USN-276-1: Thunderbird vulnerabilities

3 May 2006

Thunderbird vulnerabilities

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Details

Igor Bukanov discovered that the JavaScript engine did not properly
declare some temporary variables. Under some rare circumstances, a
malicious mail with embedded JavaScript could exploit this to execute
arbitrary code with the privileges of the user. (CVE-2006-0292,
CVE-2006-1742)

The function XULDocument.persist() did not sufficiently validate the
names of attributes. An attacker could exploit this to inject
arbitrary XML code into the file 'localstore.rdf', which is read and
evaluated at startup. This could include JavaScript commands that
would be run with the user's privileges. (CVE-2006-0296)

Due to a flaw in the HTML tag parser a specific sequence of HTML tags
caused memory corruption. A malicious HTML email could exploit this to
crash the browser or even execute arbitrary code with the user's
privileges. (CVE-2006-0748)

An invalid ordering of table-related tags caused Thunderbird to use a
negative array index. A malicious HTML email could exploit this to
execute arbitrary code with the privileges of the user.
(CVE-2006-0749)

Georgi Guninski discovered that forwarding mail in-line while using
the default HTML "rich mail" editor executed JavaScript embedded in
the email message. Forwarding mail in-line is not the default setting
but it is easily accessed through the "Forward As" menu item.
(CVE-2006-0884)

As a privacy measure to prevent senders (primarily spammers) from
tracking when email is read Thunderbird does not load remote content
referenced from an HTML mail message until a user tells it to do so.
This normally includes the content of frames and CSS files. It was
discovered that it was possible to bypass this restriction by
indirectly including remote content through an intermediate inline CSS
script or frame. (CVE-2006-1045)

Georgi Guninski discovered that embedded XBL scripts could escalate
their (normally reduced) privileges to get full privileges of the user
if the email is viewed with "Print Preview". (CVE-2006-1727)

The crypto.generateCRMFRequest() function had a flaw which could be
exploited to run arbitrary code with the user's privileges.
(CVE-2006-1728)

An integer overflow was detected in the handling of the CSS property
"letter-spacing". A malicious HTML email could exploit this to run
arbitrary code with the user's privileges. (CVE-2006-1730)

The methods valueOf.call() and .valueOf.apply() returned an object
whose privileges were not properly confined to those of the caller,
which made them vulnerable to cross-site scripting attacks. A
malicious email with embedded JavaScript code could exploit this to
modify the contents or steal confidential data (such as passwords)
from other opened web pages. (CVE-2006-1731) The window.controllers
array variable (CVE-2006-1732) and event handlers (CVE-2006-1741) were
vulnerable to a similar attack.

The privileged built-in XBL bindings were not fully protected from web
content and could be accessed by calling valueOf.call() and
valueOf.apply() on a method of that binding. A malicious email could
exploit this to run arbitrary JavaScript code with the user's
privileges. (CVE-2006-1733)

It was possible to use the Object.watch() method to access an internal
function object (the "clone parent"). A malicious email containing
JavaScript code could exploit this to execute arbitrary code with the
user's privileges. (CVE-2006-1734)

By calling the XBL.method.eval() method in a special way it was
possible to create JavaScript functions that would get compiled with
the wrong privileges. A malicious email could exploit this to execute
arbitrary JavaScript code with the user's privileges. (CVE-2006-1735)

Several crashes have been fixed which could be triggered by specially
crafted HTML content and involve memory corruption. These could
potentially be exploited to execute arbitrary code with the user's
privileges. (CVE-2006-1737, CVE-2006-1738, CVE-2006-1739,
CVE-2006-1790)

The "enigmail" plugin has been updated to work with the new
Thunderbird and Mozilla versions.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 5.10
  • mozilla-thunderbird -
Ubuntu 5.04
  • mozilla-thunderbird -

In general, a standard system update will make all the necessary changes.

Related notices