GLSA-200507-17 : Mozilla Thunderbird: Multiple vulnerabilities

This script is Copyright (C) 2005-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200507-17
(Mozilla Thunderbird: Multiple vulnerabilities)

The following vulnerabilities were found and fixed in Mozilla
Thunderbird:

- 'moz_bug_r_a4' and 'shutdown' discovered that Thunderbird was
  improperly cloning base objects (MFSA 2005-56).
- 'moz_bug_r_a4' also reported that Thunderbird was overly trusting
  contents, allowing privilege escalation via property overrides
  (MFSA 2005-41, 2005-44), that it failed to validate XHTML DOM nodes
  properly (MFSA 2005-55), and that XBL scripts ran even when
  JavaScript is disabled (MFSA 2005-46).
- 'shutdown' discovered a possibly exploitable crash in
  InstallVersion.compareTo (MFSA 2005-50).
- Andreas Sandblad from Secunia reported that a child frame can call
  top.focus() even if the framing page comes from a different origin
  and has overridden the focus() routine (MFSA 2005-52).
- Georgi Guninski reported missing Install object instance checks in
  the native implementations of XPInstall-related JavaScript objects
  (MFSA 2005-40).
- Finally, Vladimir V. Perepelitsa discovered a memory disclosure bug
  in JavaScript's regular expression string replacement when using an
  anonymous function as the replacement argument (CAN-2005-0989 and
  MFSA 2005-33).

Impact :

A remote attacker could craft malicious email messages that would
leverage these issues to inject and execute arbitrary script code with
elevated privileges or help in stealing information.

Workaround :

There are no known workarounds for all the issues at this time.

See also :

http://www.nessus.org/u?92848d5a
http://www.gentoo.org/security/en/glsa/glsa-200507-17.xml

Solution :

All Mozilla Thunderbird users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=mail-client/mozilla-thunderbird-1.0.5'

All Mozilla Thunderbird binary users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=mail-client/mozilla-thunderbird-bin-1.0.5'

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 19222 (gentoo_GLSA-200507-17.nasl)

CVE ID: CVE-2005-0989