USN-276-1: Thunderbird vulnerabilities
03 May 2006
declare some temporary variables. Under some rare circumstances, a
arbitrary code with the privileges of the user. (CVE-2006-0292,
The function XULDocument.persist() did not sufficiently validate the
names of attributes. An attacker could exploit this to inject
arbitrary XML code into the file 'localstore.rdf', which is read and
would be run with the user's privileges. (CVE-2006-0296)
Due to a flaw in the HTML tag parser a specific sequence of HTML tags
caused memory corruption. A malicious HTML email could exploit this to
crash the browser or even execute arbitrary code with the user's
An invalid ordering of table-related tags caused Thunderbird to use a
negative array index. A malicious HTML email could exploit this to
execute arbitrary code with the privileges of the user.
Georgi Guninski discovered that forwarding mail in-line while using
the email message. Forwarding mail in-line is not the default setting
but it is easily accessed through the "Forward As" menu item.
As a privacy measure to prevent senders (primarily spammers) from
tracking when email is read Thunderbird does not load remote content
referenced from an HTML mail message until a user tells it to do so.
This normally includes the content of frames and CSS files. It was
discovered that it was possible to bypass this restriction by
indirectly including remote content through an intermediate inline CSS
script or frame. (CVE-2006-1045)
Georgi Guninski discovered that embedded XBL scripts could escalate
their (normally reduced) privileges to get full privileges of the user
if the email is viewed with "Print Preview". (CVE-2006-1727)
The crypto.generateCRMFRequest() function had a flaw which could be
exploited to run arbitrary code with the user's privileges.
An integer overflow was detected in the handling of the CSS property
"letter-spacing". A malicious HTML email could exploit this to run
arbitrary code with the user's privileges. (CVE-2006-1730)
The methods valueOf.call() and .valueOf.apply() returned an object
whose privileges were not properly confined to those of the caller,
which made them vulnerable to cross-site scripting attacks. A
modify the contents or steal confidential data (such as passwords)
from other opened web pages. (CVE-2006-1731) The window.controllers
array variable (CVE-2006-1732) and event handlers (CVE-2006-1741) were
vulnerable to a similar attack.
The privileged built-in XBL bindings were not fully protected from web
content and could be accessed by calling valueOf.call() and
valueOf.apply() on a method of that binding. A malicious email could
It was possible to use the Object.watch() method to access an internal
function object (the "clone parent"). A malicious email containing
user's privileges. (CVE-2006-1734)
By calling the XBL.method.eval() method in a special way it was
the wrong privileges. A malicious email could exploit this to execute
Several crashes have been fixed which could be triggered by specially
crafted HTML content and involve memory corruption. These could
potentially be exploited to execute arbitrary code with the user's
privileges. (CVE-2006-1737, CVE-2006-1738, CVE-2006-1739,
The "enigmail" plugin has been updated to work with the new
Thunderbird and Mozilla versions.
The problem can be corrected by updating your system to the following package versions:
In general, a standard system update will make all the necessary changes.