GLSA-200507-17 : Mozilla Thunderbird: Multiple vulnerabilities

Medium Nessus Plugin ID 19222


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-200507-17 (Mozilla Thunderbird: Multiple vulnerabilities)

The following vulnerabilities were found and fixed in Mozilla Thunderbird:
'moz_bug_r_a4' and 'shutdown' discovered that Thunderbird was improperly cloning base objects (MFSA 2005-56).
'moz_bug_r_a4' also reported that Thunderbird was overly trusting contents, allowing privilege escalation via property overrides (MFSA 2005-41, 2005-44), that it failed to validate XHTML DOM nodes properly (MFSA 2005-55), and that XBL scripts ran even when JavaScript is disabled (MFSA 2005-46).
'shutdown' discovered a possibly exploitable crash in InstallVersion.compareTo (MFSA 2005-50).
Andreas Sandblad from Secunia reported that a child frame can call top.focus() even if the framing page comes from a different origin and has overridden the focus() routine (MFSA 2005-52).
Georgi Guninski reported missing Install object instance checks in the native implementations of XPInstall-related JavaScript objects (MFSA 2005-40).
Finally, Vladimir V. Perepelitsa discovered a memory disclosure bug in JavaScript's regular expression string replacement when using an anonymous function as the replacement argument (CAN-2005-0989 and MFSA 2005-33).
Impact :

A remote attacker could craft malicious email messages that would leverage these issues to inject and execute arbitrary script code with elevated privileges or help in stealing information.
Workaround :

There are no known workarounds for all the issues at this time.


All Mozilla Thunderbird users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-client/mozilla-thunderbird-1.0.5'
All Mozilla Thunderbird binary users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-client/mozilla-thunderbird-bin-1.0.5'

Plugin Details

Severity: Medium

ID: 19222

File Name: gentoo_GLSA-200507-17.nasl

Version: $Revision: 1.14 $

Type: local

Published: 2005/07/18

Modified: 2015/04/13

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:mozilla-thunderbird, p-cpe:/a:gentoo:linux:mozilla-thunderbird-bin, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Patch Publication Date: 2005/07/18

Vulnerability Publication Date: 2005/04/01

Reference Information

CVE: CVE-2005-0989

OSVDB: 15682

GLSA: 200507-17