Bug 145604

Summary: CAN-2004-1316 multiple thunderbird issues (CAN-2005-0142 CAN-2005-0146 CAN-2005-0149)
Product: [Fedora] Fedora
Reporter: Josh Bressers <bressers>
Component: thunderbird
Assignee: Christopher Aillon <caillon>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 3
CC: security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20050120
Doc Type: Bug Fix
Last Closed: 2005-04-28 20:26:59 UTC

Description Josh Bressers 2005-01-20 01:36:55 UTC
===================================
Mozilla Security Advisory MSA05-002
===================================

Title:      Opened attachments are temporarily saved world-readable
Severity:   Moderate (on a multiuser computer)
Reporter:   danielk

Fixed in:   Firefox 1.0
            Thunderbird 0.9
            Mozilla Suite 1.7.5

Vulnerable: Firefox 0.9
            Thunderbird 0.6
            Mozilla 1.7


Description
-----------
Mozilla software released after March 2004 saves some temporary files with
world-readable permissions. In the browser this is primarily
content fed to helper applications (for example, PDF files), and in
the mail clients it is attachments.


Workaround
----------
Do not open sensitive mail attachments on a shared multiuser machine.
Upgrade to fixed version.


References
----------
https://bugzilla.mozilla.org/show_bug.cgi?id=251297
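
The permission problem described in MSA05-002 above, as an added example that is not part of this bug report and is not Mozilla's code: it saves a constructed attachment once with a permissive create mode and once with mkstemp(), then checks each file's mode bits the way an audit would. The function names, file names and the 022 umask are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: caller-chosen name, mode 0644; only the umask narrows it. */
static int save_weak(const char *path, const char *data, size_t len) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, len);
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}

/* Hardened pattern: mkstemp() picks the name, creates with O_EXCL, mode 0600. */
static int save_private(char *tmpl, const char *data, size_t len) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    /* Set 0600 explicitly as well, in case an old libc created it wider. */
    ssize_t n = (fchmod(fd, S_IRUSR | S_IWUSR) == 0) ? write(fd, data, len) : -1;
    return (close(fd) == 0 && n == (ssize_t)len) ? 0 : -1;
}

/* Audit check: 1 if group or other can read a regular file, 0 if not, -1 on error. */
static int readable_by_others(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return (S_ISREG(st.st_mode) && (st.st_mode & (S_IRGRP | S_IROTH))) ? 1 : 0;
}

/* Saves a constructed "attachment" both ways; returns 10*weak_flag + private_flag. */
int demo(void) {
    const char data[] = "constructed attachment body";
    char dir[] = "/tmp/msa-demo-XXXXXX", weak[64], priv[64];
    mode_t old = umask(022);            /* assumed: a typical default umask */
    int result = -1;
    if (mkdtemp(dir) != NULL) {         /* 0700 directory keeps the demo files private */
        snprintf(weak, sizeof weak, "%s/attachment.pdf", dir);
        snprintf(priv, sizeof priv, "%s/att-XXXXXX", dir);
        if (save_weak(weak, data, sizeof data - 1) == 0 &&
            save_private(priv, data, sizeof data - 1) == 0)
            result = 10 * readable_by_others(weak) + readable_by_others(priv);
        unlink(weak); unlink(priv); rmdir(dir);
    }
    umask(old);
    return result;
}

int main(void) { printf("%d\n", demo()); return 0; }
```
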

Comment 1 Josh Bressers 2005-01-20 02:05:57 UTC
===================================
Mozilla Security Advisory MSA05-006
===================================

Title:      Heap overrun handling malicious news: URL
Severity:   High
Reporter:   Maurycy Prodeus (iSEC Security Research)

Fixed in:   Thunderbird 0.9
            Mozilla Suite 1.7.5


Description
-----------
Maurycy Prodeus of iSEC Security Research reports a heap overrun in processing
certain news: URLs. Thunderbird and the Mozilla Suite are affected; Firefox
does not support the news: scheme.

Workaround 
----------
Upgrade to fixed version. 


References
----------
http://isec.pl/vulnerabilities/isec-0020-mozilla.txt 
https://bugzilla.mozilla.org/show_bug.cgi?id=264388

Comment 2 Josh Bressers 2005-01-20 02:08:26 UTC
The issue described in comment #1 is CAN-2004-1316

Comment 3 Josh Bressers 2005-01-20 02:15:00 UTC
===================================
Mozilla Security Advisory MSA05-008
===================================

Title:      Synthetic middle-click event can steal clipboard contents
Severity:   Moderate
Reporter:   Jesse Ruderman

Fixed in:   Firebird 1.0
            Mozilla Suite 1.7.5


Description
-----------
Script-generated middle-click events can steal clipboard contents
on systems where that action is a paste. Middle-click paste is the
default behavior on Unix systems, and a hidden option elsewhere.


Workaround
----------
Disable JavaScript or upgrade to fixed version.


References
----------
https://bugzilla.mozilla.org/show_bug.cgi?id=265728

Comment 4 Christopher Aillon 2005-04-28 20:26:59 UTC
Fixed in fc3 updates already.