|
|
| Problem Description |
Updated Mozilla Thunderbird packages fix various vulnerabilities:
The run-mozilla.sh script, with debugging enabled, would allow local
users to create or overwrite arbitrary files via a symlink attack on
temporary files (CAN-2005-2353).
A bug in the way Thunderbird processes XBM images could be used to
execute arbitrary code via a specially crafted XBM image file
(CAN-2005-2701).
A bug in the way Thunderbird handles certain Unicode sequences could be
used to execute arbitrary code via viewing a specially crafted Unicode
sequence (CAN-2005-2702).
A bug in the way Thunderbird makes XMLHttp requests could be abused by
a malicious web page to exploit other proxy or server flaws from the
victim's machine; however, the default behaviour of the browser is to
disallow this (CAN-2005-2703).
A bug in the way Thunderbird implemented its XBL interface could be
abused by a malicious web page to create an XBL binding in such a way
as to allow arbitrary JavaScript execution with chrome permissions
(CAN-2005-2704).
An integer overflow in Thunderbird's JavaScript engine could be
manipulated in certain conditions to allow a malicious web page to
execute arbitrary code (CAN-2005-2705).
A bug in the way Thunderbird displays about: pages could be used to
execute JavaScript with chrome privileges (CAN-2005-2706).
A bug in the way Thunderbird opens new windows could be used by a
malicious web page to construct a new window without any user interface
elements (such as address bar and status bar) that could be used to
potentially mislead the user (CAN-2005-2707).
A bug in the way Thunderbird proceesed URLs on the command line could
be used to execute arbitary commands as the user running Thunderbird;
this could be abused by clicking on a supplied link, such as from an
instant messaging client (CAN-2005-2968).
Tom Ferris reported that Thunderbird would crash when processing a
domain name consisting solely of soft-hyphen characters due to a heap
overflow when IDN processing results in an empty string after removing
non-wrapping chracters, such as soft-hyphens. This could be exploited
to run or or install malware on the user's computer (CAN-2005-2871).
The updated packages have been patched to correct these issues.
| Updated Packages |
Mandriva Linux LE2005
f409c24fe8d4f732a99fff51f9223191 10.2/RPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.i586.rpm 18250e4ac4d580a595eaeb16fd3b0171 10.2/RPMS/mozilla-thunderbird-devel-1.0.2-5.1.102mdk.i586.rpm cbfb90b65746b4fbc0848ddbd01395bf 10.2/RPMS/mozilla-thunderbird-enigmail-1.0.2-5.1.102mdk.i586.rpm aa450bd7d1b82425eeef6506f90f5fb4 10.2/RPMS/mozilla-thunderbird-enigmime-1.0.2-5.1.102mdk.i586.rpm 5320178037176424f209415c3862d014 10.2/SRPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.src.rpm
Mandriva Linux LE2005/X86_64
07fa1df593b92831b9f6d1a32b0b3362 x86_64/10.2/RPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.x86_64.rpm ca26795c32146dd1ace798189588029f x86_64/10.2/RPMS/mozilla-thunderbird-devel-1.0.2-5.1.102mdk.x86_64.rpm 7757608ffe4e89d285bc001bdc8851cb x86_64/10.2/RPMS/mozilla-thunderbird-enigmail-1.0.2-5.1.102mdk.x86_64.rpm 8c386f18a449d78d3917dca387624933 x86_64/10.2/RPMS/mozilla-thunderbird-enigmime-1.0.2-5.1.102mdk.x86_64.rpm 5320178037176424f209415c3862d014 x86_64/10.2/SRPMS/mozilla-thunderbird-1.0.2-5.1.102mdk.src.rpm
Mandriva Linux 2006
af3330f345b3b92307550a57fb7efa80 2006.0/RPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.i586.rpm 9ad77bad0b6c6033e063ed21a8a2cb0b 2006.0/RPMS/mozilla-thunderbird-enigmail-1.0.6-7.1.20060mdk.i586.rpm 141909e4e4676c0c8a5525a3e3eb921d 2006.0/RPMS/mozilla-thunderbird-enigmime-1.0.6-7.1.20060mdk.i586.rpm b1db5880eb9ac8792a2f25e547343607 2006.0/SRPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.src.rpm
Mandriva Linux 2006/X86_64
b7e7527e98969ff677e2caf013a84ab7 x86_64/2006.0/RPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.x86_64.rpm 87ca5eace6c6823cda7efac54ffe5945 x86_64/2006.0/RPMS/mozilla-thunderbird-enigmail-1.0.6-7.1.20060mdk.x86_64.rpm 8305e439803991791ca1aff020877274 x86_64/2006.0/RPMS/mozilla-thunderbird-enigmime-1.0.6-7.1.20060mdk.x86_64.rpm b1db5880eb9ac8792a2f25e547343607 x86_64/2006.0/SRPMS/mozilla-thunderbird-1.0.6-7.1.20060mdk.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2701
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2702
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2703
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2968
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2871
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2353
http://www.mozilla.org/security/announce/mfsa2005-59.html
http://www.mozilla.org/security/announce/mfsa2005-58.html
http://www.mozilla.org/security/announce/mfsa2005-57.html
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.