+++ This bug was initially created as a clone of Bug #230542 +++

The Mozilla project is releasing Thunderbird 1.5.0.10 to fix several flaws:

mfsa2007-01 impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0775 Jesse Ruderman, Martijn Wargers and Olli Pettay reported crashes in the layout engine.
CVE-2007-0777 Brian Crowder, Igor Bukanov, Johnny Stenback, moz_bug_r_a4 and shutdown reported potential memory corruption in the JavaScript engine.

mfsa2007-02 impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0995 The Mozilla parser formerly ignored invalid trailing characters in HTML tag attribute names. This could in some cases be abused to evade web sites' content filters that attempted to remove problematic attributes, such as event handlers, by matching against a regular expression that expected to find trailing whitespace or one of a small set of delimiters.
CVE-2007-0996 Stefan Esser demonstrated that this could be used for XSS attacks against sites that accept user content and do not specify the character set or encoding used.
CVE-2006-6077 MySpace users recently suffered a phishing attack where user-created content included a login form that appeared to be a normal MySpace login, but was altered to submit the data to an alternate site. Because the password form appeared on a MySpace page the Firefox password manager filled in the saved password, lending an air of legitimacy to the form.

mfsa2007-03 impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0778 Aad reported that two web pages can collide in the disk cache with the result that depending on order loaded the end of the longer document can be appended to the shorter when the shorter is reloaded from the cache. It is possible a determined hacker could construct a targeted attack to steal some sensitive data from a particular web page (for example, transaction history from a financial account). The potential victim would have to be already logged into the targeted service (or be fooled into doing so) and then visit the malicious site.

mfsa2007-04 impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0779 David Eckel reported that browser UI elements--such as the host name and security indicators--could be spoofed by using a large, mostly transparent, custom cursor and adjusting the CSS3 hotspot property so that the visible part of the cursor floated outside the browser content area.

mfsa2007-05 impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0780 shutdown reported that if you could convince a user to open a blocked popup you could perform a cross-site scripting attack against any site that contains a frame whose source is a data: URL.
CVE-2007-0800 Michal Zalewski reported that although pages loaded from the web normally cannot open windows containing local files, if you could convince a user to open a blocked popup then this restriction could be bypassed.

mfsa2007-06 impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0008 CVE-2007-0009 iDefense has informed Mozilla about two potential buffer overflow vulnerabilities found by researcher regenrecht in the Network Security Services (NSS) code for processing the SSLv2 protocol.

mfsa2007-07 impact=moderate,source=mozilla,reported=20070222,public=20070223
CVE-2007-0981 Michal Zalewski demonstrated that setting location.hostname to a value with embedded null characters can confuse the browser's domain checks. Setting the value triggers a load, but the networking software reads the hostname only up to the null character while other checks for "parent domain" start at the right and so can have a completely different idea of what the current host is.

mfsa2007-10 impact=moderate,source=mozilla,reported=20070222,public=20070302
Georgi Guninski discovered a potential integer overflow in the code that handles mail formatted as text/enhanced or text/richtext. This could in turn lead to a buffer overflow and potential code execution. To exploit this flaw a malicious mail message would have to include a line more than 400 megabytes long. Many mail systems have storage quotas and transport filters that would prevent a message of that size from reaching its destination, but should the message get through its size would provide more than sufficient space for a payload.
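The mfsa2007-02 entry (CVE-2007-0995) above describes why a content filter that strips attributes with a regular expression anchored on delimiters is fragile: the filter and the browser disagree about where an attribute name ends. The defensive alternative is to parse the markup, rebuild it from an allowlist of tags and attributes, and compare each parsed attribute name exactly rather than pattern-matching the raw text. The following sanitizer is an added example written for this report, not code from Mozilla or from any site's filter; the allowlist, the safe URL schemes and the sample fragment are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for a comment-style fragment (an assumption for this example).
ALLOWED_TAGS = {"p", "b", "i", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DISCARD_CONTENT = {"script", "style"}  # dropped together with their text content


class AllowlistSanitizer(HTMLParser):
    """Rebuild markup from parsed tokens; anything not on the allowlist is dropped or escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # audit trail of removed items, e.g. "script" or "a:onclick"
        self._discard = 0   # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DISCARD_CONTENT:
            self._discard += 1
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            # Exact comparison of the whole parsed name: the parser hands us the
            # complete token, so a name with any stray trailing byte is simply
            # not "href" and falls out without any delimiter-matching regex.
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}:{name}")
                continue
            value = value or ""
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"{tag}:{name}!scheme")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DISCARD_CONTENT:
            self._discard = max(0, self._discard - 1)
            return
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is always re-escaped on output, never copied through verbatim.
        if not self._discard:
            self.out.append(escape(data, quote=False))


def sanitize(fragment):
    """Return (clean_html, dropped_items) for an untrusted HTML fragment."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample input.
    sample = '<p>Hi <a href="http://example.com/" onclick="x()">there</a><script>y()</script></p>'
    clean, dropped = sanitize(sample)
    print(clean)    # <p>Hi <a href="http://example.com/">there</a></p>
    print(dropped)  # ['a:onclick', 'script']
```

Because the output is regenerated from parsed tokens, comments, processing instructions and unknown tags never reach the result, and the `dropped` list gives a reviewer a record of what the filter rejected instead of silently editing the raw string.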
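The mfsa2007-07 entry (CVE-2007-0981) above is a classic consistency bug: one consumer reads the hostname up to the first null byte, another reads it from the right end, so the two can disagree about which host is current. The fix pattern a defender wants is to canonicalise and validate the hostname once, rejecting nulls and anything outside DNS label syntax, before either consumer sees it. The code below is an added example for this report, not Mozilla's code; it models the two readers as small Python functions and the sample hostnames are constructed.

```python
import re

# One DNS label: 1-63 characters of [a-z0-9-], not starting or ending with "-" (the LDH rule).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def c_string_view(raw: str) -> str:
    """What a NUL-terminated consumer (such as a C networking layer) sees: text up to the first NUL."""
    return raw.split("\x00", 1)[0]


def right_anchored_parent_check(raw: str, parent: str) -> bool:
    """A 'parent domain' check that starts from the right end of the string, as the
    advisory describes; it never notices a NUL further to the left."""
    return raw == parent or raw.endswith("." + parent)


def divergent_views(raw: str, parent: str):
    """Return (host the network layer would use, whether the right-anchored check accepts it).
    For a clean hostname the two agree; for one with an embedded NUL they can disagree."""
    return c_string_view(raw), right_anchored_parent_check(raw, parent)


def canonical_host(raw: str) -> str:
    """Validate and normalise a hostname once, before any consumer reads it.
    Rejects NULs and anything else outside LDH label syntax, so every later
    check operates on exactly the same string."""
    if "\x00" in raw:
        raise ValueError("hostname contains an embedded NUL")
    host = raw.strip().lower().rstrip(".")
    if not host or len(host) > 253:
        raise ValueError("hostname empty or too long")
    for label in host.split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid label: {label!r}")
    return host


def is_valid_host(raw: str) -> bool:
    """Boolean wrapper around canonical_host for callers that prefer not to catch exceptions."""
    try:
        canonical_host(raw)
        return True
    except ValueError:
        return False


def is_same_or_subdomain(host: str, parent: str) -> bool:
    """Parent-domain check run only on canonicalised input, so a left-to-right reader
    and a right-to-left reader are guaranteed to be looking at the same hostname."""
    h, p = canonical_host(host), canonical_host(parent)
    return h == p or h.endswith("." + p)


if __name__ == "__main__":
    # Constructed inputs for illustration.
    print(divergent_views("www.example.com", "example.com"))               # ('www.example.com', True)
    print(divergent_views("other.test\x00.example.com", "example.com"))    # ('other.test', True)
    print(is_valid_host("other.test\x00.example.com"))                     # False
    print(is_same_or_subdomain("WWW.Example.com.", "example.com"))         # True
```

The point of `divergent_views` is purely diagnostic: it shows that the disagreement exists only when the input was never validated. Once `canonical_host` guards the entry point, there is a single representation and the question of which end a check reads from no longer matters.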
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0108.html