+++ This bug was initially created as a clone of Bug #196973 +++

These issues will remain unfixed in Thunderbird until we upgrade to Thunderbird 1.5. They are not additional issues, simply problems which are fixed as part of the upgrade.

CVE-2006-2777 MFSA 2006-43
CVE-2006-2776 MFSA 2006-37
CVE-2006-2784 MFSA 2006-36
CVE-2006-2785 MFSA 2006-34
CVE-2006-2787 MFSA 2006-31
Several flaws were found in the way Thunderbird processes certain javascript actions. A malicious HTML mail could execute arbitrary javascript instructions with the permissions of "chrome", allowing the mail to steal sensitive information or install client malware. Please note that javascript is disabled by default in Thunderbird.

CVE-2006-2783 MFSA 2006-42
A cross site scripting flaw was found in the way Thunderbird processes Unicode Byte-order-Mark (BOM) markers in UTF-8 HTML email. A malicious HTML mail message could execute a script within the browser that a web input sanitizer could miss due to a malformed "script" tag.

CVE-2006-2782 MFSA 2006-41
A form file upload flaw was found in the way Thunderbird handles javascript input object mutation. A malicious HTML mail message could upload an arbitrary local file at form submission time without user interaction.

CVE-2006-2778 MFSA 2006-38
A denial of service flaw was found in the way Thunderbird calls the crypto.signText() javascript function. A malicious HTML mail message could crash the mail client if the victim had a client certificate loaded.

CVE-2006-2786 MFSA 2006-33
Two HTTP response smuggling flaws were found in the way Thunderbird processes certain invalid HTTP response headers. A malicious web server could return specially crafted HTTP response headers which may bypass HTTP proxy restrictions.

CVE-2006-2788
A double free flaw was found in the way the nsIX509::getRawDER method is called. If a victim views a carefully crafted HTML mail it is possible to execute arbitrary code as the user running Mozilla. (CVE-2006-2788)

These additional issues are being tracked via this bug

Text stolen from MITRE:

CVE-2006-2781
Double-free vulnerability in Mozilla Thunderbird before 1.5.0.4 and SeaMonkey before 1.0.2 allows remote attackers to cause a denial of service (hang) and possibly execute arbitrary code via a VCard that contains invalid base64 characters.

CVE-2006-2779
Mozilla Firefox and Thunderbird before 1.5.0.4 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) nested <option> tags in a select tag, (2) a DOMNodeRemoved mutation event, (3) "Content-implemented tree views," (4) BoxObjects, (5) the XBL implementation, (6) an iframe that attempts to remove itself, which leads to memory corruption.

-- Additional comment from bressers on 2006-07-12 10:54 EST --

CVE-2006-2780
Integer overflow in Mozilla Firefox and Thunderbird before 1.5.0.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via "jsstr tagify," which leads to memory corruption.

CVE-2006-2777 is now being tracked via bug 198934

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2006-0611.html