Bug 163285 - CAN-2005-0989 multiple thunderbird issues (CAN-2005-1159 CAN-2005-1160 CAN-2005-1532 CAN-2005-2261 CAN-2005-2265 CAN-2005-2266 CAN-2005-2269 CAN-2005-2270)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: thunderbird
Version: 4.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Christopher Aillon
QA Contact:
URL:
Whiteboard: impact=important,source=mozilla,publi...
Depends On:
Blocks:
Reported: 2005-07-14 19:51 UTC by Josh Bressers
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-07-21 17:47:00 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2005:601
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: thunderbird security update
Last Updated: 2005-07-21 04:00:00 UTC

Description Josh Bressers 2005-07-14 19:51:38 UTC
MFSA 2005-56
        CAN-2005-2270
        impact=important,source=mozilla,public=20050712
            Improper cloning of base objects allowed web content scripts to
            get to a privileged object by walking up the prototype chain. This
            could be used to execute code with enhanced privileges.

            https://bugzilla.mozilla.org/show_bug.cgi?id=294795
            https://bugzilla.mozilla.org/show_bug.cgi?id=294799
            https://bugzilla.mozilla.org/show_bug.cgi?id=295011
            https://bugzilla.mozilla.org/show_bug.cgi?id=296397

        MFSA 2005-55
        CAN-2005-2269
        impact=moderate,source=mozilla,public=20050712
            Parts of the browser UI relied too much on DOM node names without
            taking different namespaces into account and verifying that the
            node was really of the expected type. An XHTML document could be
            used, for example, to create fake <IMG> elements with
            content-defined properties that will be accessed as if they were
            the trusted built-in properties of the expected HTML elements.

            https://bugzilla.mozilla.org/show_bug.cgi?id=298892

        MFSA 2005-52
        CAN-2005-2266
        impact=moderate,source=mozilla,public=20050712
            A child frame can call top.focus() even if the framing page comes
            from a different origin and has overridden the focus() routine.
            The call is made in the context of the child frame. The attacker
            would look for a target site with a framed page that makes this
            call but doesn't verify that its parent comes from the same site.
            By framing this page the attacker could steal cookies and
            passwords, or take actions on the site on behalf of a signed-in
            user.

            http://secunia.com/advisories/15549/
            https://bugzilla.mozilla.org/show_bug.cgi?id=296830

        MFSA 2005-50
        CAN-2005-2265
        impact=moderate,source=mozilla,public=20050712
            When InstallVersion.compareTo() was passed an object rather than a
            string it assumed the object was another InstallVersion without
            verifying it. When passed a different kind of object the browser
            would generally crash with an access violation.

        MFSA 2005-46
        CAN-2005-2261
        impact=low,source=mozilla,public=20050712
            Scripts in XBL controls from web content continued to be run even
            when JavaScript was disabled. By itself this causes no harm, but
            it could be combined with most script-based exploits to attack
            people running vulnerable versions who thought disabling
            JavaScript would protect them.

            https://bugzilla.mozilla.org/show_bug.cgi?id=292591
            https://bugzilla.mozilla.org/show_bug.cgi?id=292589

        MFSA 2005-44
        CAN-2005-1532
        impact=moderate,source=mozilla,public=20050518
            Additional checks were added to make sure JavaScript eval and
            Script objects are run with the privileges of the context that
            created them, not the potentially elevated privilege of the
            context calling them in order to protect against an additional
            variant of MFSA 2005-41.

            https://bugzilla.mozilla.org/show_bug.cgi?id=290908

        MFSA 2005-41
        CAN-2005-1160
        impact=moderate,source=mozilla,public=20050415
            moz_bug_r_a4 reported several exploits giving an attacker the
            ability to install malicious code or steal data, requiring only
            that the user do commonplace actions like click on a link or open
            the context menu. The common cause in each case was privileged UI
            code ("chrome") being overly trusting of DOM nodes from the
            content window.  Scripts in the web page can override properties
            and methods of DOM nodes and shadow the native values, unless
            steps are taken to get the true underlying values.

            https://bugzilla.mozilla.org/show_bug.cgi?id=289074
            https://bugzilla.mozilla.org/show_bug.cgi?id=289083
            https://bugzilla.mozilla.org/show_bug.cgi?id=289961

        MFSA 2005-40
        CAN-2005-1159
        impact=moderate,source=mozilla,public=20050415

            The native implementations of InstallTrigger and other
            XPInstall-related JavaScript objects did not properly validate
            that they were called on instances of the correct type. By passing
            other objects, even raw numbers, the JavaScript interpreter would
            jump to the wrong place in memory.  Although no proof of concept
            has been developed we believe this could be exploited.

            https://bugzilla.mozilla.org/show_bug.cgi?id=290162

        MFSA 2005-33
        CAN-2005-0989
        impact=low,source=mozilla,public=20050415

            A bug in JavaScript's regular expression string replacement when
            using an anonymous function as the replacement argument allows a
            malicious script to capture blocks of memory allocated to the
            browser. A web site could capture data and transmit it to a server
            without user interaction or knowledge.

            https://bugzilla.mozilla.org/show_bug.cgi?id=288688
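
The trust pattern behind MFSA 2005-41 and MFSA 2005-55 above, next to its hardened form, as an added example that is not part of the original report or of Mozilla's code. ImageModel, naiveTarget and hardenedTarget are hypothetical names, and a plain class stands in for a built-in element so the block runs in Node without a DOM.

```javascript
// Added illustration: ImageModel, naiveTarget and hardenedTarget are hypothetical.

// Stand-in for a built-in image element. The real value lives in a private
// slot that page script cannot reach and is exposed by a prototype getter.
class ImageModel {
  #src;
  constructor(src) {
    this.nodeName = 'IMG';
    this.#src = src;
  }
  get src() { return this.#src; }
  // Brand check: true only for objects this class actually constructed.
  static isGenuine(obj) {
    return typeof obj === 'object' && obj !== null && #src in obj;
  }
}

// Capture the trusted getter once, before any untrusted script has run.
const trueSrc = Object.getOwnPropertyDescriptor(ImageModel.prototype, 'src').get;

// Pattern the advisories describe: trust the node name, read the property
// directly, and so receive whatever the content has put in its place.
function naiveTarget(node) {
  return node.nodeName === 'IMG' ? node.src : null;
}

// Hardened: verify the object really is of the expected type, then read
// through the captured getter, which ignores any own property that
// shadows it on the instance.
function hardenedTarget(node) {
  if (!ImageModel.isGenuine(node)) return null;
  return trueSrc.call(node);
}

// Constructed inputs.
const REAL = 'https://example.test/real.png';
const genuine = new ImageModel(REAL);
const shadowed = new ImageModel(REAL);
Object.defineProperty(shadowed, 'src', { get: () => 'content-chosen-value' });
const lookalike = { nodeName: 'IMG', src: 'content-chosen-value' };

for (const [label, node] of Object.entries({ genuine, shadowed, lookalike })) {
  console.log(label, '| naive:', naiveTarget(node), '| hardened:', hardenedTarget(node));
}
```
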

Comment 1 Mark J. Cox 2005-07-21 17:47:00 UTC
fixed by RHSA-2005:601 (auto bug closing isn't working)