=========================================================== Ubuntu Security Notice USN-297-1 June 13, 2006 mozilla-thunderbird vulnerabilities CVE-2006-2775, CVE-2006-2776, CVE-2006-2778, CVE-2006-2779, CVE-2006-2780, CVE-2006-2781, CVE-2006-2783, CVE-2006-2786, CVE-2006-2787 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 6.06 LTS This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 6.06 LTS: mozilla-thunderbird 1.5.0.4-0ubuntu6.06 mozilla-thunderbird-enigmail 2:0.94-0ubuntu4.1 After a standard system upgrade you need to restart Thunderbird to effect the necessary changes. Please note that Thunderbird 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 are also affected by these problems. Updates for these Ubuntu releases will be delayed due to upstream dropping support for this Thunderbird version. We strongly advise that you disable JavaScript to disable the attack vectors for most vulnerabilities if you use one of these Ubuntu versions. Details follow: Jonas Sicking discovered that under some circumstances persisted XUL attributes are associated with the wrong URL. A malicious web site could exploit this to execute arbitrary code with the privileges of the user. (MFSA 2006-35, CVE-2006-2775) Paul Nickerson discovered that content-defined setters on an object prototype were getting called by privileged UI code. It was demonstrated that this could be exploited to run arbitrary web script with full user privileges (MFSA 2006-37, CVE-2006-2776). Mikolaj Habryn discovered a buffer overflow in the crypto.signText() function. By sending an email with malicious JavaScript to an user, and that user enabled JavaScript in Thunderbird (which is not the default and not recommended), this could potentially be exploited to execute arbitrary code with the user's privileges. (MFSA 2006-38, CVE-2006-2778) The Mozilla developer team discovered several bugs that lead to crashes with memory corruption. These might be exploitable by malicious web sites to execute arbitrary code with the privileges of the user. (MFSA 2006-32, CVE-2006-2779, CVE-2006-2780) Masatoshi Kimura discovered a memory corruption (double-free) when processing a large VCard with invalid base64 characters in it. By sending a maliciously crafted set of VCards to a user, this could potentially be exploited to execute arbitrary code with the user's privileges. (MFSA 2006-40, CVE-2006-2781) Masatoshi Kimura found a way to bypass web input sanitizers which filter out JavaScript. By inserting 'Unicode Byte-order-Mark (BOM)' characters into the HTML code (e. g. ''), these filters might not recognize the tags anymore; however, Thunderbird would still execute them since BOM markers are filtered out before processing a mail containing JavaScript. (MFSA 2006-42, CVE-2006-2783) Kazuho Oku discovered various ways to perform HTTP response smuggling when used with certain proxy servers. Due to different interpretation of nonstandard HTTP headers in Thunderbird and the proxy server, a malicious HTML email can exploit this to send back two responses to one request. The second response could be used to steal login cookies or other sensitive data from another opened web site. (MFSA 2006-33, CVE-2006-2786) It was discovered that JavaScript run via EvalInSandbox() can escape the sandbox. Malicious scripts received in emails containing JavaScript could use these privileges to execute arbitrary code with the user's privileges. (MFSA 2006-31, CVE-2006-2787) The "enigmail" plugin has been updated to work with the new Thunderbird version. Updated packages for Ubuntu 6.06 LTS: Source archives: http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.4-0ubuntu6.06.diff.gz Size/MD5: 454199 909966693eff8a078ba864ad117ce739 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.4-0ubuntu6.06.dsc Size/MD5: 958 e4f852b4bab77b9623cc341c20bc09d9 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.4.orig.tar.gz Size/MD5: 35231284 243305d4d6723a45fcb1028caa3abca6 http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.94-0ubuntu4.1.diff.gz Size/MD5: 20665 cdfe87eb65540f718072e34e02934992 http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.94-0ubuntu4.1.dsc Size/MD5: 782 8fb6b5df3c43f49a66ccf53ba5668b30 http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/enigmail_0.94.orig.tar.gz Size/MD5: 3126659 7e34cbe51f5a1faca2e26fa0edfd6a06 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.4-0ubuntu6.06_amd64.deb Size/MD5: 3524682 33dc00f09c6696c30931de5d6ac3c0a4 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.4-0ubuntu6.06_amd64.deb Size/MD5: 193242 b8590336a65d0291a23f867b82b26c3f http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.4-0ubuntu6.06_amd64.deb Size/MD5: 58462 b01403276bf1092b1ccf0cad7baa72f9 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.4-0ubuntu6.06_amd64.deb Size/MD5: 11962546 0ddac2ea690038906b1ffcd6344b7f39 http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.94-0ubuntu4.1_amd64.deb Size/MD5: 335026 b1b887ea96c5e241bbe5467ff496afbc i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.4-0ubuntu6.06_i386.deb Size/MD5: 3516762 0d23ea5ccb664172eae44f152e68ccea http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.4-0ubuntu6.06_i386.deb Size/MD5: 186610 53006a42e988e1f6094c3205a94a70ec http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.4-0ubuntu6.06_i386.deb Size/MD5: 53966 d30216cff318235c7111983113c55f0e http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.4-0ubuntu6.06_i386.deb Size/MD5: 10269436 515e159ef36b150458d9fe96a839fab1 http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.94-0ubuntu4.1_i386.deb Size/MD5: 322588 8f6e39daed993d2f8aec8fd50878847d powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.4-0ubuntu6.06_powerpc.deb Size/MD5: 3521642 e1ac4e93a87b4ddaa6176da12c927884 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.4-0ubuntu6.06_powerpc.deb Size/MD5: 189958 6eae0743502e13782001bc3979388e83 http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.4-0ubuntu6.06_powerpc.deb Size/MD5: 57556 660594aff823a3a77abeb2ee87693c4c http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.4-0ubuntu6.06_powerpc.deb Size/MD5: 11536352 128dbafe11cebc0b64233272e351be9c http://security.ubuntu.com/ubuntu/pool/main/e/enigmail/mozilla-thunderbird-enigmail_0.94-0ubuntu4.1_powerpc.deb Size/MD5: 326082 5f737efbb2625db219376e7ade40a731