disable the
attack vectors for most vulnerabilities if you use one of these Ubuntu

Details follow:

Jonas Sicking discovered that under some circumstances persisted XUL
attributes are associated with the wrong URL. A malicious web site
could exploit this to execute arbitrary code with the privileges of
the user. (MFSA 2006-35, CVE-2006-2775)

Paul Nickerson discovered that content-defined setters on an object
prototype were getting called by privileged UI code. It was
demonstrated that this could be exploited to run arbitrary web script
with full user privileges (MFSA 2006-37, CVE-2006-2776).

Mikolaj Habryn discovered a buffer overflow in the crypto.signText()
function. If an email with malicious JavaScript is sent to a user
who has enabled JavaScript in Thunderbird (which is not the
default and not recommended), this could potentially be exploited to
execute arbitrary code with the user's privileges. (MFSA 2006-38,

The Mozilla developer team discovered several bugs that lead to
crashes with memory corruption. These might be exploitable by
malicious web sites to execute arbitrary code with the privileges of
the user. (MFSA 2006-32, CVE-2006-2779, CVE-2006-2780)

Masatoshi Kimura discovered a memory corruption (double-free) when
processing a large VCard with invalid base64 characters in it. By
sending a maliciously crafted set of VCards to a user, this could
potentially be exploited to execute arbitrary code with the user's
privileges. (MFSA 2006-40, CVE-2006-2781)

Masatoshi Kimura found a way to bypass web input sanitizers which
filter out JavaScript. By inserting 'Unicode Byte-order-Mark (BOM)'
characters into the HTML code (e.g. '<scr[BOM]ipt>'), these filters
might not recognize the tags anymore; however, Thunderbird would still
execute them since BOM markers are filtered out before processing a
mail containing JavaScript. (MFSA 2006-42, CVE-2006-2783)
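
The filter/renderer mismatch described above, shown as an added example that is not part of the advisory: a tag filter scanning the raw text misses a script tag split by U+FEFF, while a filter that first removes BOMs (as the advisory says Thunderbird does before processing) catches it and reports where the embedded BOMs sit. The regex, function names and sample bodies are constructed for illustration.

```python
import re

BOM = "\ufeff"  # U+FEFF byte-order mark; EF BB BF when encoded as UTF-8

# Simple stand-in for a sanitizer's "is there a script tag?" check (assumption).
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def decode_body(raw: bytes) -> str:
    """Decode a UTF-8 body; a single leading BOM is legitimate and is dropped."""
    text = raw.decode("utf-8", errors="replace")
    return text[1:] if text.startswith(BOM) else text


def naive_filter(text: str) -> bool:
    """Scan the text exactly as received, without canonicalizing it."""
    return SCRIPT_TAG.search(text) is not None


def canonicalize(text: str) -> str:
    """Mirror the consumer described in the advisory: drop every BOM."""
    return text.replace(BOM, "")


def inspect(raw: bytes) -> dict:
    """Compare both filters and list offsets of BOMs embedded in the body."""
    text = decode_body(raw)
    return {
        "naive_hit": naive_filter(text),
        "hardened_hit": naive_filter(canonicalize(text)),
        "embedded_bom_offsets": [i for i, ch in enumerate(text) if ch == BOM],
    }


# Constructed sample bodies, not taken from real mail.
SAMPLES = {
    "plain": b"<p>hello</p>",
    "leading_bom": (BOM + "<p>hello</p>").encode("utf-8"),
    "script": b"<script>noop()</script>",
    "bom_split": ("<scr" + BOM + "ipt>x()</scr" + BOM + "ipt>").encode("utf-8"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, inspect(body))
```

A BOM anywhere other than the very start of a body has no legitimate role in markup, so a non-empty `embedded_bom_offsets` is a useful signal on its own.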

Kazuho Oku discovered various ways to perform HTTP response smuggling
when used with certain proxy servers. Due to different interpretation
of nonstandard HTTP headers in Thunderbird and the proxy server, a
malicious HTML email can exploit this to send back two responses to one
request. The second response could be used to steal login cookies or
other sensitive data from another opened web site. (MFSA 2006-33,

It was discovered that JavaScript run via EvalInSandbox() can escape
the sandbox. Malicious scripts received in emails containing
JavaScript could use these privileges to execute arbitrary code with
the user's privileges. (MFSA 2006-31, CVE-2006-2787)

The "enigmail" plugin has been updated to work with the new
Thunderbird version.

Updated packages for Ubuntu 6.06 LTS:

Source archives:

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

i386 architecture (x86 compatible Intel/AMD)

powerpc architecture (Apple Macintosh G3/G4/G5)



Printed from Linux Compatible (