GLSA-200507-17 : Mozilla Thunderbird: Multiple vulnerabilities

medium Nessus Plugin ID 19222

Synopsis

The remote Gentoo host is missing one or more security-related patches.

Description

The remote host is affected by the vulnerability described in GLSA-200507-17 (Mozilla Thunderbird: Multiple vulnerabilities)

The following vulnerabilities were found and fixed in Mozilla Thunderbird:
'moz_bug_r_a4' and 'shutdown' discovered that Thunderbird was improperly cloning base objects (MFSA 2005-56).
'moz_bug_r_a4' also reported that Thunderbird was overly trusting contents, allowing privilege escalation via property overrides (MFSA 2005-41, 2005-44), that it failed to validate XHTML DOM nodes properly (MFSA 2005-55), and that XBL scripts ran even when JavaScript was disabled (MFSA 2005-46).
'shutdown' discovered a possibly exploitable crash in InstallVersion.compareTo (MFSA 2005-50).
Andreas Sandblad from Secunia reported that a child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine (MFSA 2005-52).
Georgi Guninski reported missing Install object instance checks in the native implementations of XPInstall-related JavaScript objects (MFSA 2005-40).
Finally, Vladimir V. Perepelitsa discovered a memory disclosure bug in JavaScript's regular expression string replacement when using an anonymous function as the replacement argument (CAN-2005-0989 and MFSA 2005-33).

Impact :

A remote attacker could craft malicious email messages that would leverage these issues to inject and execute arbitrary script code with elevated privileges or help in stealing information.

Workaround :

There are no known workarounds for all the issues at this time.

Solution

All Mozilla Thunderbird users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=mail-client/mozilla-thunderbird-1.0.5'

All Mozilla Thunderbird binary users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose '>=mail-client/mozilla-thunderbird-bin-1.0.5'

See Also

http://www.nessus.org/u?92848d5a

https://security.gentoo.org/glsa/200507-17

Plugin Details

Severity: Medium

ID: 19222

File Name: gentoo_GLSA-200507-17.nasl

Version: 1.17

Type: local

Published: 7/18/2005

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.5

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:mozilla-thunderbird, p-cpe:/a:gentoo:linux:mozilla-thunderbird-bin, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 7/18/2005

Vulnerability Publication Date: 4/1/2005

Reference Information

CVE: CVE-2005-0989

GLSA: 200507-17