Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 4 product line. The current stable release is 4.9. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 197078

Summary: CVE-2006-2779 multiple Thunderbird issues (CVE-2006-2780, CVE-2006-2781, CVE-2006-2783,CVE-2006-2782,CVE-2006-2778,CVE-2006-2776,CVE-2006-2784,CVE-2006-2785,CVE-2006-2786,CVE-2006-2787,CVE-2006-2788)
Product: Red Hat Enterprise Linux 4 Reporter: Josh Bressers <bressers>
Component: thunderbirdAssignee: Christopher Aillon <caillon>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 4.0Keywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,source=mozilla,reported=20060531,public=20060601
Fixed In Version: RHSA-2006-0611 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-07-29 00:07:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2006-06-28 14:12:34 UTC 
+++ This bug was initially created as a clone of Bug #196973 +++

These issues will remain unfixed in Thunderbird until we upgrade to Thunderbird
1.5. They are not additional issues, simply problems which are fixed as part of
the upgrade.

CVE-2006-2777 MFSA 2006-43
CVE-2006-2776 MFSA 2006-37
CVE-2006-2784 MFSA 2006-36
CVE-2006-2785 MFSA 2006-34
CVE-2006-2787 MFSA 2006-31
Several flaws were found in the way Thunderbird processes certain javascript
actions. A malicious HTML mail could execute arbitrary javascript
instructions with the permissions of "chrome", allowing the mail to steal
sensitive information or install client malware. Please note that javascript is
disabled by default in Thunderbird.

CVE-2006-2783 MFSA 2006-42
A cross site scripting flaw was found in the way Thunderbird processes Unicode
Byte-order-Mark (BOM) markers in UTF-8 HTML email. A malicious HTML mail message
could execute a script within the browser that a web input sanitizer could
miss due to a malformed "script" tag.

CVE-2006-2782 MFSA 2006-41
A form file upload flaw was found in the way Thunderbird handles javascript
input object mutation. A malicious HTML mail message could upload an arbitrary
local file at form submission time without user interaction.

CVE-2006-2778 MFSA 2006-38
A denial of service flaw was found in the way Thunderbird calls the
crypto.signText() javascript function. A malicious HTML mail message could crash
the mail client if the victim had a client certificate loaded.

CVE-2006-2786 MFSA 2006-33
Two HTTP response smuggling flaws were found in the way Thunderbird processes
certain invalid HTTP response headers. A malicious web server could return
specially crafted HTTP response headers which may bypass HTTP proxy
restrictions.

CVE-2006-2788
A double free flaw was found in the way the nsIX509::getRawDER method is
called. If a victim views a carefully crafted HTML mail it is possible to
execute arbitrary code as the user running Mozilla. (CVE-2006-2788)
Comment 3 Josh Bressers 2006-07-12 20:22:14 UTC 
These additional issues are being tracked via this bug


Text stolen from MITRE:

CVE-2006-2781
Double-free vulnerability in Mozilla Thunderbird before 1.5.0.4 and
SeaMonkey before 1.0.2 allows remote attackers to cause a denial of
service (hang) and possibly execute arbitrary code via a VCard that
contains invalid base64 characters.

CVE-2006-2779
Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers
to cause a denial of service (crash) and possibly execute arbitrary
code via (1) nested <option> tags in a select tag, (2) a
DOMNodeRemoved mutation event, (3) "Content-implemented tree views,"
(4) BoxObjects, (5) the XBL implementation, (6) an iframe that
attempts to remove itself, which leads to memory corruption.

-- Additional comment from bressers on 2006-07-12 10:54 EST --
CVE-2006-2780
Integer overflow in Mozilla Firefox and Thunderbird before 1.5.0.4 allows remote
attackers to cause a denial of service (crash) and possibly execute arbitrary
code via "jsstr tagify," which leads to memory corruption.
Comment 4 Josh Bressers 2006-07-14 20:00:13 UTC 
CVE-2006-2777 is now being tracked via bug 198934
Comment 5 Red Hat Bugzilla 2006-07-29 00:07:32 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0611.html