Bug 169232

Summary: [MFSA2005-59] Thunderbird improper command line URL sanitization
Product: [Fedora] Fedora Reporter: Gerwin Krist <gerwinkrist>
Component: thunderbirdAssignee: Christopher Aillon <caillon>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.mozilla.org/security/announce/mfsa2005-59.html
Whiteboard:
Fixed In Version: 1.0.7-1.1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-10-09 09:59:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Gerwin Krist 2005-09-25 18:11:33 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b4) Gecko/20050908 (No IDN) Firefox/1.4

Description of problem:
"URLs passed to Linux versions of Firefox on the command-line are not correctly protected against interpretation by the shell. As a result a malicious URL can result in the execution of shell commands with the privileges of the user. If Firefox is set as the default handler for web URLs then opening a URL in another program (for example, links in a mail or chat client) can result in shell command execution."

So not only firefox is affected but also Thunderbird. Fix will come with 1.07 version ....

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1.
2.
3.
  

Additional info:
Comment 1 Gerwin Krist 2005-09-25 18:12:22 UTC 
Page:
http://www.mozilla.org/security/announce/mfsa2005-59.html