Heap-based buffer overflow in Mozilla Thunderbird before 2.0.0.12 and SeaMonkey before 1.1.8 might allow remote attackers to execute arbitrary code via a crafted external-body MIME type in an e-mail message, related to an incorrect memory allocation during message preview.

From Red Hat Security Advisory 2008:0105 :

Updated thunderbird packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

[Updated 27th February 2008] The erratum text has been updated to include the details of additional issues that were fixed by these erratum packages, but which were not public at the time of release. No changes have been made to the packages.

Mozilla Thunderbird is a standalone mail and newsgroup client.

A heap-based buffer overflow flaw was found in the way Thunderbird processed messages with external-body Multipurpose Internet Message Extensions (MIME) types. A HTML mail message containing malicious content could cause Thunderbird to execute arbitrary code as the user running Thunderbird. (CVE-2008-0304)

Several flaws were found in the way Thunderbird processed certain malformed HTML mail content. A HTML mail message containing malicious content could cause Thunderbird to crash, or potentially execute arbitrary code as the user running Thunderbird. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)

Several flaws were found in the way Thunderbird displayed malformed HTML mail content. A HTML mail message containing specially crafted content could trick a user into surrendering sensitive information.
(CVE-2008-0420, CVE-2008-0591, CVE-2008-0593)

A flaw was found in the way Thunderbird handles certain chrome URLs.
If a user has certain extensions installed, it could allow a malicious HTML mail message to steal sensitive session data. Note: this flaw does not affect a default installation of Thunderbird. (CVE-2008-0418)

Note: JavaScript support is disabled by default in Thunderbird; the above issues are not exploitable unless JavaScript is enabled.

A flaw was found in the way Thunderbird saves certain text files. If a remote site offers a file of type 'plain/text', rather than 'text/plain', Thunderbird will not show future 'text/plain' content to the user, forcing them to save those files locally to view the content. (CVE-2008-0592)

Users of thunderbird are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

From Red Hat Security Advisory 2008:0104 :

Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

Several flaws were found in the way SeaMonkey processed certain malformed web content. A webpage containing malicious content could cause SeaMonkey to crash, or potentially execute arbitrary code as the user running SeaMonkey. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)

Several flaws were found in the way SeaMonkey displayed malformed web content. A webpage containing specially crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)

A flaw was found in the way SeaMonkey stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417)

A flaw was found in the way SeaMonkey handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of SeaMonkey. (CVE-2008-0418)

A flaw was found in the way SeaMonkey saves certain text files. If a website offers a file of type 'plain/text', rather than 'text/plain', SeaMonkey will not show future 'text/plain' content to the user in the browser, forcing them to save those files locally to view the content.
(CVE-2008-0592)

Users of SeaMonkey are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

USN-582-1 fixed several vulnerabilities in Thunderbird. The upstream fixes were incomplete, and after performing certain actions Thunderbird would crash due to memory errors. This update fixes the problem.

We apologize for the inconvenience.

It was discovered that Thunderbird did not properly set the size of a buffer when parsing an external-body MIME-type. If a user were to open a specially crafted email, an attacker could cause a denial of service via application crash or possibly execute arbitrary code as the user.
(CVE-2008-0304)

Various flaws were discovered in Thunderbird and its JavaScript engine. By tricking a user into opening a malicious message, an attacker could execute arbitrary code with the user's privileges. (CVE-2008-0412, CVE-2008-0413)

Various flaws were discovered in the JavaScript engine. By tricking a user into opening a malicious message, an attacker could escalate privileges within Thunderbird, perform cross-site scripting attacks and/or execute arbitrary code with the user's privileges. (CVE-2008-0415)

Gerry Eisenhaur discovered that the chrome URI scheme did not properly guard against directory traversal. Under certain circumstances, an attacker may be able to load files or steal session data. Ubuntu is not vulnerable in the default installation. (CVE-2008-0418)

Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A number of security vulnerabilities have been discovered and corrected in the latest Mozilla Thunderbird program, version 2.0.0.12.

This update provides the latest Thunderbird to correct these issues.

Several remote vulnerabilities have been discovered in Iceape an unbranded version of the SeaMonkey internet suite. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-0016     Justin Schuh, Tom Cross and Peter Williams discovered a     buffer overflow in the parser for UTF-8 URLs, which may     lead to the execution of arbitrary code. (MFSA 2008-37)

  - CVE-2008-0304     It was discovered that a buffer overflow in MIME     decoding can lead to the execution of arbitrary code.
    (MFSA 2008-26)

  - CVE-2008-2785     It was discovered that missing boundary checks on a     reference counter for CSS objects can lead to the     execution of arbitrary code. (MFSA 2008-34)

  - CVE-2008-2798     Devon Hubbard, Jesse Ruderman and Martijn Wargers     discovered crashes in the layout engine, which might     allow the execution of arbitrary code. (MFSA 2008-21)

  - CVE-2008-2799     Igor Bukanov, Jesse Ruderman and Gary Kwong discovered     crashes in the JavaScript engine, which might allow the     execution of arbitrary code. (MFSA 2008-21)

  - CVE-2008-2800     'moz_bug_r_a4' discovered several cross-site scripting     vulnerabilities. (MFSA 2008-22)

  - CVE-2008-2801     Collin Jackson and Adam Barth discovered that JavaScript     code could be executed in the context or signed JAR     archives. (MFSA 2008-23)

  - CVE-2008-2802     'moz_bug_r_a4' discovered that XUL documements can     escalate privileges by accessing the pre-compiled     'fastload' file. (MFSA 2008-24)

  - CVE-2008-2803     'moz_bug_r_a4' discovered that missing input sanitising     in the mozIJSSubScriptLoader.loadSubScript() function     could lead to the execution of arbitrary code. Iceape     itself is not affected, but some addons are. (MFSA     2008-25)

  - CVE-2008-2805     Claudio Santambrogio discovered that missing access     validation in DOM parsing allows malicious websites to     force the browser to upload local files to the server,     which could lead to information disclosure. (MFSA     2008-27)

  - CVE-2008-2807     Daniel Glazman discovered that a programming error in     the code for parsing .properties files could lead to     memory content being exposed to addons, which could lead     to information disclosure. (MFSA 2008-29)

  - CVE-2008-2808     Masahiro Yamada discovered that file URLs in directory     listings were insufficiently escaped. (MFSA 2008-30)

  - CVE-2008-2809     John G. Myers, Frank Benkstein and Nils Toedtmann     discovered that alternate names on self-signed     certificates were handled insufficiently, which could     lead to spoofings of secure connections. (MFSA 2008-31)

  - CVE-2008-2810     It was discovered that URL shortcut files could be used     to bypass the same-origin restrictions. This issue does     not affect current Iceape, but might occur with     additional extensions installed. (MFSA 2008-32)

  - CVE-2008-2811     Greg McManus discovered a crash in the block reflow     code, which might allow the execution of arbitrary code.
    (MFSA 2008-33)

  - CVE-2008-2933     Billy Rios discovered that passing an URL containing a     pipe symbol to Iceape can lead to Chrome privilege     escalation. (MFSA 2008-35)

  - CVE-2008-3835     'moz_bug_r_a4' discovered that the same-origin check in     nsXMLDocument::OnChannelRedirect() could be bypassed.
    (MFSA 2008-38)

  - CVE-2008-3836     'moz_bug_r_a4' discovered that several vulnerabilities     in feedWriter could lead to Chrome privilege escalation.
    (MFSA 2008-39)

  - CVE-2008-3837     Paul Nickerson discovered that an attacker could move     windows during a mouse click, resulting in unwanted     action triggered by drag-and-drop. (MFSA 2008-40)

  - CVE-2008-4058     'moz_bug_r_a4' discovered a vulnerability which can     result in Chrome privilege escalation through     XPCNativeWrappers. (MFSA 2008-41)

  - CVE-2008-4059     'moz_bug_r_a4' discovered a vulnerability which can     result in Chrome privilege escalation through     XPCNativeWrappers. (MFSA 2008-41)

  - CVE-2008-4060     Olli Pettay and 'moz_bug_r_a4' discovered a Chrome     privilege escalation vulnerability in XSLT handling.
    (MFSA 2008-41)

  - CVE-2008-4061     Jesse Ruderman discovered a crash in the layout engine,     which might allow the execution of arbitrary code. (MFSA     2008-42)

  - CVE-2008-4062     Igor Bukanov, Philip Taylor, Georgi Guninski and Antoine     Labour discovered crashes in the JavaScript engine,     which might allow the execution of arbitrary code. (MFSA     2008-42)

  - CVE-2008-4065     Dave Reed discovered that some Unicode byte order marks     are stripped from JavaScript code before execution,     which can result in code being executed, which were     otherwise part of a quoted string. (MFSA 2008-43)

  - CVE-2008-4067     Boris Zbarsky discovered that resource: URLs allow     directory traversal when using URL-encoded slashes.
    (MFSA 2008-44)

  - CVE-2008-4068     Georgi Guninski discovered that resource: URLs could     bypass local access restrictions. (MFSA 2008-44)

  - CVE-2008-4069     Billy Hoffman discovered that the XBM decoder could     reveal uninitialised memory. (MFSA 2008-45)

  - CVE-2008-4070     It was discovered that a buffer overflow could be     triggered via a long header in a news article, which     could lead to arbitrary code execution. (MFSA 2008-46)

  - CVE-2008-5012     Georgi Guninski, Michal Zalewski and Chris Evan     discovered that the canvas element could be used to     bypass same-origin restrictions. (MFSA 2008-48)

  - CVE-2008-5013     It was discovered that insufficient checks in the Flash     plugin glue code could lead to arbitrary code execution.
    (MFSA 2008-49)

  - CVE-2008-5014     Jesse Ruderman discovered that a programming error in     the window.__proto__.__proto__ object could lead to     arbitrary code execution. (MFSA 2008-50)

  - CVE-2008-5017     It was discovered that crashes in the layout engine     could lead to arbitrary code execution. (MFSA 2008-52)

  - CVE-2008-0017     Justin Schuh discovered that a buffer overflow in     http-index-format parser could lead to arbitrary code     execution. (MFSA 2008-54)

  - CVE-2008-5021     It was discovered that a crash in the nsFrameManager     might lead to the execution of arbitrary code. (MFSA     2008-55)

  - CVE-2008-5022     'moz_bug_r_a4' discovered that the same-origin check in     nsXMLHttpRequest::NotifyEventListeners() could be     bypassed. (MFSA 2008-56)

  - CVE-2008-5024     Chris Evans discovered that quote characters were     improperly escaped in the default namespace of E4X     documents. (MFSA 2008-58)

  - CVE-2008-4582     Liu Die Yu discovered an information leak through local     shortcut files. (MFSA 2008-59)

  - CVE-2008-5500     Jesse Ruderman discovered that the layout engine is     vulnerable to DoS attacks that might trigger memory     corruption and an integer overflow. (MFSA 2008-60)

  - CVE-2008-5503     Boris Zbarsky discovered that an information disclosure     attack could be performed via XBL bindings. (MFSA     2008-61)

  - CVE-2008-5506     Marius Schilder discovered that it is possible to obtain     sensible data via a XMLHttpRequest. (MFSA 2008-64)

  - CVE-2008-5507     Chris Evans discovered that it is possible to obtain     sensible data via a JavaScript URL. (MFSA 2008-65)

  - CVE-2008-5508     Chip Salzenberg discovered possible phishing attacks via     URLs with leading whitespaces or control characters.
    (MFSA 2008-66)

  - CVE-2008-5511     It was discovered that it is possible to perform     cross-site scripting attacks via an XBL binding to an     'unloaded document.' (MFSA 2008-68)

  - CVE-2008-5512     It was discovered that it is possible to run arbitrary     JavaScript with chrome privileges via unknown vectors.
    (MFSA 2008-68)

Several remote vulnerabilities have been discovered in the Icedove mail client, an unbranded version of the Thunderbird client. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-0304     It was discovered that a buffer overflow in MIME     decoding can lead to the execution of arbitrary code.

  - CVE-2008-2785     It was discovered that missing boundary checks on a     reference counter for CSS objects can lead to the     execution of arbitrary code.

  - CVE-2008-2798     Devon Hubbard, Jesse Ruderman and Martijn Wargers     discovered crashes in the layout engine, which might     allow the execution of arbitrary code.

  - CVE-2008-2799     Igor Bukanov, Jesse Ruderman and Gary Kwong discovered     crashes in the JavaScript engine, which might allow the     execution of arbitrary code.

  - CVE-2008-2802     'moz_bug_r_a4' discovered that XUL documents can     escalate privileges by accessing the pre-compiled     'fastload' file.

  - CVE-2008-2803     'moz_bug_r_a4' discovered that missing input sanitising     in the mozIJSSubScriptLoader.loadSubScript() function     could lead to the execution of arbitrary code. Iceweasel     itself is not affected, but some addons are.

  - CVE-2008-2807     Daniel Glazman discovered that a programming error in     the code for parsing .properties files could lead to     memory content being exposed to addons, which could lead     to information disclosure.

  - CVE-2008-2809     John G. Myers, Frank Benkstein and Nils Toedtmann     discovered that alternate names on self-signed     certificates were handled insufficiently, which could     lead to spoofings secure connections.

  - CVE-2008-2811     Greg McManus discovered discovered a crash in the block     reflow code, which might allow the execution of     arbitrary code.

Various flaws were discovered in the browser engine. If a user had JavaScript enabled and were tricked into opening a malicious web page, an attacker could cause a denial of service via application crash, or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2798, CVE-2008-2799)

It was discovered that Thunderbird would allow non-privileged XUL documents to load chrome scripts from the fastload file if JavaScript was enabled. This could allow an attacker to execute arbitrary JavaScript code with chrome privileges. (CVE-2008-2802)

A flaw was discovered in Thunderbird that allowed overwriting trusted objects via mozIJSSubScriptLoader.loadSubScript(). If a user had JavaScript enabled and was tricked into opening a malicious web page, an attacker could execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2803)

Daniel Glazman found that an improperly encoded .properties file in an add-on can result in uninitialized memory being used. If a user were tricked into installing a malicious add-on, Thunderbird may be able to see data from other programs. (CVE-2008-2807)

John G. Myers discovered a weakness in the trust model used by Thunderbird regarding alternate names on self-signed certificates. If a user were tricked into accepting a certificate containing alternate name entries, an attacker could impersonate another server.
(CVE-2008-2809)

A vulnerability was discovered in the block reflow code of Thunderbird. If a user enabled JavaScript, this vulnerability could be used by an attacker to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2811)

A flaw was discovered in the browser engine. A variable could be made to overflow causing Thunderbird to crash. If a user enable JavaScript and was tricked into opening a malicious web page, an attacker could cause a denial of service or possibly execute arbitrary code with the privileges of the user invoking the program. (CVE-2008-2785)

Mozilla developers audited the MIME handling code looking for similar vulnerabilities to the previously fixed CVE-2008-0304, and changed several function calls to use safer versions of string routines.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200805-18 (Mozilla products: Multiple vulnerabilities)

    The following vulnerabilities were reported in all mentioned Mozilla     products:
    Jesse Ruderman, Kai Engert, Martijn Wargers, Mats Palmgren, and Paul     Nickerson reported browser crashes related to JavaScript methods,     possibly triggering memory corruption (CVE-2008-0412).
    Carsten Book, Wesley Garland, Igor Bukanov, moz_bug_r_a4, shutdown,     Philip Taylor, and tgirmann reported crashes in the JavaScript engine,     possibly triggering memory corruption (CVE-2008-0413).
    David Bloom discovered a vulnerability in the way images are treated by     the browser when a user leaves a page, possibly triggering memory     corruption (CVE-2008-0419).
    moz_bug_r_a4, Boris Zbarsky, and Johnny Stenback reported a series of     privilege escalation vulnerabilities related to JavaScript     (CVE-2008-1233, CVE-2008-1234, CVE-2008-1235).
    Mozilla developers identified browser crashes caused by the layout and     JavaScript engines, possibly triggering memory corruption     (CVE-2008-1236, CVE-2008-1237).
    moz_bug_r_a4 and Boris Zbarsky discovered that pages could escape from     its sandboxed context and run with chrome privileges, and inject script     content into another site, violating the browser's same origin policy     (CVE-2008-0415).
    Gerry Eisenhaur discovered a directory traversal vulnerability when     using 'flat' addons (CVE-2008-0418).
    Alexey Proskuryakov, Yosuke Hasegawa and Simon Montagu reported     multiple character handling flaws related to the backspace character,     the '0x80' character, involving zero-length non-ASCII sequences in     multiple character sets, that could facilitate Cross-Site Scripting     attacks (CVE-2008-0416).
    The following vulnerability was reported in Thunderbird and SeaMonkey:
    regenrecht (via iDefense) reported a heap-based buffer overflow when     rendering an email message with an external MIME body (CVE-2008-0304).
    The following vulnerabilities were reported in Firefox, SeaMonkey and     XULRunner:
    The fix for CVE-2008-1237 in Firefox 2.0.0.13     and SeaMonkey 1.1.9 introduced a new crash vulnerability     (CVE-2008-1380).
    hong and Gregory Fleischer each reported a     variant on earlier reported bugs regarding focus shifting in file input     controls (CVE-2008-0414).
    Gynvael Coldwind (Vexillium) discovered that BMP images could be used     to reveal uninitialized memory, and that this data could be extracted     using a 'canvas' feature (CVE-2008-0420).
    Chris Thomas reported that background tabs could create a borderless     XUL pop-up in front of pages in other tabs (CVE-2008-1241).
    oo.rio.oo discovered that a plain text file with a     'Content-Disposition: attachment' prevents Firefox from rendering     future plain text files within the browser (CVE-2008-0592).
    Martin Straka reported that the '.href' property of stylesheet DOM     nodes is modified to the final URI of a 302 redirect, bypassing the     same origin policy (CVE-2008-0593).
    Gregory Fleischer discovered that under certain circumstances, leading     characters from the hostname part of the 'Referer:' HTTP header are     removed (CVE-2008-1238).
    Peter Brodersen and Alexander Klink reported that the browser     automatically selected and sent a client certificate when SSL Client     Authentication is requested by a server (CVE-2007-4879).
    Gregory Fleischer reported that web content fetched via the 'jar:'     protocol was not subject to network access restrictions     (CVE-2008-1240).
    The following vulnerabilities were reported in Firefox:
    Justin Dolske discovered a CRLF injection vulnerability when storing     passwords (CVE-2008-0417).
    Michal Zalewski discovered that Firefox does not properly manage a     delay timer used in confirmation dialogs (CVE-2008-0591).
    Emil Ljungdahl and Lars-Olof Moilanen discovered that a web forgery     warning dialog is not displayed if the entire contents of a web page     are in a DIV tag that uses absolute positioning (CVE-2008-0594).
  Impact :

    A remote attacker could entice a user to view a specially crafted web     page or email that will trigger one of the vulnerabilities, possibly     leading to the execution of arbitrary code or a Denial of Service. It     is also possible for an attacker to trick a user to upload arbitrary     files when submitting a form, to corrupt saved passwords for other     sites, to steal login credentials, or to conduct Cross-Site Scripting     and Cross-Site Request Forgery attacks.
  Workaround :

    There is no known workaround at this time.

It was discovered that Thunderbird did not properly set the size of a buffer when parsing an external-body MIME-type. If a user were to open a specially crafted email, an attacker could cause a denial of service via application crash or possibly execute arbitrary code as the user.
(CVE-2008-0304)

Various flaws were discovered in Thunderbird and its JavaScript engine. By tricking a user into opening a malicious message, an attacker could execute arbitrary code with the user's privileges.
(CVE-2008-0412, CVE-2008-0413)

Various flaws were discovered in the JavaScript engine. By tricking a user into opening a malicious message, an attacker could escalate privileges within Thunderbird, perform cross-site scripting attacks and/or execute arbitrary code with the user's privileges.
(CVE-2008-0415)

Gerry Eisenhaur discovered that the chrome URI scheme did not properly guard against directory traversal. Under certain circumstances, an attacker may be able to load files or steal session data. Ubuntu is not vulnerable in the default installation. (CVE-2008-0418)

Flaws were discovered in the BMP decoder. By tricking a user into opening a specially crafted BMP file, an attacker could obtain sensitive information. (CVE-2008-0420).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New mozilla-thunderbird packages are available for Slackware 10.2, 11.0, 12.0, and -current to fix security issues.

Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the way Thunderbird processed certain malformed HTML mail content. A HTML mail message containing malicious content could cause Thunderbird to crash, or potentially execute arbitrary code as the user running Thunderbird. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419) Several flaws were found in the way Thunderbird displayed malformed HTML mail content. A HTML mail message containing specially crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593) A flaw was found in the way Thunderbird handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious HTML mail message to steal sensitive session data. Note: this flaw does not affect a default installation of Thunderbird. (CVE-2008-0418) Note: JavaScript support is disabled by default in Thunderbird; the above issues are not exploitable unless JavaScript is enabled. A flaw was found in the way Thunderbird saves certain text files. If a remote site offers a file of type 'plain/text', rather than 'text/plain', Thunderbird will not show future 'text/plain' content to the user, forcing them to save those files locally to view the content.
(CVE-2008-0592) Users of thunderbird are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The installed version of Thunderbird is affected by various security issues :

  - Several stability bugs exist leading to crashes which, in     some cases, show traces of memory corruption.

  - Several issues exist that allow scripts from page     content to escape from their sandboxed context and/or     run with chrome privileges, resulting in privilege     escalation, cross-site scripting, and/or remote code     execution.

  - A directory traversal vulnerability exist via the     'chrome:' URI.

  - A heap-based buffer overflow exists that can be     triggered when viewing an email with an external MIME     body.

  - Multiple cross-site scripting vulnerabilities     exist related to character encoding.

Updated thunderbird packages that fix several security issues are now available for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

[Updated 27th February 2008] The erratum text has been updated to include the details of additional issues that were fixed by these erratum packages, but which were not public at the time of release. No changes have been made to the packages.

Mozilla Thunderbird is a standalone mail and newsgroup client.

A heap-based buffer overflow flaw was found in the way Thunderbird processed messages with external-body Multipurpose Internet Message Extensions (MIME) types. A HTML mail message containing malicious content could cause Thunderbird to execute arbitrary code as the user running Thunderbird. (CVE-2008-0304)

Several flaws were found in the way Thunderbird processed certain malformed HTML mail content. A HTML mail message containing malicious content could cause Thunderbird to crash, or potentially execute arbitrary code as the user running Thunderbird. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)

Several flaws were found in the way Thunderbird displayed malformed HTML mail content. A HTML mail message containing specially crafted content could trick a user into surrendering sensitive information.
(CVE-2008-0420, CVE-2008-0591, CVE-2008-0593)

A flaw was found in the way Thunderbird handles certain chrome URLs.
If a user has certain extensions installed, it could allow a malicious HTML mail message to steal sensitive session data. Note: this flaw does not affect a default installation of Thunderbird. (CVE-2008-0418)

Note: JavaScript support is disabled by default in Thunderbird; the above issues are not exploitable unless JavaScript is enabled.

A flaw was found in the way Thunderbird saves certain text files. If a remote site offers a file of type 'plain/text', rather than 'text/plain', Thunderbird will not show future 'text/plain' content to the user, forcing them to save those files locally to view the content. (CVE-2008-0592)

Users of thunderbird are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

Updated SeaMonkey packages that fix several security issues are now available for Red Hat Enterprise Linux 2.1, 3, and 4.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

SeaMonkey is an open source Web browser, advanced email and newsgroup client, IRC chat client, and HTML editor.

Several flaws were found in the way SeaMonkey processed certain malformed web content. A webpage containing malicious content could cause SeaMonkey to crash, or potentially execute arbitrary code as the user running SeaMonkey. (CVE-2008-0412, CVE-2008-0413, CVE-2008-0415, CVE-2008-0419)

Several flaws were found in the way SeaMonkey displayed malformed web content. A webpage containing specially crafted content could trick a user into surrendering sensitive information. (CVE-2008-0591, CVE-2008-0593)

A flaw was found in the way SeaMonkey stored password data. If a user saves login information for a malicious website, it could be possible to corrupt the password database, preventing the user from properly accessing saved password data. (CVE-2008-0417)

A flaw was found in the way SeaMonkey handles certain chrome URLs. If a user has certain extensions installed, it could allow a malicious website to steal sensitive session data. Note: this flaw does not affect a default installation of SeaMonkey. (CVE-2008-0418)

A flaw was found in the way SeaMonkey saves certain text files. If a website offers a file of type 'plain/text', rather than 'text/plain', SeaMonkey will not show future 'text/plain' content to the user in the browser, forcing them to save those files locally to view the content.
(CVE-2008-0592)

Users of SeaMonkey are advised to upgrade to these updated packages, which contain backported patches to resolve these issues.

The installed version of Thunderbird is missing a critical patch. The vendor has released a patch that addresses a number of remote vulnerabilities. 

The installed version of SeaMonkey is affected by various security issues :

  - Several stability bugs leading to crashes which, in     some cases, show traces of memory corruption

  - Several file input focus stealing vulnerabilities     that could result in uploading of arbitrary files     provided their full path and file names are known.

  - Several issues that allow scripts from page content     to escape from their sandboxed context and/or run     with chrome privileges, resulting in privilege     escalation, XSS, and/or remote code execution.

  - A directory traversal vulnerability via the     'chrome:' URI.

  - A vulnerability involving 'designMode' frames that     may result in web browsing history and forward     navigation stealing.

  - An information disclosure issue in the BMP     decoder.

  - Mis-handling of locally-saved plaintext files.

  - Possible disclosure of sensitive URL parameters,     such as session tokens, via the .href property of     stylesheet DOM nodes reflecting the final URI of     the stylesheet after following any 302 redirects.

  - A heap-based buffer overflow that can be triggered     when viewing an email with an external MIME     body.

  - Multiple cross-site scripting vulnerabilities     related to character encoding.

ID	Name	Product	Family	Severity
67649	Oracle Linux 4 : thunderbird (ELSA-2008-0105)	Nessus	Oracle Linux Local Security Checks	high
67648	Oracle Linux 3 / 4 : seamonkey (ELSA-2008-0104)	Nessus	Oracle Linux Local Security Checks	high
65107	Ubuntu 6.06 LTS / 6.10 / 7.04 : mozilla-thunderbird (USN-582-2)	Nessus	Ubuntu Local Security Checks	high
37545	Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2008:062)	Nessus	Mandriva Local Security Checks	high
35314	Debian DSA-1697-1 : iceape - several vulnerabilities	Nessus	Debian Local Security Checks	critical
33741	Debian DSA-1621-1 : icedove - several vulnerabilities	Nessus	Debian Local Security Checks	critical
33587	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : mozilla-thunderbird, thunderbird vulnerabilities (USN-629-1)	Nessus	Ubuntu Local Security Checks	critical
32416	GLSA-200805-18 : Mozilla products: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
31341	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : mozilla-thunderbird, thunderbird vulnerabilities (USN-582-1)	Nessus	Ubuntu Local Security Checks	high
31323	Slackware 10.2 / 11.0 / 12.0 / current : mozilla-thunderbird (SSA:2008-061-01)	Nessus	Slackware Local Security Checks	high
31318	Fedora 7 : thunderbird-2.0.0.12-1.fc7 (2008-2118)	Nessus	Fedora Local Security Checks	high
31314	Fedora 8 : thunderbird-2.0.0.12-1.fc8 (2008-2060)	Nessus	Fedora Local Security Checks	high
31193	Mozilla Thunderbird < 2.0.0.12 Multiple Vulnerabilities	Nessus	Windows	high
30247	RHEL 4 / 5 : thunderbird (RHSA-2008:0105)	Nessus	Red Hat Local Security Checks	high
30246	RHEL 2.1 / 3 / 4 : seamonkey (RHSA-2008:0104)	Nessus	Red Hat Local Security Checks	high
30222	CentOS 4 / 5 : thunderbird (CESA-2008:0105)	Nessus	CentOS Local Security Checks	high
30221	CentOS 3 / 4 : seamonkey (CESA-2008:0104)	Nessus	CentOS Local Security Checks	high
4367	Mozilla Thunderbird < 2.0.0.12 Multiple Vulnerabilities	Nessus Network Monitor	SMTP Clients	high
30210	SeaMonkey < 1.1.8 Multiple Vulnerabilities	Nessus	Windows	high

Detections

Analytics

CVE-2008-0304

critical

Tenable Plugins

high

high

high

high

critical

critical

critical

high

high

high

high

high

high

high

high

high

high

high

high