GLSA-200703-18 : Mozilla Thunderbird: Multiple vulnerabilities

high Nessus Plugin ID 24867

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200703-18 (Mozilla Thunderbird: Multiple vulnerabilities)

Georgi Guninski reported a possible integer overflow in the code handling text/enhanced or text/richtext MIME emails. Various researchers also reported errors in the JavaScript engine potentially leading to memory corruption. In addition, the binary version of Mozilla Thunderbird includes a vulnerable NSS library which contains two possible buffer overflows involving the SSLv2 protocol.

Impact :

An attacker could entice a user to read a specially crafted email that could trigger one of the vulnerabilities, some of them being related to Mozilla Thunderbird's handling of JavaScript, possibly leading to the execution of arbitrary code.

Workaround :

There is no known workaround at this time for all of these issues, but some of them can be avoided by disabling JavaScript. Note that the execution of JavaScript is disabled by default and enabling it is strongly discouraged.

Solution

All Mozilla Thunderbird users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-client/mozilla-thunderbird-1.5.0.10'

All Mozilla Thunderbird binary users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-client/mozilla-thunderbird-bin-1.5.0.10'

See Also

https://security.gentoo.org/glsa/200703-18

Plugin Details

Severity: High

ID: 24867

File Name: gentoo_GLSA-200703-18.nasl

Version: 1.17

Type: local

Published: 3/19/2007

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:mozilla-thunderbird, p-cpe:/a:gentoo:linux:mozilla-thunderbird-bin, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Ease: No known exploits are available

Patch Publication Date: 3/18/2007

Vulnerability Publication Date: 2/23/2007

Reference Information

CVE: CVE-2007-0008, CVE-2007-0009, CVE-2007-0775, CVE-2007-0776, CVE-2007-0777, CVE-2007-1282

CWE: 119, 189

GLSA: 200703-18