Bug 189672

Summary: Mozilla Thunderbird multiple vulnerabilities (CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-0292, et al.)
Product: [Retired] Fedora Legacy
Reporter: David Eisenstein <deisenst>
Component: thunderbird
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: high
Priority: urgent
Version: fc3
CC: pekkas
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://rhn.redhat.com/errata/RHSA-2006-0330.html
Whiteboard: impact=critical, LEGACY, 3
Doc Type: Bug Fix
Last Closed: 2006-06-30 13:40:21 UTC

Attachments:
- Proposed Test Update Notification for thunderbird-1.0.8 (flags: none)
- Proposed Update advisory (flags: none)

Description David Eisenstein 2006-04-22 13:34:12 UTC
Mozilla has released a new version of Mozilla Thunderbird that corrects
serious and critical vulnerabilities in that product.  Red Hat has issued
advisory RHSA-2006:0330-01 <http://rhn.redhat.com/errata/RHSA-2006-0330.html>.
With that advisory, Red Hat has released thunderbird-1.0.8-1.4.1.

Here is the Problem Description from that advisory:

"Several bugs were found in the way Thunderbird processes malformed
javascript. A malicious HTML mail message could modify the content of a
different open HTML mail message, possibly stealing sensitive information
or conducting a cross-site scripting attack. Please note that JavaScript
support is disabled by default in Thunderbird. (CVE-2006-1731,
CVE-2006-1732, CVE-2006-1741)

"Several bugs were found in the way Thunderbird processes certain 
javascript actions. A malicious HTML mail message could execute arbitrary 
javascript instructions with the permissions of 'chrome', allowing the 
page to steal sensitive information or install browser malware. Please 
note that JavaScript support is disabled by default in Thunderbird. 
(CVE-2006-0292, CVE-2006-0296, CVE-2006-1727, CVE-2006-1728, CVE-2006-1733,
CVE-2006-1734, CVE-2006-1735, CVE-2006-1742)

"Several bugs were found in the way Thunderbird processes malformed HTML
mail messages.  A carefully crafted malicious HTML mail message could 
cause the execution of arbitrary code as the user running Thunderbird.
(CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738,
CVE-2006-1739, CVE-2006-1790)

"A bug was found in the way Thunderbird processes certain inline content 
in HTML mail messages. It may be possible for a remote attacker to send a
carefully crafted mail message to the victim, which will fetch remote
content, even if Thunderbird is configured not to fetch remote content.
(CVE-2006-1045)

"Users of Thunderbird are advised to upgrade to this updated package
containing Thunderbird version 1.0.8, which is not vulnerable to these 
issues."

Comment 1 David Eisenstein 2006-04-29 07:58:49 UTC
Here is an updated mozilla Thunderbird package to QA for FC3:

1aa9684f679b29eef1848d517a803c8606db1210  thunderbird-1.0.8-1.1.fc3.2.legacy.src.rpm

http://turbosphere.fedoralegacy.org/logs/fedora-3-core/100-thunderbird-1.0.8-1.1.fc3.2.legacy/thunderbird-1.0.8-1.1.fc3.2.legacy.src.rpm

Changelog:
* Fri Apr 28 2006 David Eisenstein <deisenst> 1.0.8-1.1.fc3.2.legacy
- Add buildrequires - desktop-file-utils

* Tue Apr 25 2006 David Eisenstein <deisenst> 1.0.8-1.1.fc3.1.legacy
- Portions of the firefox-1.0-gcc4-compile.patch are already applied in
  the src tarball.  Remove those so remainder of patch will apply.

* Tue Apr 25 2006 David Eisenstein <deisenst> 1.0.8-1.1.fc3.legacy
- Update to 1.0.8, containing fixes for:
  CVE-2006-1731, CVE-2006-1732, CVE-2006-1741, CVE-2006-0292,
  CVE-2006-0296, CVE-2006-1727, CVE-2006-1728, CVE-2006-1733,
  CVE-2006-1734, CVE-2006-1735, CVE-2006-1742, CVE-2006-0749,
  CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738,
  CVE-2006-1739, CVE-2006-1790, CVE-2006-1045

Thanks!


Comment 2 Pekka Savola 2006-05-02 18:51:45 UTC
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal [*]
 - no patch changes except OK removal.

[*] as this is the first time this package is being built in mock, please
make sure you run appropriate rpm-build-compare.sh (e.g., ldd) or similar
stuff on the binaries to make sure all the buildrequires stuff that was in
the previous version was properly included.

+PUBLISH FC3

1aa9684f679b29eef1848d517a803c8606db1210  thunderbird-1.0.8-1.1.fc3.2.legacy.src.rpm


Comment 3 David Eisenstein 2006-05-02 23:19:00 UTC
Thanks, Pekka!  :)

Comment 4 David Eisenstein 2006-05-15 08:06:07 UTC
Pekka, I wish to thank you very much for your advice to check the
rpm-build-compare.sh of the binary packages.  There were indeed many,
many missing BuildRequires.  I am building (what I hope is now) the last
incarnation of Mozilla Thunderbird so we can push it to updates-testing...

Thanks again!  I appreciate your eagle-eye and your sharp mind!

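The two checks the QA comment above asks for, written out as an added example (not code from the bug report and not Fedora Legacy's own rpm-build-compare.sh): verifying a download against the reviewer's published sha1sum line, and comparing the linked sonames of the old and rebuilt binary to spot libraries a missing BuildRequires silently dropped. The tarball and the two ldd listings are constructed sample data.

```shell
#!/bin/sh
# Added example; not from the bug report or Fedora Legacy's rpm-build-compare.sh.
# Two of the QA checks above, run here on constructed sample data.
export LC_ALL=C   # keep sort and comm on the same collation

# Check 1: verify the download against the "<sha1>  <file>" line the reviewer
# published, by handing that exact line to sha1sum -c.
# $1 = published sha1sum line, $2 = directory that holds the file.
verify_published_sha1() {
    ( cd "$2" && printf '%s\n' "$1" | sha1sum -c --status )
}

# Check 2: a missing BuildRequires rarely breaks the build; configure just
# drops the feature, so the rebuilt binary links fewer libraries.  Reduce ldd
# output to a sorted soname list (covers "lib => path", the bare
# "/lib/ld-linux.so.2" line and the "linux-gate.so.1 =>  (addr)" vdso line).
sonames() {
    awk '{ n = split($1, p, "/"); print p[n] }' "$1" | sort -u
}

# Print the sonames the old build linked that the new build no longer does.
# $1 = ldd output of the old binary, $2 = ldd output of the new binary.
dropped_libs() {
    old=$(mktemp); new=$(mktemp)
    sonames "$1" > "$old"; sonames "$2" > "$new"
    comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# --- constructed sample data standing in for a real tarball and ldd output ---
WORK=$(mktemp -d)
printf 'sample source tarball\n' > "$WORK/thunderbird-sample.tar.gz"
PUBLISHED=$( cd "$WORK" && sha1sum thunderbird-sample.tar.gz )  # reviewer's line
cat > "$WORK/old.ldd" <<'EOF'
    linux-gate.so.1 =>  (0xffffe000)
    libgnomeui-2.so.0 => /usr/lib/libgnomeui-2.so.0 (0x00111000)
    libgnomevfs-2.so.0 => /usr/lib/libgnomevfs-2.so.0 (0x00222000)
    libgtk-x11-2.0.so.0 => /usr/lib/libgtk-x11-2.0.so.0 (0x00333000)
    /lib/ld-linux.so.2 (0x00444000)
EOF
cat > "$WORK/new.ldd" <<'EOF'
    linux-gate.so.1 =>  (0xffffe000)
    libgtk-x11-2.0.so.0 => /usr/lib/libgtk-x11-2.0.so.0 (0x00333000)
    /lib/ld-linux.so.2 (0x00444000)
EOF
verify_published_sha1 "$PUBLISHED" "$WORK" && echo "source integrity good"
echo "sonames dropped by the new build (suspect a missing BuildRequires):"
dropped_libs "$WORK/old.ldd" "$WORK/new.ldd"
```

On a real package, feed `dropped_libs` the `ldd` output of the same binary from the previous and the new RPM; any soname it lists is a feature the mock build lost.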
Comment 5 David Eisenstein 2006-05-17 13:44:54 UTC
Created attachment 129317
Proposed Test Update Notification for thunderbird-1.0.8

Enclosed is proposed updates-testing notification to go to fedora-legacy-list
once pkgs are signed with the Legacy key and their SHA1-sums have been
determined.  I believe the thunderbird packages are ready to be pushed to
updates-testing.

Current packages to look at (signed with my own key) are here:
SRPM:
http://turbosphere.fedoralegacy.org/logs/fedora-3-core/138-thunderbird-1.0.8-1.1.fc3.4.legacy/thunderbird-1.0.8-1.1.fc3.4.legacy.src.rpm

i386:
http://turbosphere.fedoralegacy.org/logs/fedora-3-core/138-thunderbird-1.0.8-1.1.fc3.4.legacy/i386/thunderbird-1.0.8-1.1.fc3.4.legacy.i386.rpm

x86_64:
http://turbosphere.fedoralegacy.org/logs/fedora-3-core/138-thunderbird-1.0.8-1.1.fc3.4.legacy/x86_64/thunderbird-1.0.8-1.1.fc3.4.legacy.x86_64.rpm

Thanks.

Comment 6 Marc Deslauriers 2006-05-26 01:49:03 UTC
Packages were pushed to updates-testing

Comment 7 Pekka Savola 2006-05-26 15:06:15 UTC
Timeout in 2 weeks.

Comment 8 David Eisenstein 2006-06-14 17:32:03 UTC
Timeout over.

Comment 9 David Eisenstein 2006-06-14 18:20:17 UTC
Created attachment 130899
Proposed Update advisory

Attached is a proposed update advisory for Thunderbird.

Comment 10 Marc Deslauriers 2006-06-30 13:40:21 UTC
Packages were released to updates.

Comment 11 David Eisenstein 2006-07-01 06:08:30 UTC
Thanks, Marc!  :)