189672 – Mozilla Thunderbird multiple vulnerabilities (CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-0292, et al.)

Bug 189672 - Mozilla Thunderbird multiple vulnerabilities (CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-0292, et al.)

Summary: Mozilla Thunderbird multiple vulnerabilities (CVE-2006-0749, CVE-2006-1724, ...

Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora Legacy
Classification:	Retired
Component:	thunderbird
Sub Component:	(Show other bugs)
Version:	fc3
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	high
Target Milestone:	---
Assignee:	Fedora Legacy Bugs
QA Contact:
Docs Contact:
URL:	http://rhn.redhat.com/errata/RHSA-200...
Whiteboard:	impact=critical, LEGACY, 3
Keywords:	Security
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-04-22 13:34 UTC by David Eisenstein
Modified:	2006-07-01 06:08 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2006-06-30 13:40:21 UTC
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Proposed Test Update Notification for thunderbird-1.0.8 (4.00 KB, text/plain) 2006-05-17 13:44 UTC, David Eisenstein	no flags	Details
Proposed Update advisory (6.74 KB, text/plain) 2006-06-14 18:20 UTC, David Eisenstein	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	188863	None	None	None	Never
Red Hat Bugzilla	188871	None	None	None	Never

Description David Eisenstein 2006-04-22 13:34:12 UTC

Mozilla has released a new version of Mozilla Thunderbird that corrects
serious and critical vulnerabilities in that product.  Red Hat has issued
advisory RHSA-2006:0330-01 <http://rhn.redhat.com/errata/RHSA-2006-0330.html>.
With that advisory, Red Hat has released thunderbird-1.0.8-1.4.1.

Here is the Problem Description from that advisory:

"Several bugs were found in the way Thunderbird processes malformed
javascript. A malicious HTML mail message could modify the content of a
different open HTML mail message, possibly stealing sensitive information
or conducting a cross-site scripting attack. Please note that JavaScript
support is disabled by default in Thunderbird. (CVE-2006-1731,
CVE-2006-1732, CVE-2006-1741)

"Several bugs were found in the way Thunderbird processes certain 
javascript actions. A malicious HTML mail message could execute arbitrary 
javascript instructions with the permissions of 'chrome', allowing the 
page to steal sensitive information or install browser malware. Please 
note that JavaScript support is disabled by default in Thunderbird. 
(CVE-2006-0292, CVE-2006-0296, CVE-2006-1727, CVE-2006-1728, CVE-2006-1733,
CVE-2006-1734, CVE-2006-1735, CVE-2006-1742)

"Several bugs were found in the way Thunderbird processes malformed HTML
mail messages.  A carefully crafted malicious HTML mail message could 
cause the execution of arbitrary code as the user running Thunderbird.
(CVE-2006-0749, CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738,
CVE-2006-1739, CVE-2006-1790)

"A bug was found in the way Thunderbird processes certain inline content 
in HTML mail messages. It may be possible for a remote attacker to send a
carefully crafted mail message to the victim, which will fetch remote
content, even if Thunderbird is configured not to fetch remote content.
(CVE-2006-1045)

"Users of Thunderbird are advised to upgrade to this updated package
containing Thunderbird version 1.0.8, which is not vulnerable to these 
issues."

Comment 1 David Eisenstein 2006-04-29 07:58:49 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here is an updated mozilla Thunderbird package to QA for FC3:

1aa9684f679b29eef1848d517a803c8606db1210__thunderbird-1.0.8-1.1.fc3.2.legacy.src.rpm

http://turbosphere.fedoralegacy.org/logs/fedora-3-core/100-thunderbird-1.0.8-1.1.fc3.2.legacy/thunderbird-1.0.8-1.1.fc3.2.legacy.src.rpm

Changelog:
* Fri Apr 28 2006 David Eisenstein <deisenst@gtw.net> 1.0.8-1.1.fc3.2.legacy
- - Add buildrequires - desktop-file-utils

* Tue Apr 25 2006 David Eisenstein <deisenst@gtw.net> 1.0.8-1.1.fc3.1.legacy
- - Portions of the firefox-1.0-gcc4-compile.patch are already applied in
  the src tarball.  Remove those so remainder of patch will apply.

* Tue Apr 25 2006 David Eisenstein <deisenst@gtw.net> 1.0.8-1.1.fc3.legacy
- - Update to 1.0.8, containing fixes for:
  CVE-2006-1731, CVE-2006-1732, CVE-2006-1741, CVE-2006-0292,
  CVE-2006-0296, CVE-2006-1727, CVE-2006-1728, CVE-2006-1733,
  CVE-2006-1734, CVE-2006-1735, CVE-2006-1742, CVE-2006-0749,
  CVE-2006-1724, CVE-2006-1730, CVE-2006-1737, CVE-2006-1738,
  CVE-2006-1739, CVE-2006-1790, CVE-2006-1045

Thanks!


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)

iD8DBQFEUx2axou1V/j9XZwRAhS2AJ96lgMLDd8U9tOFJl3s4gsjprLxBQCeNYZp
DaP02Sivfxvnr2y4eUT0wGo=
=ESxA
-----END PGP SIGNATURE-----

Comment 2 Pekka Savola 2006-05-02 18:51:45 UTC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal [*]
 - no patch changes except OK removal.

[*] as this is the first time this package is being built in mock, please
make sure you run appropriate rpm-build-compare.sh (e.g., ldd) or similar stuff
on the
binaries to make sure all the buildrequires stuff that was in the previous
version was properly included.

+PUBLISH FC3

1aa9684f679b29eef1848d517a803c8606db1210  thunderbird-1.0.8-1.1.fc3.2.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFEV6vLGHbTkzxSL7QRAg+9AJ4z7P1mkbKeOa2BWStwPPa4pDxvDACgtazA
mMU7kFqGOZCeZKdqrJGFakg=
=ulPZ
-----END PGP SIGNATURE-----

Comment 3 David Eisenstein 2006-05-02 23:19:00 UTC

Thanks, Pekka!  :)

Comment 4 David Eisenstein 2006-05-15 08:06:07 UTC

Pekka, I wish to thank you very much for your advice to check the
rpm-build-compare.sh of the binary packages.  There were indeed many,
many missing BuildRequires.  I am building (what I hope is now) the last
incarnation of Mozilla Thunderbird so we can push it to updates-testing...

Thanks again!  I appreciate your eagle-eye and your sharp mind!

Comment 5 David Eisenstein 2006-05-17 13:44:54 UTC

Created attachment 129317 [details]
Proposed Test Update Notification for thunderbird-1.0.8

Enclosed is proposed updates-testing notification to go to fedora-legacy-list
once pkgs are signed with the Legacy key and their SHA1-sums have been
determined.  I believe the thunderbird packages are ready to be pushed to
updates-testing.

Current packages to look at (signed with my own key) are here:
SRPM:
http://turbosphere.fedoralegacy.org/logs/fedora-3-core/138-thunderbird-1.0.8-1.1.fc3.4.legacy/thunderbird-1.0.8-1.1.fc3.4.legacy.src.rpm


i386:
http://turbosphere.fedoralegacy.org/logs/fedora-3-core/138-thunderbird-1.0.8-1.1.fc3.4.legacy/i386/thunderbird-1.0.8-1.1.fc3.4.legacy.i386.rpm


x86_64:
http://turbosphere.fedoralegacy.org/logs/fedora-3-core/138-thunderbird-1.0.8-1.1.fc3.4.legacy/x86_64/thunderbird-1.0.8-1.1.fc3.4.legacy.x86_64.rpm


Thanks.

Comment 6 Marc Deslauriers 2006-05-26 01:49:03 UTC

Packages were pushed to updates-testing

Comment 7 Pekka Savola 2006-05-26 15:06:15 UTC

Timeout in 2 weeks.

Comment 8 David Eisenstein 2006-06-14 17:32:03 UTC

Timeout over.

Comment 9 David Eisenstein 2006-06-14 18:20:17 UTC

Created attachment 130899 [details]
Proposed Update advisory

Attached is a proposed update advisory for Thunderbird.

Comment 10 Marc Deslauriers 2006-06-30 13:40:21 UTC

Packages were released to updates.

Comment 11 David Eisenstein 2006-07-01 06:08:30 UTC

Thanks, Marc!  :)

Note You need to log in before you can comment on or make changes to this bug.