USN-329-1: Thunderbird vulnerabilities

29 July 2006

Thunderbird vulnerabilities

Releases

Details

Various flaws have been reported that allow an attacker to execute
arbitrary code with user privileges by tricking the user into opening
a malicious email containing JavaScript. Please note that JavaScript
is disabled by default for emails, and it is not recommended to enable
it. (CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805,
CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3810,
CVE-2006-3811, CVE-2006-3812)

A buffer overflow has been discovered in the handling of .vcard files.
By tricking a user into importing a malicious vcard into his contacts,
this could be exploited to execute arbitrary code with the user's
privileges. (CVE-2006-3084)

The "enigmail" plugin has been updated to work with the new
Thunderbird version.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 6.06
  • mozilla-thunderbird - 1.5.0.5-0ubuntu0.6.06
  • mozilla-thunderbird-enigmail - 2:0.94-0ubuntu4.2

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.

Please note that Thunderbird 1.0.8 in Ubuntu 5.10 and Ubuntu 5.04 are
also affected by these problems. Updates for these Ubuntu releases
will be delayed due to upstream dropping support for this Thunderbird
version. We strongly advise that you disable JavaScript to disable the
attack vectors for most vulnerabilities if you use one of these Ubuntu
versions.

Related notices

  • USN-327-1: firefox
  • USN-350-1: mozilla-thunderbird-locale-de, mozilla-thunderbird, mozilla-thunderbird-enigmail, mozilla-thunderbird-locale-it, mozilla-thunderbird-inspector, mozilla-thunderbird-typeaheadfind, mozilla-thunderbird-locale-ca, mozilla-thunderbird-locale-uk, mozilla-thunderbird-locale-pl, mozilla-thunderbird-locale-nl, mozilla-thunderbird-locale-fr
  • USN-361-1: mozilla-mailnews, libnss3, libnspr4, mozilla-browser, mozilla-psm