Bug 145604 - CAN-2004-1316 multiple thunderbird issues (CAN-2005-0142 CAN-2005-0146 CAN-2005-0149)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: thunderbird
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: high
Target Milestone: ---
Assignee: Christopher Aillon
QA Contact:
URL:
Whiteboard: impact=important,public=20050120
Depends On:
Blocks:
Reported: 2005-01-20 01:36 UTC by Josh Bressers
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-28 20:26:59 UTC
Type: ---
Embargoed:



Description Josh Bressers 2005-01-20 01:36:55 UTC
===================================
Mozilla Security Advisory MSA05-002
===================================

Title:      Opened attachments are temporarily saved world-readable
Severity:   Moderate (on a multiuser computer)
Reporter:   danielk

Fixed in:   Firefox 1.0
            Thunderbird 0.9
            Mozilla Suite 1.7.5

Vulnerable: Firefox 0.9
            Thunderbird 0.6
            Mozilla 1.7


Description
-----------
Mozilla software released after March 2004 saves some temporary files with
world-readable permissions. In the browser this is primarily
content fed to helper applications (for example, PDF files), and in
the mail clients it is attachments.


Workaround
----------
Do not open sensitive mail attachments on a shared multiuser machine.
Upgrade to fixed version.


References
----------
https://bugzilla.mozilla.org/show_bug.cgi?id=251297
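
The permission problem described in MSA05-002, shown beside an owner-only way of writing the same temporary file. This is an added example, not code from the advisory or from Mozilla; the function names, the /tmp paths and the pinned umask of 022 are assumptions made for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if group or other has any access to path, 0 if owner-only, -1 on error. */
int exposed_to_others(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/* Weak pattern: fopen() requests 0666 and leaves the rest to the umask.
 * umask pinned to 022 (assumption) for a deterministic demo: result is 0644. */
int save_attachment_weak(const char *path, const void *buf, size_t len) {
    mode_t old = umask(022);
    FILE *f = fopen(path, "wb");
    umask(old);
    if (!f) return -1;
    size_t n = fwrite(buf, 1, len, f);
    return (fclose(f) == 0 && n == len) ? 0 : -1;
}

/* Private pattern: mkstemp() opens a new, unused name exclusively; fchmod()
 * sets 0600 explicitly. tmpl must end in "XXXXXX" and receives the name. */
int save_attachment_private(char *tmpl, const void *buf, size_t len) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 ||
        write(fd, buf, len) != (ssize_t)len) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return close(fd);
}

int main(void) {
    char weak[] = "/tmp/msa05_002_weak.bin", priv[] = "/tmp/msa05_002_XXXXXX";
    unlink(weak);
    if (save_attachment_weak(weak, "constructed", 11) == 0)
        printf("weak    exposed=%d\n", exposed_to_others(weak));
    if (save_attachment_private(priv, "constructed", 11) == 0)
        printf("private exposed=%d\n", exposed_to_others(priv));
    unlink(weak);
    unlink(priv);
    return 0;
}
```

The same `exposed_to_others()` check can be pointed at files a helper application has left in a shared temporary directory to see whether an installed build still writes them with group or other access.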

Comment 1 Josh Bressers 2005-01-20 02:05:57 UTC
===================================
Mozilla Security Advisory MSA05-006
===================================

Title:      Heap overrun handling malicious news: URL
Severity:   High
Reporter:   Maurycy Prodeus (iSEC Security Research)

Fixed in:   Thunderbird 0.9
            Mozilla Suite 1.7.5


Description
-----------
Maurycy Prodeus of iSEC Security Research reports a heap overrun in processing
certain news: URLs. Thunderbird and the Mozilla Suite are affected; Firefox
does not support the news: scheme.

Workaround 
----------
Upgrade to fixed version. 


References
----------
http://isec.pl/vulnerabilities/isec-0020-mozilla.txt 
https://bugzilla.mozilla.org/show_bug.cgi?id=264388

Comment 2 Josh Bressers 2005-01-20 02:08:26 UTC
The issue described in comment #1 is CAN-2004-1316

Comment 3 Josh Bressers 2005-01-20 02:15:00 UTC
===================================
Mozilla Security Advisory MSA05-008
===================================

Title:      Synthetic middle-click event can steal clipboard contents
Severity:   Moderate
Reporter:   Jesse Ruderman

Fixed in:   Firebird 1.0
            Mozilla Suite 1.7.5


Description
-----------
Script-generated middle-click events can steal clipboard contents
on systems where that action is a paste. Middle-click paste is the
default behavior on Unix systems, and a hidden option elsewhere.


Workaround
----------
Disable JavaScript or upgrade to fixed version.


References
----------
https://bugzilla.mozilla.org/show_bug.cgi?id=265728

Comment 4 Christopher Aillon 2005-04-28 20:26:59 UTC
Fixed in fc3 updates already.

