Ubuntu: Thunderbird vulnerabilities USN-647-1
===========================================================
Ubuntu Security Notice USN-647-1         September 26, 2008
mozilla-thunderbird, thunderbird vulnerabilities
CVE-2008-3835, CVE-2008-4058, CVE-2008-4059, CVE-2008-4060,
CVE-2008-4061, CVE-2008-4062, CVE-2008-4063, CVE-2008-4064,
CVE-2008-4065, CVE-2008-4066, CVE-2008-4067, CVE-2008-4068,
CVE-2008-4070
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.04
Ubuntu 7.10
Ubuntu 8.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  mozilla-thunderbird             1.5.0.13+1.5.0.15~prepatch080614g-0ubuntu0.6.06.1

Ubuntu 7.04:
  mozilla-thunderbird             1.5.0.13+1.5.0.15~prepatch080614g-0ubuntu0.7.04.1

Ubuntu 7.10:
  thunderbird                     2.0.0.17+nobinonly-0ubuntu0.7.10.1

Ubuntu 8.04 LTS:
  thunderbird                     2.0.0.17+nobinonly-0ubuntu0.8.04.1

After a standard system upgrade you need to restart Thunderbird to
effect the necessary changes.

Details follow:

It was discovered that the same-origin check in Thunderbird could be
bypassed. If a user had JavaScript enabled and were tricked into
opening a malicious website, an attacker may be able to execute
JavaScript in the context of a different website. (CVE-2008-3835)

Several problems were discovered in the browser engine of Thunderbird.
If a user had JavaScript enabled, this could allow an attacker to
execute code with chrome privileges. (CVE-2008-4058, CVE-2008-4059,
CVE-2008-4060)

Drew Yao, David Maciejak and other Mozilla developers found several
problems in the browser engine of Thunderbird. If a user had JavaScript
enabled and were tricked into opening a malicious web page, an attacker
could cause a denial of service or possibly execute arbitrary code with
the privileges of the user invoking the program. (CVE-2008-4061,
CVE-2008-4062, CVE-2008-4063, CVE-2008-4064)

Dave Reed discovered a flaw in the JavaScript parsing code when
processing certain BOM characters. An attacker could exploit this to
bypass script filters and perform cross-site scripting attacks if a
user had JavaScript enabled. (CVE-2008-4065)

Gareth Heyes discovered a flaw in the HTML parser of Thunderbird. If a
user had JavaScript enabled and were tricked into opening a malicious
web page, an attacker could bypass script filtering and perform
cross-site scripting attacks. (CVE-2008-4066)

Boris Zbarsky and Georgi Guninski independently discovered flaws in the
resource: protocol. An attacker could exploit this to perform directory
traversal, read information about the system, and prompt the user to
save information in a file. (CVE-2008-4067, CVE-2008-4068)

Georgi Guninski discovered that Thunderbird improperly handled
cancelled newsgroup messages. If a user opened a crafted newsgroup
message, an attacker could cause a buffer overrun and potentially
execute arbitrary code with the privileges of the user invoking the
program. (CVE-2008-4070)


Updated packages for Ubuntu 6.06 LTS:

  Source archives:

      Size/MD5:   457690 6d3b4e43ba967ab95fc6ad85fe595e12
      Size/MD5:     1688 9ed773039d32a90e73c6bd4e211f723e
      Size/MD5: 38029718 4ae446c58ccde45cb8f156b395968d2b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

      Size/MD5:  3593958 4f8eb1f994751de1541bd53c7b3f8236
      Size/MD5:   194972 9e89bd92215c471d5265d3866fdd8c52
      Size/MD5:    60218 b30948cbd58517559134ad18a0d7f95e
      Size/MD5: 12118598 f13001d92a989bc023fe16e3c02a0149

  i386 architecture (x86 compatible Intel/AMD):

      Size/MD5:  3587744 9058cf1a1de1fc9ca54052768c46b7a9
      Size/MD5:   188392 d3ffb66f5bd3621fff5c9b648e01566b
      Size/MD5:    55726 d3e7a142fc1d26727b54c4d0751d6feb
      Size/MD5: 10391350 2b669a1e53d80a023d42f0e5aa00abcb

  powerpc architecture (Apple Macintosh G3/G4/G5):

      Size/MD5:  3592892 65270c28e26302af25047b8524240d0f
      Size/MD5:   191696 96bb58a8aee5f4e5187a1785baf92707
      Size/MD5:    59376 fbd562af8142453c88ce1bd8fe2c5749
      Size/MD5: 11672836 ce1bcd19a1fa0a1004146034096d6944

  sparc architecture (Sun SPARC/UltraSPARC):

      Size/MD5:  3589568 820731692c8f9302538f38cefaeac3f9
      Size/MD5:   189140 dac62e9cab6dee27d9f71500b77db030
      Size/MD5:    57212 06bc96f9d4826515ffe1f6c2099399d3
      Size/MD5: 10866068 15aa61ac5c6a4ad04b802a8db9c3c50a

Updated packages for Ubuntu 7.04:

  Source archives:

      Size/MD5:   126911 8ea6b26003fc64eeb6266772629a06bb
      Size/MD5:     2260 6b480908f2478bea5c1c92ca70899da4
      Size/MD5: 38029718 4ae446c58ccde45cb8f156b395968d2b

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

      Size/MD5:  3594046 b179d32e1e4fb334af16c7c680562078
      Size/MD5:   195620 2d1d0135ce5e16313208743178b3e375
      Size/MD5:    60724 e6331e4bd6ba56c6299b395b206f058a
      Size/MD5: 12215314 9dd393ff33240485e361c4afce069ee6

  i386 architecture (x86 compatible Intel/AMD):

      Size/MD5:  3591778 b9c0987bf3fb49a829db450187058ffb
      Size/MD5:   190254 4ad088e82ed097ab26322d1d7a8c08b2
      Size/MD5:    57348 881b8d76656f5c206db67b0dbcc0bdc0
      Size/MD5: 10935830 cf0457713bd283f6fdf21a08191661c3

  powerpc architecture (Apple Macintosh G3/G4/G5):

      Size/MD5:  3595060 607544786663ca4365a4a15f08d17bc6
      Size/MD5:   193738 bef4987b005a61012a6d3891807529dd
      Size/MD5:    60716 1364ae8b4391257f689280d75093ec47
      Size/MD5: 12154624 1a051b08628cf992ac43f00ab5200753

  sparc architecture (Sun SPARC/UltraSPARC):

      Size/MD5:  3591080 437d27480cafbb8aa00563c2a4bd6534
      Size/MD5:   190082 6507d507a87bdccd42ba5fb3c507e5f8
      Size/MD5:    57790 dc866218dc88863fb3040262e928e0e8
      Size/MD5: 11163522 9c8107978e5bee0998527a612a7bdd01

Updated packages for Ubuntu 7.10:

  Source archives:

      Size/MD5:   125693 a74100031e75db6de34266b4599c463a
      Size/MD5:     2321 db7c9b3c79d8fa06d047864f19e80ad5
      Size/MD5: 37867495 28a872ebd677569f6f7e340f9a247f0e

  Architecture independent packages:

      Size/MD5:    60136 faf7e4834c6adb29da55b46a0539d195
      Size/MD5:    60120 1bcd9422bae0f739795bfda770019b28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

      Size/MD5:  3777582 abc4f04a77bfe002b59c5bc0d163bd66
      Size/MD5:    85302 b1e62bc9c1d417a70486e3bb9b29c5b4
      Size/MD5: 12427100 383709c0916344ff68f4f249dde26148

  i386 architecture (x86 compatible Intel/AMD):

      Size/MD5:  3765864 5d2c0b0edc36c9385c4685b5e5d55c9e
      Size/MD5:    80652 756e753fea709cb6e18c4bb5f546ea01
      Size/MD5: 10996250 09ef12544ed1bf67fe158a2924bb16fd

  lpia architecture (Low Power Intel Architecture):

      Size/MD5:  3763410 3ed2785a18d6bab7d011788e3272ff20
      Size/MD5:    80340 aff494deb2f9e0af8abb090c6ce706ce
      Size/MD5: 10833610 c055086b72752679c15534355ae9be9d

  powerpc architecture (Apple Macintosh G3/G4/G5):

      Size/MD5:  3781224 ffed854520ee045553dcdc54a839177b
      Size/MD5:    83682 69652a9d04debe2b37a46389a1ad4aac
      Size/MD5: 12272036 4aa9bea60b4d60d3bf99d71145c1b067

  sparc architecture (Sun SPARC/UltraSPARC):

      Size/MD5:  3763452 5ce7b29a1fdc99f4d1ca4f6a6cfe0899
      Size/MD5:    80068 23560fd6f7bd66dde0b5dcdcfcad7505
      Size/MD5: 11264638 8124ba427d9cde6eac0bca875cc794a3

Updated packages for Ubuntu 8.04 LTS:

  Source archives:

      Size/MD5:   129247 e95fcd549e87668b600192f2f3195f38
      Size/MD5:     2319 60a1b2f776937320cf4e7d50acc27139
      Size/MD5: 37867495 28a872ebd677569f6f7e340f9a247f0e

  Architecture independent packages:

      Size/MD5:    60438 e1843cd820549fee1bcd0e997114936c
      Size/MD5:    60420 98644c43ea64a3cfc2c545560e696510

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

      Size/MD5:  3778292 4181ea03dc4c8659765749cbba8b9762
      Size/MD5:    85326 e5e1e8b1bf39185e32e1a9dab2d5abe5
      Size/MD5: 12406704 3f337ee29d1e599892234c6498e7adeb

  i386 architecture (x86 compatible Intel/AMD):

      Size/MD5:  3766262 bc355ec8523a06281d8e7a39ebec5555
      Size/MD5:    80736 35a99547527b5833e4c597537c0a6735
      Size/MD5: 10980452 4f753d15f88aec49e0f5863800bd0f9f

  lpia architecture (Low Power Intel Architecture):

      Size/MD5:  3764020 b3d26cd80965e257e4286ac183050d4a
      Size/MD5:    80472 9cfedeebdb429441a86a10d1d3cb72fe
      Size/MD5: 10825106 d5840b4c610a85ce95c6db6ac5dda0a4

  powerpc architecture (Apple Macintosh G3/G4/G5):

      Size/MD5:  3782130 a573a11a88bea1659a35a41581ddfb56
      Size/MD5:    83724 b6d7bf90279f89083be54883f8642365
      Size/MD5: 12253850 83659b4e1b069bf705789552cfe2076c

  sparc architecture (Sun SPARC/UltraSPARC):

      Size/MD5:  3764312 5a529bff8198a3259b616dcd3ed7d25a
      Size/MD5:    80190 bdc98a74366eb558b4cb269f062d13dc
      Size/MD5: 11251876 f92509c8a34bf841a7ee67a1fdad176e