Ubuntu Security Notice USN-701-2 - Several flaws were discovered in the Thunderbird browser engine. Boris Zbarsky discovered that the same-origin check in Thunderbird could be bypassed by utilizing XBL-bindings. Marius Schilder discovered that Thunderbird did not properly handle redirects to an outside domain when an XMLHttpRequest was made to a same-origin resource. Chris Evans discovered that Thunderbird did not properly protect a user's data when accessing a same-domain Javascript URL that is redirected to an unparsable Javascript off-site resource. Chip Salzenberg, Justin Schuh, Tom Cross, and Peter William discovered Thunderbird did not properly parse URLs when processing certain control characters. Several flaws were discovered in the Javascript engine.
b6cca8b4a0ada9843a17cd60ca12f09f4ce7f003175d38b562b60e18b3b1077d===========================================================
Ubuntu Security Notice USN-701-2 January 06, 2009
mozilla-thunderbird vulnerabilities
CVE-2008-5500, CVE-2008-5503, CVE-2008-5506, CVE-2008-5507,
CVE-2008-5508, CVE-2008-5511, CVE-2008-5512
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 6.06 LTS
This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.
The problem can be corrected by upgrading your system to the
following package versions:
Ubuntu 6.06 LTS:
mozilla-thunderbird 1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1
After a standard system upgrade you need to restart Thunderbird to effect
the necessary changes.
Details follow:
Several flaws were discovered in the browser engine. If a user had Javascript
enabled, these problems could allow an attacker to crash Thunderbird and
possibly execute arbitrary code with user privileges. (CVE-2008-5500)
Boris Zbarsky discovered that the same-origin check in Thunderbird could be
bypassed by utilizing XBL-bindings. If a user had Javascript enabled, an
attacker could exploit this to read data from other domains. (CVE-2008-5503)
Marius Schilder discovered that Thunderbird did not properly handle redirects
to an outside domain when an XMLHttpRequest was made to a same-origin resource.
When Javascript is enabled, it's possible that sensitive information could be
revealed in the XMLHttpRequest response. (CVE-2008-5506)
Chris Evans discovered that Thunderbird did not properly protect a user's data
when accessing a same-domain Javascript URL that is redirected to an unparsable
Javascript off-site resource. If a user were tricked into opening a malicious
website and had Javascript enabled, an attacker may be able to steal a limited
amount of private data. (CVE-2008-5507)
Chip Salzenberg, Justin Schuh, Tom Cross, and Peter William discovered
Thunderbird did not properly parse URLs when processing certain control
characters. (CVE-2008-5508)
Several flaws were discovered in the Javascript engine. If a user were tricked
into opening a malicious website and had Javascript enabled, an attacker could
exploit this to execute arbitrary Javascript code within the context of another
website or with chrome privileges. (CVE-2008-5511, CVE-2008-5512)
Updated packages for Ubuntu 6.06 LTS:
Source archives:
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1.diff.gz
Size/MD5: 457871 6708c462f15f2f2a6baff4e29c89f30a
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1.dsc
Size/MD5: 1050 afa2249f6dc30aab41be123a9dc4ee37
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i.orig.tar.gz
Size/MD5: 38496066 4cfc246095c4d0aed823957286b3d78e
amd64 architecture (Athlon64, Opteron, EM64T Xeon):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 3594116 be08ab02c9d79056d6633df8204ac697
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 195036 3388af5706c609fd857af0b4c83baaaf
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 60284 e48244b6f33777de63390a186f00a587
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_amd64.deb
Size/MD5: 12121434 1874cff31d6f97f46d44b7912d8a209e
i386 architecture (x86 compatible Intel/AMD):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_i386.deb
Size/MD5: 3587984 87ca4cd810a3aef5f0031f87fe2b4093
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_i386.deb
Size/MD5: 188476 6067997901bf2298f86f154ed75605de
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_i386.deb
Size/MD5: 55808 9223b79d4b57a4288723fb9247f09016
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_i386.deb
Size/MD5: 10391474 2dae030db3d78d5eeea2d2b262017083
powerpc architecture (Apple Macintosh G3/G4/G5):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 3593172 2ca154973ea6df8fb00cac0f50e791a8
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 191762 81d133d1bfeb70d377692fd49d5ea9c1
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 59440 bbc9361554b79c69d08ac62b79508199
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_powerpc.deb
Size/MD5: 11676430 300ce0fabdf9530f0a4a748755deb9be
sparc architecture (Sun SPARC/UltraSPARC):
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-dev_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 3589802 4851d549ab3f7b89eb130435941b145a
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-inspector_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 189224 6f81dcb50c903107106edf511564f82b
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird-typeaheadfind_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 57298 06ba7f5f613f0d28457ac9c89366e4a5
http://security.ubuntu.com/ubuntu/pool/main/m/mozilla-thunderbird/mozilla-thunderbird_1.5.0.13+1.5.0.15~prepatch080614i-0ubuntu0.6.06.1_sparc.deb
Size/MD5: 10869132 496a8efbcdbdf4e709c58aa4101d2d62
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed