GLSA-200703-18 : Mozilla Thunderbird: Multiple vulnerabilities

High Nessus Plugin ID 24867


The remote Gentoo host is missing one or more security-related patches.


The remote host is affected by the vulnerability described in GLSA-200703-18 (Mozilla Thunderbird: Multiple vulnerabilities)

Georgi Guninski reported a possible integer overflow in the code handling text/enhanced or text/richtext MIME emails. Various researchers also reported errors in the JavaScript engine potentially leading to memory corruption. In addition, the binary version of Mozilla Thunderbird includes a vulnerable NSS library which contains two possible buffer overflows involving the SSLv2 protocol.

Impact :

An attacker could entice a user to read a specially crafted email that could trigger one of the vulnerabilities, some of them being related to Mozilla Thunderbird's handling of JavaScript, possibly leading to the execution of arbitrary code.

Workaround :

There is no known workaround at this time for all of these issues, but some of them can be avoided by disabling JavaScript. Note that the execution of JavaScript is disabled by default and enabling it is strongly discouraged.


All Mozilla Thunderbird users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-client/mozilla-thunderbird-'

All Mozilla Thunderbird binary users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose '>=mail-client/mozilla-thunderbird-bin-'

Plugin Details

Severity: High

ID: 24867

File Name: gentoo_GLSA-200703-18.nasl

Version: 1.16

Type: local

Published: 2007/03/19

Updated: 2019/08/02

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:mozilla-thunderbird, p-cpe:/a:gentoo:linux:mozilla-thunderbird-bin, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2007/03/18

Vulnerability Publication Date: 2007/02/23

Reference Information

CVE: CVE-2007-0008, CVE-2007-0009, CVE-2007-0775, CVE-2007-0776, CVE-2007-0777, CVE-2007-1282

GLSA: 200703-18

CWE: 119, 189